LDAP schema questions

Savitha R rsavitha at novell.com
Tue Jun 20 07:19:24 EDT 2006



>>> On Wed, Jun 14, 2006 at  5:52 am, in message <20060614002237.GF29380 at sun.com>,
Will Fiveash <William.Fiveash at sun.com> wrote: 
> 
> Just as a refresher, the current Novell/MIT schema has this:
> 
> ###### The principal data auxiliary class. Holds principal information
> ###### and is used to store principal information for Users and any 
> services.
> dn: cn=schema
> changetype: modify
> add: objectclasses
> objectClasses: ( 2.16.840.1.113719.1.301.6.8
>                 NAME 'krbPrincipalAux'
>                 AUXILIARY
>                 MAY ( krbPrincipalName $ krbUPEnabled $ krbSecretKey $
>                       krbPolicyReference $ krbPrincipalExpiration $
>                       krbPasswordExpiration ) )
> 
> ###### This object is created to hold principals of type other than USER.
> 
> dn: cn=schema
> changetype: modify
> add: objectclasses
> objectClasses: ( 2.16.840.1.113719.1.301.6.9
>                 NAME 'krbPrincipal'
>                 SUP ( top )
>                 MUST ( krbPrincipalName )
>                 MAY ( krbPrincipalType )
>                 X-  NDS_NAMING 'krbPrincipalName'
>                 X-  NDS_CONTAINMENT ( 'organization' 'organizationalUnit'
>                                     'domain' 'krbRealmContainer'
>                                     'country' 'locality' )
>                 X-  NDS_NOT_CONTAINER '1')
> 
> #######################################################################
> 
> All the principal attributes are in the aux. class krbPrincipalAux and
> can be mixed with arbitrary structural object classes.
> 
> While krbSecretKey contains the principal name to associate it with a
> principal, the other attributes do not.  I'm assuming then that the only
> way to associate more than 1 principal with a user requires use of a
> krbPrincipal object if the krbPrincipalAux attributes differ between the
> principals.  Is this correct?

In the current implementation, all the attributes and their values (except for krbsecretkey)
are shared by all the principals attached to a user.

We understand that some of these attribute values (like principal expiration time
and password expiration time) may differ between principals. We are looking at
creating separate principal objects when more than one principal is associated
with a user object.

Thanks
Savitha




