question about princ type assignment in krb5_ldap_get_principal()

Nicolas Williams Nicolas.Williams at sun.com
Tue Jun 20 12:01:13 EDT 2006


On Tue, Jun 20, 2006 at 11:40:19PM +1000, Luke Howard wrote:
> >Based on the decision, the logic will be changed but we have planned to
> >move away from the logic of deciding the principal type based on the
> >object class the principal belongs to. 
> 
> My thought is that Novell should do whatever is most appropriate for
> eDirectory, including determining the principal type from the object
> class, but that a reference implementation of an LDAP backend should
> not do this.

I'd advise against this feature period.

The KDB need not store principal type information, but if it does then
it should be accurate and not heuristic.

That said, the kadmin protocol is another story.  As long as there are
multiple object classes for representing principals, kadmind will
have to be able to determine what the right class for a given new
principal should be, given only whatever information the kadmin client
may have furnished (i.e., just the principal name).

So there is room for principal typing logic, but only on principal
creation.

Also the kadmin protocol needs to be extended to support passing
principal typing information on principal creation (and modification?).
This could be done with a TL data type...

Nico