LDAP schema questions

Savitha R rsavitha at novell.com
Wed Jun 21 09:17:31 EDT 2006

>>> On Tue, Jun 20, 2006 at  1:38 pm, in message
<200606201338.k5KDcDFk064537 at au.padl.com>, Luke Howard <lukeh at padl.com>
wrote:


>> In the current implementation, all the attributes and their values
>> (except for krbsecretkey) are shared by all the principals attached
>> to a user.
>>
>> We understand that some of these attribute values (like principal
>> expiration time and password expiration time) may differ between
>> principals. We are looking at creating separate principal objects
>> when more than one principal is associated with a user object.
> 
> The "user" is a construction internal to eDirectory, correct? So

By "user" I was referring to any class/object (person, inetorgperson)
used to represent a user in an LDAP directory.

> the current implementation should not care what structural class
> user principals are associated with as long as it is not
> krbPrincipalAux? 

Currently, the krbPrincipalAux class can be attached to any structural
class.

> i.e. is there anything in the code which actually
> cares about the association between krbPrincipal and a user, apart
> from possibly UP synchronization?

No, currently only the eDirectory specific code uses the
association between Kerberos principal and user.

> (Again, I think that using the object class to determine principal
> type is undesirable but see previous mail.)

As Praveen has mentioned, we are thinking of not using the objectclass
to determine the principal type.

Thanks
Savitha 
