LDAP schema and TL_DATA?

greg@enjellic.com greg at enjellic.com
Fri Mar 17 16:18:15 EST 2006


On Mar 15,  5:46am, Sam Hartman wrote:
} Subject: Re: LDAP schema and TL_DATA?

Good day to everyone.

> I'd rather not block on this issue.  There is a real design question
> outstanding and I don't know how to resolve it.
>
> If someone proposes a better mechanism now and claims we need to
> block on this issue I'd be happy to consider doing so.

I've been thinking about the TL_DATA issue for about a year and a half
now.  Our plug-in architecture currently uses a self-defined TL_DATA
datatype for storing a master key encrypted copy of the raw user
password.

I toyed with the idea of implementing a registration function in the
extensibility framework we developed which would allow a plug-in to
request an unused TL_DATA type specification.  This certainly fails
beyond the scope of a particular implementation/database.

I'm currently working on resolving architectural issues with bolting
NTLM support onto the MIT KDC through our plug-in architecture.  If
this proves popular the issue of our self-selected TL_DATA datatype
value becomes problematic.

MIT may want to consider 'registering' TL_DATA tagnames.  I wouldn't
care what the actual 'number' is as long as I can register a unique
name with the KDC and get a 'token' I can use to set a .tl_data_type
structure element.

Now is the time to fix this though.

A possible interim solution might be to 'officially' declare an
invariant KRB5_TL_TYPES value in src/include/krb5/kdb.h as a
placeholder.  The all singing/all dancing registration function can
use that as a known identity for tracking down TAGNAME/value
correspondence within the context of a given database.

> --Sam

It's not if KDCs are going to be extended but how.  Prudence dictates
resolving this sooner than later.

Greg

}-- End of excerpt from Sam Hartman

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Open source code is not guaranteed nor does it come with a warranty."
                                -- the Alexis de Tocqueville Institute

"I guess that's in contrast to proprietary software, which comes with
 a money-back guarantee, and free on-site repairs if any bugs are found."
                                -- Rary
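The interim scheme sketched in the message above (a placeholder KRB5_TL_TYPES entry anchoring a per-database tagname/value registry), worked through as an added example; this is not MIT krb5 code or the author's plug-in code, and both numeric constants are assumed values for the illustration.

```c
/* Added sketch, not MIT krb5 code: hand out TL_DATA type numbers by name and
 * persist the name/number mapping in one placeholder TL_DATA entry (assumed values). */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define KRB5_TL_TYPES       0x00FF  /* placeholder type that holds the registry */
#define FIRST_DYNAMIC_TYPE  0x0100  /* first number handed out to a registered name */
typedef struct tl_data {            /* same shape as krb5_tl_data in kdb.h */
    struct tl_data *next;
    int16_t         type;
    uint16_t        length;
    uint8_t        *contents;       /* registry: concatenated NUL-terminated names */
} tl_data;

/* Find the registry entry in a principal's TL_DATA list, creating it if absent. */
static tl_data *registry_entry(tl_data **list)
{
    tl_data *e;
    for (e = *list; e != NULL && e->type != KRB5_TL_TYPES; e = e->next)
        ;
    if (e != NULL) return e;
    if ((e = calloc(1, sizeof(*e))) == NULL) return NULL;
    e->type = KRB5_TL_TYPES;
    e->next = *list;
    return *list = e;
}

/* Return the type number bound to `name`, binding the next free one on first use.
 * The number is the name's index in the registry, so it is stable for the
 * lifetime of that database.  Returns -1 if the registry cannot grow. */
int16_t tl_type_register(tl_data **list, const char *name)
{
    tl_data *reg = registry_entry(list);
    if (reg == NULL) return -1;
    size_t off = 0, idx = 0, nlen = strlen(name) + 1;
    while (off < reg->length) {     /* scan the names already registered */
        if (strcmp((const char *)reg->contents + off, name) == 0)
            return (int16_t)(FIRST_DYNAMIC_TYPE + idx);
        off += strlen((const char *)reg->contents + off) + 1;
        idx++;
    }
    if (reg->length + nlen > UINT16_MAX || FIRST_DYNAMIC_TYPE + idx > INT16_MAX)
        return -1;                  /* would exceed the 16-bit TL_DATA limits */
    uint8_t *grown = realloc(reg->contents, reg->length + nlen);
    if (grown == NULL) return -1;
    memcpy(grown + reg->length, name, nlen);   /* append "name\0" */
    reg->contents = grown;
    reg->length += (uint16_t)nlen;
    return (int16_t)(FIRST_DYNAMIC_TYPE + idx);
}
```

Two plug-ins registering different names receive distinct numbers, and a plug-in re-registering its name after a restart gets the same number back from the same database.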


