directory-dev mailing list archives

From "Emmanuel Lecharny (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DIRKRB-303) Discuss and possibly define Ldap schema for Kerby KDC
Date Thu, 18 Jun 2015 15:28:01 GMT

    [ https://issues.apache.org/jira/browse/DIRKRB-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14591968#comment-14591968 ]

Emmanuel Lecharny commented on DIRKRB-303:
------------------------------------------

Kai, I see two options here:

- either you want to have Kerby not tightly coupled with ApacheDS, then using {{LdapNetworkConnection}}
is the way to go
- or you want to save the network roundtrip, and you should use the {{LdapCoreSessionConnection}}

I think both could work hand in hand, it's just a matter of configuration. By all means,
{{LdapConnection}} is an interface, so your code should be ok.


Schema: I suggest you create your own schema for what is not yet in the standard kerberos.schema.
If you have a doubt, please ask. For instance, your idea to create a {{krb5kvno}} or {{krb5AccountCreateTime}}
could be a bit spurious, if you already have attributes that do the same thing. Kiran provided
some pointers. Now, if you really need to define some specific attribute with a different
semantic (thinking about {{krb5AccountCreateTime}} here), I think that having a separate schema
is not necessarily a bad idea.

Now, consider this: defining such a schema will make it more complex to set up Kerby on top
of an external LDAP server, as you'll have to declare this specific schema.

> Discuss and possibly define Ldap schema for Kerby KDC
> -----------------------------------------------------
>
>                 Key: DIRKRB-303
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-303
>             Project: Directory Kerberos
>          Issue Type: New Feature
>            Reporter: Xu Yaning
>
> As discussed in DIRKRB-293 with [~akiran] and [~seelmann], it might be good to discuss
> and possibly define an LDAP schema for Kerby KDC based on the one present in ApacheDS ({{krb5kdc}}).
> This particularly works for the long term, as for now only a few identity attributes are supported
> in Kerby; some time later we'll need to enhance and support many more that likely do not
> exist in ApacheDS's schema krb5kdc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
