[ https://issues.apache.org/jira/browse/DIRKRB-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14591671#comment-14591671 ]

Kai Zheng commented on DIRKRB-303:
----------------------------------

bq. No no, just one, that takes LdapConnection that is all, anything else makes Kerby heavy and bloated with LDAP code.

Hmm, wouldn't LdapConnection incur a network overhead, which isn't ideal 
for ApacheDS to use Kerby, right? I thought it should be OK if the heavy code 
is encapsulated in a separate pluggable module, not affecting other parts.

bq. This schema changes very very very rarely, if that ever happens.

I'm not sure. Currently only identity attributes for the classical Kerberos 
protocol are defined; how about adding more for the extended protocols like 
OTP and PKINIT in the future? How about entries for authorization policies? Yes, it 
mainly depends on how Kerby would develop and evolve.

bq. The above mentioned operational attribute is available in all LDAP servers.

Thanks for the knowledge. I do need to learn about the LDAP aspect.

bq. The highly beneficial thing is to just do a bit more research about how this all works with LDAP

Yeah, I agree. That's why we would have this and learn about it from experts like 
you. More research is definitely a must, if we're going to sort out a solid, 
decent Kerberos KDC schema for the Kerby project. We at least should learn about 
how it goes in MIT Kerberos, MS-AD, and Heimdal.

> Discuss and possibly define Ldap schema for Kerby KDC
> -----------------------------------------------------
>
>                 Key: DIRKRB-303
>                 URL: https://issues.apache.org/jira/browse/DIRKRB-303
>             Project: Directory Kerberos
>          Issue Type: New Feature
>            Reporter: Xu Yaning
>
> As discussed in DIRKRB-293 with [~akiran] and [~seelmann], it might be good 
> to discuss and possibly define an LDAP schema for Kerby KDC based on the one 
> present in ApacheDS ({{krb5kdc}}). This particularly works for the long term, 
> as for now only a few identity attributes are supported in Kerby; some time 
> later we'll need to enhance it and support many more that likely do not 
> exist in the ApacheDS schema krb5kdc.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
