[
https://issues.apache.org/jira/browse/DIRKRB-303?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14591968#comment-14591968
]
Emmanuel Lecharny commented on DIRKRB-303:
------------------------------------------
Kai, I see two options here:
- either you want to have Kerby not tightly coupled with ApacheDS, then using
{{LdapNetworkConnection}} is the way to go
- or you want to save the network roundtrip, and you should use the
{{LdapCoreSessionConnection}}

I think both could work hand in hand, it's just a matter of configuration. By
all means, {{LdapConnection}} is an interface, so your code should be ok.

Schema: I suggest you create your own schema for what is not yet in the
standard kerberos.schema. If you have a doubt, please ask. For instance, your
idea to create a {{krb5kvno}} or {{krb5AccountCreateTime}} could be a bit
spurious, if you already have attributes that do the same thing. Kiran
provided some pointers. Now, if you really need to define some specific
attribute with a different semantic (thinking about {{krb5AccountCreateTime}}
here), I think that having a separate schema is not necessarily a bad idea.

Now, consider this: defining such a schema will make it more complex to set up
Kerby on top of an external LDAP server, as you'll have to declare this
specific schema.

> Discuss and possibly define Ldap schema for Kerby KDC
> -----------------------------------------------------
>
> Key: DIRKRB-303
> URL: https://issues.apache.org/jira/browse/DIRKRB-303
> Project: Directory Kerberos
> Issue Type: New Feature
> Reporter: Xu Yaning
>
> As discussed in DIRKRB-293 with [~akiran] and [~seelmann], it might be good
> to discuss and possibly define an LDAP schema for Kerby KDC based on the one
> present in ApacheDS ({{krb5kdc}}). This particularly works for the long term:
> for now only a few identity attributes are supported in Kerby, but some time
> later we'll need to enhance and support many more that likely do not
> exist in ApacheDS's krb5kdc schema.