On Tue, Oct 30, 2012 at 11:57 AM, Rainer Laatsch <[email protected]> wrote:
>
> On Fri, 26 Oct 2012, Booker Bense wrote:
>
>> Do yourself a big favor and put kerberos entities in ou=Accounts.
>> There is not a one to one relationship between accounts and people and
>> you will make your life much easier in the future if you clearly make
>> the split now.
>
> How and when would errors show up (if no split)?
There would not be errors per se, but ideally you'd like to use the LDAP interface for more than just Kerberos. There are many attributes that should apply to a Person that don't map well to an Account, particularly if people end up having more than one account. If you stick with just accounts and people have more than one account, you run into real problems if you want to store data about the person and not just the account. (Simple example: name changes when people get married, etc.)

You also avoid the issue of confusing identity with privilege. Separating People and Accounts will help you avoid the authorization issues that arise if you can't clearly separate identity from authorization.

12+ years ago, when I was involved in the design of the Stanford SUNetID system, we spent a lot of time going back and forth about the pros and cons of each approach. I think time has clearly shown that splitting them into two buckets was the right choice.

- Booker C. Bense

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
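To make the People/Accounts split concrete, here is a small worked model of the directory layout being recommended. This is an added illustration, not code or LDIF from the thread or from Stanford's SUNetID system. The LDIF is constructed: one person entry under ou=People, two Kerberos principals for that person under ou=Accounts (a regular and an /admin instance), and a group whose members are account DNs. The `owner` attribute used to link an account back to its person entry, and the example base DN `dc=example,dc=edu`, are assumptions for the illustration; `krbPrincipalName` and `krbPrincipalAux` are from the MIT Kerberos LDAP schema. The functions show the two points made above: a name change touches exactly one entry and every principal picks it up, and privilege (group membership) is attached to an account, so the person's ordinary principal does not inherit rights granted to the /admin one.

```python
"""Model of the People/Accounts split in an LDAP directory used by Kerberos.

Added example, not code from the mailing-list thread. The LDIF below is
constructed; the 'owner' link attribute and the example base DN are
assumptions, not Kerberos requirements.
"""
from collections import defaultdict

# Constructed sample directory: one person, two Kerberos principals owned
# by that person, and one authorization group whose members are accounts.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane

dn: krbPrincipalName=jdoe@EXAMPLE.EDU,ou=Accounts,dc=example,dc=edu
objectClass: krbPrincipalAux
krbPrincipalName: jdoe@EXAMPLE.EDU
owner: uid=jdoe,ou=People,dc=example,dc=edu

dn: krbPrincipalName=jdoe/admin@EXAMPLE.EDU,ou=Accounts,dc=example,dc=edu
objectClass: krbPrincipalAux
krbPrincipalName: jdoe/admin@EXAMPLE.EDU
owner: uid=jdoe,ou=People,dc=example,dc=edu

dn: cn=kdc-admins,ou=Groups,dc=example,dc=edu
objectClass: groupOfNames
cn: kdc-admins
member: krbPrincipalName=jdoe/admin@EXAMPLE.EDU,ou=Accounts,dc=example,dc=edu
"""

ACCOUNTS_BASE = "ou=Accounts,dc=example,dc=edu"   # assumed layout
GROUPS_BASE = "ou=Groups,dc=example,dc=edu"       # assumed layout


def parse_ldif(text):
    """Parse minimal LDIF (no base64 values, no continuation lines)
    into {dn: {attribute: [values]}}. Records are blank-line separated."""
    directory = {}
    for record in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in record.splitlines():
            attr, _, value = line.partition(": ")
            entry[attr].append(value)
        dn = entry.pop("dn")[0]
        directory[dn] = dict(entry)
    return directory


def build_directory():
    """Fresh copy of the constructed directory for each caller."""
    return parse_ldif(SAMPLE_LDIF)


def account_dn(principal):
    """DN of the account entry for a Kerberos principal name."""
    return f"krbPrincipalName={principal},{ACCOUNTS_BASE}"


def person_for_principal(directory, principal):
    """Follow the account's owner link to the person entry."""
    return directory[account_dn(principal)]["owner"][0]


def accounts_for_person(directory, person_dn):
    """All accounts (principals) owned by one person; may be more than one."""
    return sorted(dn for dn, entry in directory.items()
                  if person_dn in entry.get("owner", []))


def display_name(directory, principal):
    """Name is stored once, on the person; accounts reach it via the link."""
    return directory[person_for_principal(directory, principal)]["cn"][0]


def rename_person(directory, person_dn, given, surname):
    """A name change modifies one entry; every owned account follows."""
    entry = directory[person_dn]
    entry["givenName"] = [given]
    entry["sn"] = [surname]
    entry["cn"] = [f"{given} {surname}"]


def is_authorized(directory, principal, group_cn):
    """Privilege is granted to an account DN, never to the person DN,
    so jdoe@ and jdoe/admin@ are authorized independently."""
    group = directory[f"cn={group_cn},{GROUPS_BASE}"]
    return account_dn(principal) in group.get("member", [])


if __name__ == "__main__":
    d = build_directory()
    print(accounts_for_person(d, "uid=jdoe,ou=People,dc=example,dc=edu"))
    rename_person(d, "uid=jdoe,ou=People,dc=example,dc=edu", "Jane", "Smith")
    for p in ("jdoe@EXAMPLE.EDU", "jdoe/admin@EXAMPLE.EDU"):
        print(p, display_name(d, p), is_authorized(d, p, "kdc-admins"))
```

With accounts folded into the person entry instead, the rename would have to be applied to every principal, and a group granting rights to "jdoe" would be ambiguous about which of the two principals it meant; keeping the two object types in separate containers makes both questions mechanical.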
