Thank you very much for clarifying this issue.

Best regards
R. Laatsch

On Tue, 30 Oct 2012, Booker Bense wrote:
> On Tue, Oct 30, 2012 at 11:57 AM, Rainer Laatsch <[email protected]> wrote:
>>
>> On Fri, 26 Oct 2012, Booker Bense wrote:
>>
>>> Do yourself a big favor and put kerberos entities in ou=Accounts.
>>> There is not a one to one relationship between accounts and people
>>> and you will make your life much easier in the future if you
>>> clearly make the split now.
>>
>> How and when would errors show up (if no split) ?
>>
>
> There would not be errors per se, but ideally you'd like to use the ldap
> interface for more than just kerberos. There are many attributes that
> should apply to a Person, that don't map well to an Account, particularly
> if people end up having more than one account. If you stick with just
> accounts and people have more than one account, you run into real
> problems if you want to store data about the person and not just the account.
>
> ( Simple example, Name changes when people get married, etc... )
>
> And you also avoid the issue of confusing identity with privilege. Separating
> People and Accounts will help you avoid the authorization issues that
> arise if you can't clearly separate identity from authorization.
>
> 12+ years ago when I was involved in the design of the Stanford
> SunetID system we spent a lot of time going back and forth about
> the pros and cons of each approach. I think time has clearly shown
> that splitting them into two buckets was the right choice.
>
> - Booker C. Bense
>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
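
The split recommended in the quoted message, as an added LDIF sketch that is not part of the original thread: one person entry under ou=People and two account entries under ou=Accounts that point back to it. The base DN `dc=example,dc=org`, the realm, all names, the use of `seeAlso` as the back-reference, and the `krbPrincipalAux`/`krbPrincipalName` schema elements (from the MIT Kerberos LDAP schema) are assumptions, not details from the thread.

```ldif
# Constructed sample data; base DN, realm, names and layout are assumptions.

# Identity: one entry per human being. The RDN is a stable identifier,
# so a name change (cn/sn) is made here once and touches no account.
dn: employeeNumber=10042,ou=People,dc=example,dc=org
objectClass: inetOrgPerson
employeeNumber: 10042
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jane.doe@example.org

# Account 1: the person's everyday principal.
dn: uid=jdoe,ou=Accounts,dc=example,dc=org
objectClass: account
objectClass: krbPrincipalAux
uid: jdoe
krbPrincipalName: jdoe@EXAMPLE.ORG
seeAlso: employeeNumber=10042,ou=People,dc=example,dc=org

# Account 2: a second, privileged principal held by the same person.
# Privilege is attached to this account entry, not to the person entry.
dn: uid=jdoe-admin,ou=Accounts,dc=example,dc=org
objectClass: account
objectClass: krbPrincipalAux
uid: jdoe-admin
krbPrincipalName: jdoe/admin@EXAMPLE.ORG
seeAlso: employeeNumber=10042,ou=People,dc=example,dc=org
```

With this layout, access rules can be keyed on the account DN while personal attributes live only on the People entry, so disabling or removing one account leaves the person record and the other account untouched.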
