[29972] in Kerberos
Re: Principal attributes and policy in LDAP Realm
daemon@ATHENA.MIT.EDU (Klaus Heinrich Kiwi)
Mon Jun 16 22:59:05 2008
From: Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
To: Ken Raeburn <raeburn@mit.edu>
In-Reply-To: <12D94319-C190-4D6A-97B9-7827950744C0@mit.edu>
Date: Mon, 16 Jun 2008 23:58:03 -0300
Message-Id: <1213671483.17827.35.camel@klausk.br.ibm.com>
Cc: kerberos@mit.edu
On Mon, 2008-06-16 at 19:25 -0400, Ken Raeburn wrote:
> The "application" data in question is indeed the MIT KDC
> implementation; all this stuff is internal to the MIT implementation.
> In src/include/kdb.h you'll find definitions of some macros KRB5_TL_*
> vaguely describing in their names what they're used for; for the
> actual definitions of the layouts, you'll have to dig around in the
> sources. At the moment, it's sort of a catch-all slot for holding
> anything new we want to stick in there without having to redefine the
> XDR types we use for database records (since the old DBM-style APIs
> only give you "key" and "data" slots), stuff like that.
Ken,
thank you for your explanation. I'm still a bit confused about how the KDC
uses the TL data at the same time the KDB LDAP plugin also has some
specific uses for it (for example KDB_TL_USERDN). Can 'krbExtraData'
accommodate any kind of attribute we think of, just by making sure the
type numbers don't collide? Or is it working some other way? Also, is
tl_data an attribute for principals, realms, or both?
I'm working towards changing the upstream KDB LDAP plugin into
supporting the IBM Schema, and that Schema brings a lot of things as
attributes for principals and realms - I'm just trying to make sure to
reuse the existing internal data structures whenever possible.
Thanks,
-Klaus
--
Klaus Heinrich Kiwi <klausk@linux.vnet.ibm.com>
Linux Security Development, IBM Linux Technology Center