[8575] in Info-AFS_Redistribution
Re: afs pts schema?
daemon@ATHENA.MIT.EDU (Leif Johansson)
Thu Mar 15 03:09:52 2001
Message-Id: <200103150801.JAA06207@mail.su.se>
To: Russ Allbery <rra@stanford.edu>
cc: info-afs@transarc.com
In-Reply-To: Message from Russ Allbery <rra@stanford.edu>
of "14 Mar 2001 19:41:53 PST." <yl66hbzoji.fsf@windlord.stanford.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Thu, 15 Mar 2001 09:01:09 +0100
From: Leif Johansson <leifj@it.su.se>
> Marcus Watts <mdw@umich.edu> writes:
>
> > Openldap tracks groups in groups by DN, so changing names
> > is *real* painful.
>
> The standard solution to this problem for any sort of directory-like
> system is to just not use the user-visible name as a DN. In general,
> that's a good idea for a whole bunch of reasons; the properties that users
> want in names quite frequently conflict with the properties of a system
> unique identifier.
>
> We use machine-generated unique IDs for DNs in our directory of people.
> PTS already does something similar by using negative numbers for group
> identifiers.
>
> LDAP is good at being able to search and retrieve by things that aren't
> the unique identifiers.
Yes, in fact there is some work in the IETF and other places now to
write schema for a KDC which will probably be the way the unique id
for a user (i.e. something like kdcPrincipal) is done.
Cheers, Leif
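As an added illustration of the point Russ and Marcus are making above (example code, not from the thread): a toy directory in which groups reference members by DN, with a user renamed under both a name-based DN and a machine-generated one. The entries, the `entryId` attribute and the `dc=example` suffix are all constructed for the example.

```python
# Added illustration (not from the thread): why a user-visible name makes a
# poor DN when groups hold member DNs, and how a machine-generated RDN
# sidesteps the rename problem. All entries are constructed sample data.
from typing import Optional


def make_directory(stable_ids: bool) -> dict:
    """Return a toy directory: DN -> attributes. Groups hold member DNs."""
    if stable_ids:
        alice_dn = "entryId=1001,ou=people,dc=example"  # hypothetical attribute
    else:
        alice_dn = "uid=alice,ou=people,dc=example"
    return {
        alice_dn: {"uid": "alice", "cn": "Alice Example"},
        "cn=afs-admins,ou=groups,dc=example": {"member": [alice_dn]},
        "cn=staff,ou=groups,dc=example": {"member": [alice_dn]},
    }


def search_by_uid(directory: dict, uid: str) -> Optional[str]:
    """LDAP-style search on a non-DN attribute: the DN whose uid matches."""
    for dn, attrs in directory.items():
        if attrs.get("uid") == uid:
            return dn
    return None


def rename_user(directory: dict, old_uid: str, new_uid: str) -> int:
    """Rename a user; return how many group member references now dangle
    (point at a DN that no longer exists in the directory)."""
    dn = search_by_uid(directory, old_uid)
    attrs = directory[dn]
    if dn.startswith("uid="):
        # Name-based DN: the rename is a modrdn, so the entry moves to a new
        # DN and every group still naming the old DN must be rewritten too.
        del directory[dn]
        dn = f"uid={new_uid}," + dn.split(",", 1)[1]
        directory[dn] = attrs
    attrs["uid"] = new_uid  # with a stable-ID DN this attribute change is the whole rename
    dangling = 0
    for entry in directory.values():
        for member in entry.get("member", []):
            if member not in directory:
                dangling += 1
    return dangling


if __name__ == "__main__":
    print("name-based DN, dangling refs:", rename_user(make_directory(False), "alice", "alicia"))  # 2
    print("stable-ID DN, dangling refs:", rename_user(make_directory(True), "alice", "alicia"))  # 0
```

A real directory can repair such references after the fact (OpenLDAP's refint overlay does this), which is exactly the extra work the name-based scheme forces on every rename.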