directory-dev mailing list archives

From "Ersin Er" <>
Subject Re: LDAP Triggers use cases: Need for real world data
Date Sat, 15 Jul 2006 22:50:00 GMT
On 7/15/06, Enrique Rodriguez <> wrote:
> Ersin Er wrote:
> > Enrique Rodriguez wrote:
> >> Ersin Er wrote:
> ...
> > So the Change Password Protocol provider is currently able to do this
> > generation/conversion but the Core and LDAP Protocol Provider are not
> > aware of this, right?
> Correct.  Change Password protocol provider can also enforce password
> policy (minimum length, character mix, etc.) which at some point should
> be enforced globally.

One more question: Change Password Protocol does not use clear text
passwords, right? So we'll never be able to keep LDAP and Kerberos
passwords in sync, right?

> ...
> > OK, so we'll have Triggers for modification type operations for the
> > ou=Users based subtree. Is it reasonable to do this with an AFTER
> > Trigger so that the Kerberos related attributes will be updated just
> > after the entry has been added/modified? Because I'm not sure whether
> > we'll support modification of request parameters inside triggered stored
> > procedures.
> I think this makes sense.

Well, I have further investigated this and saw that the Kerberos related
object class does not require the password related attribute to exist
mandatorily. So it's OK to have an object class for Kerberos without
the password attribute and to add the password attribute with
another operation. So there is no problem here.

> ...
> >> By using triggers we can address this need server-side, and not
> >> require any custom client side logic to derive keys from passwords.
> >> This will make the use of Apache Directory with Kerberos much easier.
> > More hints are welcome ;-) We may also have an IRC session on
> > implementing this. I'll finish the preliminary version of triggers for
> > playing with in a few days.
> I am really looking forward to this.  This is going to make working with
> Kerberos way more user-friendly.

I will complete it very soon. I'm a bit busy with daily stuff. It will be
nice to provide some solution with our baby system. :)

> Enrique

