kdb5_util load mix-in operation
Will Fiveash
William.Fiveash at sun.com
Thu Oct 19 22:06:45 EDT 2006
On Thu, Oct 19, 2006 at 06:05:36PM -0500, Will Fiveash wrote:
> On Thu, Oct 19, 2006 at 04:40:49PM -0400, Sam Hartman wrote:
> > Have you considered the performance without this optimization and
> > confirmed it would be problematic?
> >
> > This seems significant complexity to add if not required.
>
> The code does a search for each subtree set in the realm container
> object to find any entries containing the matching krbprincipalname
> attribute. Nico was just expressing the same opinion and I can see your
> point. I could eliminate the -x mixin arg easily and mixin would be the
> default behavior when doing a kdb5_util load. If you are okay with that
> I'll make that change which will make the code somewhat simpler (it was
> a pain getting that arg to krb5_ldap_put_principal()).

Anyway, I now have mix-in working for the kdb5_util load. If the
krbSubTrees realm attr contains a base DN where non-krb entries live, the
load/krb5_ldap_put_principal() code will modify those entries whose
krbPrincipalName attr matches that of the dump princ record being loaded;
otherwise a standalone krbprinc entry will be created under the realm
container.

If MIT/others think that "-x mixin" is not necessary and that the
behavior I describe above is okay for the default then I'll remove the
"-x mixin" support. Thoughts?

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
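
The load decision described in the message above, modelled in memory as an added example; it is not part of the original post and is not MIT krb5 or Sun code. The directory contents, DNs, the standalone-entry DN layout and the refusal on multiple matches are assumptions of this example.

```python
# Added illustration: an in-memory model of the mix-in load decision.
# Not MIT krb5 or Sun code; all entries and DNs below are constructed.

def in_subtree(dn, base):
    """True if dn is base itself or lies beneath it (simplified, case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def load_principal(directory, realm_container, subtrees, princ, krb_attrs):
    """Mix krb_attrs into the entry that already carries princ, else create one.

    directory maps DN -> {attribute: [values]}.
    Returns (action, dn) where action is "modified" or "created".
    """
    matches = sorted(
        dn for dn, attrs in directory.items()
        if any(in_subtree(dn, base) for base in subtrees)
        and princ in attrs.get("krbPrincipalName", [])
    )
    if len(matches) > 1:
        # Assumption of this example: refuse rather than pick one arbitrarily.
        raise ValueError("ambiguous krbPrincipalName %r: %s" % (princ, matches))
    if matches:
        directory[matches[0]].update(krb_attrs)  # other attributes are kept
        return ("modified", matches[0])
    # DN layout of the standalone entry is an assumption; RDN escaping omitted.
    dn = "krbPrincipalName=%s,%s" % (princ, realm_container)
    directory[dn] = dict(krb_attrs, krbPrincipalName=[princ])
    return ("created", dn)

def demo():
    realm = "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
    subtrees = ["ou=people,dc=example,dc=com"]      # constructed krbSubTrees value
    directory = {
        "uid=alice,ou=people,dc=example,dc=com": {
            "uid": ["alice"], "krbPrincipalName": ["alice@EXAMPLE.COM"]},
        "uid=bob,ou=other,dc=example,dc=com": {      # outside krbSubTrees
            "uid": ["bob"], "krbPrincipalName": ["bob@EXAMPLE.COM"]},
    }
    key = {"krbPrincipalKey": ["<constructed key data>"]}
    results = [load_principal(directory, realm, subtrees, p, dict(key))
               for p in ("alice@EXAMPLE.COM", "bob@EXAMPLE.COM")]
    return results, directory

if __name__ == "__main__":
    print(demo()[0])
```

In this model an entry outside the listed subtrees is never modified, even when its krbPrincipalName matches, so the load falls back to a standalone entry under the realm container.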