afs pts schema?

Leif Johansson leifj@it.su.se
Thu, 15 Mar 2001 09:01:09 +0100


> Marcus Watts <mdw@umich.edu> writes:
> 
> > 	Openldap tracks groups in groups by DN, so changing names
> > 		is *real* painful.
> 
> The standard solution to this problem for any sort of directory-like
> system is to just not use the user-visible name as a DN.  In general,
> that's a good idea for a whole bunch of reasons; the properties that users
> want in names quite frequently conflict with the properties of a system
> unique identifier.
> 
> We use machine-generated unique IDs for DNs in our directory of people.
> PTS already does something similar by using negative numbers for group
> identifiers.
> 
> LDAP is good at being able to search and retrieve by things that aren't
> the unique identifiers.

Yes, in fact there is some work in the ietf and other places now to
write schema for a KDC which will probably be the way the unique id
for a user (i.e something like kdcPrincipal) is done.

	Cheers Leif