Re: stupid question on LDAP support

From: Mike Markley <mike@markley.org>
Date: Tue, 16 Feb 2010 11:43:04 -0800

On Mon, Feb 15, 2010 at 10:59:36PM -0800, Murray S. Kucherawy <msk@blackops.org> wrote:
> On Mon, 15 Feb 2010, Mike Markley wrote:
> >>...and the query gets substituted into the "dn" and "filter" portion, and
> >>the listed "attr"s are returned.
> >
> >Okay, but how do the returned attributes get mapped into something
> >useful?
>
> The database you're using is defined such that it specifies what it
> expects back from whatever you put there.
>
> Two related examples might help illustrate this better: The KeyTable (and
> most other tables we currently have) is a table that expects to provide a
> sender (user@host or maybe just host) and get back the name of a key to
> use for signing. In that case, for LDAP, you would specify an LDAP URI
> naming a single attribute. The SigningTable is a table that expects to
> provide a key name and get back three things: a domain name, a selector
> name, and a private key. In that case your LDAP URI would name the three
> attributes your LDAP server uses to store those data, and responses would
> be cut apart and used accordingly.

Makes sense now. We may want to put together a "suggestion" for a schema
(perhaps using something invalid for the OIDs to force people to
substitute their own) to aid implementers; I should be able to tackle
that once I set up a testbed. I'll also propose some changes to the
manpage or to README to make this more obvious.

-- 
Mike Markley <mike@markley.org>
FORTUNE'S FUN FACTS TO KNOW AND TELL:		#44
  Zebras are colored with dark stripes on a light background.
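As an added illustration of the two URI shapes described in the quoted reply (not code from this thread or from OpenDKIM itself): the query is substituted into the "dn" and "filter" portions, and the attributes listed in the URI come back as a one- or three-element tuple that the caller cuts apart. The in-memory directory, the attribute names and the `$d` substitution token are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed stand-in for an LDAP directory (DN -> attributes); attribute
# names such as dkimKeyName are assumed, not a schema the thread defines.
FAKE_DIRECTORY = {
    "mail=alice@example.com,ou=people,dc=example,dc=com": {
        "mail": ["alice@example.com"], "dkimKeyName": ["alice-key"]},
    "cn=alice-key,ou=dkim,dc=example,dc=com": {
        "cn": ["alice-key"], "dkimDomain": ["example.com"],
        "dkimSelector": ["sel2010"], "dkimPrivateKey": ["<PEM PLACEHOLDER>"]},
}

def parse_ldap_uri(uri):
    """Split ldap://host/dn?attrs?scope?filter (RFC 4516 layout) into parts."""
    u = urlparse(uri)
    attrs, scope, flt = (u.query.split("?", 2) + ["", ""])[:3]
    return {"dn": unquote(u.path.lstrip("/")),
            "attrs": [a for a in attrs.split(",") if a],
            "scope": scope or "base", "filter": unquote(flt)}

def matches(flt, entry):
    """Evaluate a minimal (attr=value) equality filter; empty filter matches all."""
    if not flt:
        return True
    m = re.fullmatch(r"\(([\w-]+)=([^)]*)\)", flt)
    return bool(m) and m.group(2) in entry.get(m.group(1), [])

def lookup(uri, query, directory=FAKE_DIRECTORY, token="$d"):
    """Substitute the query into dn and filter (token is an assumed placeholder,
    not named in the thread), search, and return the listed attrs in URI order."""
    spec = parse_ldap_uri(uri)
    base = spec["dn"].replace(token, query)
    flt = spec["filter"].replace(token, query)
    for dn, entry in directory.items():
        in_scope = dn == base if spec["scope"] == "base" else dn.endswith("," + base)
        if in_scope and matches(flt, entry):
            return tuple(entry.get(a, [None])[0] for a in spec["attrs"])
    return None  # no entry: the table has no answer for this query

# One-attribute shape: sender -> key name (filter carries the query).
KEY_NAME_URI = ("ldap://ldap.example.com/ou=people,dc=example,dc=com"
                "?dkimKeyName?sub?(mail=$d)")
# Three-attribute shape: key name -> (domain, selector, private key); dn carries it.
KEY_DATA_URI = ("ldap://ldap.example.com/cn=$d,ou=dkim,dc=example,dc=com"
                "?dkimDomain,dkimSelector,dkimPrivateKey?base")

if __name__ == "__main__":
    name = lookup(KEY_NAME_URI, "alice@example.com")  # ('alice-key',)
    print(name, lookup(KEY_DATA_URI, name[0]))
```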
Received on Tue Feb 16 2010 - 19:43:13 PST
