[37193] in Kerberos


Best practices storing multiple principals with the same LDAP object

daemon@ATHENA.MIT.EDU (Cory Albrecht)
Fri Aug 21 01:11:14 2015

MIME-Version: 1.0
From: Cory Albrecht <cory@albrecht.name>
Date: Fri, 21 Aug 2015 04:35:15 +0000
Message-ID: <CAMW5rYL8M260PD2dH+tYOz_dhK2gEi78NE3AgV1QAtoaiA8rtA@mail.gmail.com>
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Hello,

I just recently redid my krb5 setup to use LDAP as the backend (for less
hassle replication, since the LDAP servers were already doing that) and I
was wondering what the best/easiest ways were to deal with cases where
multiple Kerberos principals would be logically associated with a single
account/LDAP object.

I set up the subtree searches when I ran krb5_ldap_util, and I was able to
copy the relevant krb... attributes to my LDAP account and verified that
kinit, kadmin and such all still work as expected. I know about the -x
"dn=..." attribute for addprinc, etc., to use in kadmin to create the
principals in the proper part of the LDAP subtree (for me, ou=People,...)
rather than manually copying the attributes, though I have yet to do so.

I am a little confused, though, as to how multiple principals can be stored
with the same LDAP object, mostly for host principals like nfs/
server.example.com@EXAMPLE.COM or host/server.example.com@EXAMPLE.COM. Both
of them would logically go with the uid=server,ou=Devices,cn=example,cn=com
object, but not all of the krb... attributes can be multi-valued.

I assume that aliased principals would be similar?

If somebody could point me at an appropriate tutorial online, or otherwise
explain how this is best accomplished, I would appreciate it.

(I'm running krb5+openldap on Ubuntu 15.04, but the machines on the
network are a hodgepodge of OS X, Ubuntu, OpenBSD, FreeBSD in various
versions, and various Cisco and HP switches and routers, if that makes any
difference.)

Thanks in advance!
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
