
Re: Best practices storing multiple principals with the same LDAP

daemon@ATHENA.MIT.EDU (Cory Albrecht)
Sat Aug 22 13:25:08 2015

MIME-Version: 1.0
In-Reply-To: <55D7F150.8000009@mit.edu>
Date: Sat, 22 Aug 2015 11:34:19 -0400
Message-ID: <CAMW5rYL5Zb-Pmvt7dQgOTJ0wFRA2KUqLE8NyrKd4TpfAAVtjcQ@mail.gmail.com>
From: Cory Albrecht <cory@albrecht.name>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Reply-To: cory@albrecht.name
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Let me see if I understand.

I've already created the principal for my account with:

addprinc -x dn=uid=cory,ou=People,dc=cory,dc=albrecht,dc=name cory

So now to that dn I need to add the krbCanonicalName attribute. When I
create a new principal, say "cory/root", I can just manually add another
krbPrincipalName attribute with it to the dn=uid=cory,... object? And
something similar for the machine principals?

On Fri, Aug 21, 2015 at 11:49 PM, Greg Hudson <ghudson@mit.edu> wrote:

> On 08/21/2015 12:35 AM, Cory Albrecht wrote:
> > I just recently redid my krb5 setup to use LDAP as backend (for less
> > hassle replication since the LDAP servers were already doing that) and I
> > was wondering what the best/easiest ways were to deal with cases where
> > multiple Kerberos principals would be logically associated with a single
> > account/LDAP object.
>
> We have support for this in the LDAP KDB module, but not in the
> administrative tools, and it isn't documented.  After creating the
> principal with the canonical name, you need to add a krbCanonicalName
> attribute for the canonical name (with the same value as the already
> existing krbPrincipalName attribute), and then add additional
> krbPrincipalName attributes.
>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
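The steps from Greg's reply, applied to the entry Cory created, as an added example that is not code from the thread or from krb5: a small shell helper that builds the ldapmodify input which adds krbCanonicalName (same value as the existing krbPrincipalName) and then the alias krbPrincipalName values. The realm EXAMPLE.REALM and the BINDDN variable are assumptions; the DN is the one from the message.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the ldapmodify input that
# gives an existing krb5 LDAP principal entry a krbCanonicalName and extra
# krbPrincipalName aliases, following the steps in Greg's reply.
# The realm is an assumed placeholder; replace it with the real one.
REALM="EXAMPLE.REALM"

# alias_ldif DN CANONICAL ALIAS... -> prints LDIF on stdout.
# CANONICAL must be the principal the entry was created with (its existing
# krbPrincipalName), because krbCanonicalName has to carry the same value.
# Names are given without the realm; it is appended here.
alias_ldif() {
    dn=$1; canon=$2; shift 2
    case "$canon$*" in
        *@*) echo "alias_ldif: give names without a realm" >&2; return 1 ;;
    esac
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: krbCanonicalName\nkrbCanonicalName: %s@%s\n-\n' "$canon" "$REALM"
    # One add operation with one value per alias. Every alias resolves to
    # this same entry, so all of them share the entry's keys.
    printf 'add: krbPrincipalName\n'
    for alias in "$@"; do
        printf 'krbPrincipalName: %s@%s\n' "$alias" "$REALM"
    done
    printf '%s\n' -
}

# Set APPLY=1 to feed the LDIF to ldapmodify; otherwise it is only printed.
# Afterwards, confirm with:
#   ldapsearch -x -LLL -b "$DN" krbPrincipalName krbCanonicalName
DN="uid=cory,ou=People,dc=cory,dc=albrecht,dc=name"
if [ "${APPLY:-0}" = 1 ]; then
    # BINDDN is assumed; use an identity allowed to write the krb* attributes.
    alias_ldif "$DN" cory cory/root | ldapmodify -x -D "${BINDDN:?}" -W
else
    alias_ldif "$DN" cory cory/root
fi
```

Aliases are additional names for one principal entry, not separate principals, so cory/root added this way authenticates with the same key as cory; a principal that needs its own key needs its own entry.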