
Re: Best practices storing multiple principals with the same LDAP

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sat Aug 22 13:36:08 2015

Message-ID: <55D8B2F3.8020308@mit.edu>
Date: Sat, 22 Aug 2015 13:35:47 -0400
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: cory@albrecht.name
In-Reply-To: <CAMW5rYL5Zb-Pmvt7dQgOTJ0wFRA2KUqLE8NyrKd4TpfAAVtjcQ@mail.gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 08/22/2015 11:34 AM, Cory Albrecht wrote:
> Let me see if I understand.
> 
> I've already created the principal for my account with:
> 
> addprinc -x dn=uid=cory,ou=People,dc=cory,dc=albrecht,dc=name cory
> 
> So now to that dn I need to add the krbCanonicalName attribute. When I
> create a new principal, say "cory/root", I can just manually add another
> krbPrincipalName attribute with it to the dn=uid=cory,... object? And
> something similar for the machine principals?

You have the procedure right.  However, this procedure creates multiple
names for the same principal entry.  You cannot have different principal
entries with different keys on the same LDAP object.  For that, you can
create standalone principal objects pointing to LDAP objects with -x
linkdn=... as suggested by Luca Rea.  These links do not affect the
behavior of the LDAP KDB module, but you can use the resulting
krbObjectReferences attribute in LDAP searches.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
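Greg's distinction above, as an added audit script (not from the thread and not part of MIT Kerberos) run over an LDIF export: objects carrying several krbPrincipalName values are aliases of one principal entry and therefore share its keys, while standalone principals created with -x linkdn= keep their own keys and record the link in krbObjectReferences. The LDIF, DNs and realm below are constructed placeholders; the attribute names are those of the MIT LDAP KDB schema discussed in the thread.

```python
import re
from collections import defaultdict
# Constructed LDIF, not a real directory: a user object carrying two
# krbPrincipalName aliases, plus a standalone principal (made with -x linkdn=)
# that points back at the user object through krbObjectReferences.
SAMPLE_LDIF = """\
dn: uid=cory,ou=People,dc=example,dc=net
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
krbPrincipalName: cory@EXAMPLE.NET
krbPrincipalName: cory/root@EXAMPLE.NET
krbCanonicalName: cory@EXAMPLE.NET

dn: krbPrincipalName=cory/admin@EXAMPLE.NET,cn=EXAMPLE.NET,cn=krbContainer,dc=example,dc=net
objectClass: krbPrincipal
krbPrincipalName: cory/admin@EXAMPLE.NET
krbObjectReferences: uid=cory,ou=People,dc=example,dc=net
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, no base64."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in chunk.splitlines():
            if line.startswith(" ") and lines:  # LDIF folds long lines
                lines[-1] += line[1:]
            else:
                lines.append(line)
        attrs = defaultdict(list)
        for line in lines:
            key, _, value = line.partition(":")
            attrs[key.strip()].append(value.strip())
        records.append((attrs.pop("dn", [""])[0], dict(attrs)))
    return records

def shared_key_aliases(records):
    """Several krbPrincipalName values on one object: one entry, one key set."""
    return {dn: sorted(a["krbPrincipalName"]) for dn, a in records
            if len(a.get("krbPrincipalName", [])) > 1}

def linked_principals(records):
    """Map each linked DN to the standalone principals (own keys) whose
    krbObjectReferences point at it."""
    links = defaultdict(list)
    for dn, a in records:
        for ref in a.get("krbObjectReferences", []):
            links[ref].extend(a.get("krbPrincipalName", []))
    return dict(links)
```

Running shared_key_aliases() over a real export shows which instance principals (a user/root, for example) were added as aliases and so share the user's keys rather than having keys of their own.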