[36779] in Kerberos
Re: Populating krbPrincipalName multivalued (Was: Re: LDAP searches
daemon@ATHENA.MIT.EDU (Simo Sorce)
Thu Feb 12 12:01:53 2015
Message-ID: <1423760486.5770.44.camel@willson.usersys.redhat.com>
From: Simo Sorce <simo@redhat.com>
To: Michael Ströder <michael@stroeder.com>
Date: Thu, 12 Feb 2015 12:01:26 -0500
In-Reply-To: <54DCDB6D.5040608@stroeder.com>
Cc: kerberos@mit.edu
On Thu, 2015-02-12 at 17:57 +0100, Michael Ströder wrote:
> Simo Sorce wrote:
> > On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
> >> On 2015-02-11 15:25, Simo Sorce wrote:
> >>> You should also search on KrbCanonicalName if you need exact matching,
> >>> krbPrincipalName is multivalued and may contain aliases.
> >>
> >> A bit off the topic, but please allow me a question here. I've noticed
> >> that addprinc -x dn= only allows a single principal per entry, and -x
> >> linkdn= does not put the krbPrincipalName into the specified entry. With
> >> utilizing the LDAP backend, what would be the way to make use of the
> >> krbPrincipalName's multivalued nature, and have it populated at the ldap
> >> entry's values?
> >
> > Well, LDAP support in kadmin is not really "complete". I use this stuff
> > mostly in FreeIPA where we have a different DAL driver and custom tools
> > to manipulate the DIT.
>
> In FreeIPA's schema I see krbPrincipalAliases and ipaKrbPrincipalAlias. What's
> the difference?
ipaKrbPrincipalAlias is a mistake we want to correct :-/
Simo.
--
Simo Sorce * Red Hat, Inc * New York
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos