[36783] in Kerberos


Re: Populating krbPrincipalName multivalued (Was: Re: LDAP searches

daemon@ATHENA.MIT.EDU (Greg Hudson)
Fri Feb 13 10:35:39 2015

Message-ID: <54DE19B1.90106@mit.edu>
Date: Fri, 13 Feb 2015 10:35:13 -0500
From: Greg Hudson <ghudson@mit.edu>
MIME-Version: 1.0
To: Gergely Czuczy <gergely.czuczy@harmless.hu>, kerberos@mit.edu
In-Reply-To: <54DDB1BB.7090402@harmless.hu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
> the principal is created under the realm's tree in ldap, and afterwards
> adding the principal to the ldap entry in question who it belongs to
> will make the KDC see it multiple times, but the one at the object's
> entry will not work obviously, because it's just the krbPrincipalName,
> without the actual additional stuff being there.

I'm having trouble following this part.  You should be able to create
principal entries with aliases as follows:

1. Create the principal under its canonical name with addprinc.
2. Add a krbCanonicalName attribute with the same value as the
krbPrincipalName value.
3. Add additional krbPrincipalName values.

> So, I understand it has to be managed manually, I just don't see how such principal aliases should be created consistently and correctly. Could you please provide some words on this? Alas, I was not able to find this in the docs.

We need to improve our LDAP module documentation.  Unfortunately there
is some non-trivial groundwork to be done with the schema first.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
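The three steps Greg lists (create the principal, add krbCanonicalName, add extra krbPrincipalName values) as an added example that is not part of the thread: the first function writes the LDIF for steps 2 and 3, the second checks an entry for the failure mode Gergely quotes above, a bare krbPrincipalName on an object with none of the KDC data behind it. The DN and principal names are constructed; the check assumes the MIT kerberos.schema attribute krbPrincipalKey is where the keys live.

```python
# Added example, not code from the thread. Names and DN below are constructed.

def alias_ldif(dn, canonical, aliases):
    """LDIF 'modify' text for steps 2 and 3: add krbCanonicalName (equal to the
    existing krbPrincipalName) and then the extra krbPrincipalName values."""
    lines = [f"dn: {dn}", "changetype: modify",
             "add: krbCanonicalName", f"krbCanonicalName: {canonical}"]
    if aliases:
        lines += ["-", "add: krbPrincipalName"]          # '-' separates the two mods
        lines += [f"krbPrincipalName: {a}" for a in aliases]
    return "\n".join(lines) + "\n"

def check_alias_entry(attrs):
    """Return the problems found in one entry's attributes (attribute -> list of
    values), including the 'just the krbPrincipalName' case from the quote."""
    problems = []
    names = attrs.get("krbPrincipalName", [])
    canon = attrs.get("krbCanonicalName", [])
    if not names:
        problems.append("no krbPrincipalName")
    if len(names) > 1 and not canon:
        problems.append("aliases present but no krbCanonicalName")
    if len(canon) > 1:
        problems.append("more than one krbCanonicalName")
    if canon and canon[0] not in names:
        problems.append("krbCanonicalName is not one of the krbPrincipalName values")
    if len(set(names)) != len(names):
        problems.append("duplicate krbPrincipalName values")
    if "krbPrincipalKey" not in attrs:     # assumption: keys are stored in krbPrincipalKey
        problems.append("no krbPrincipalKey: entry carries only a name, not a real principal")
    return problems

if __name__ == "__main__":
    canon = "host/a.example.com@EXAMPLE.COM"
    dn = f"krbPrincipalName={canon},cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"
    print(alias_ldif(dn, canon, ["host/alias.example.com@EXAMPLE.COM"]))
    # Constructed entry with only the name on it, as in the quoted report.
    print(check_alias_entry({"krbPrincipalName": ["host/alias.example.com@EXAMPLE.COM"]}))
```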
