[36784] in Kerberos
Re: Populating krbPrincipalName multivalued (Was: Re: LDAP searches
daemon@ATHENA.MIT.EDU (Gergely Czuczy)
Fri Feb 13 11:53:04 2015
Message-ID: <54DE2BE3.4010306@harmless.hu>
Date: Fri, 13 Feb 2015 17:52:51 +0100
From: Gergely Czuczy <gergely.czuczy@harmless.hu>
To: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
In-Reply-To: <54DE19B1.90106@mit.edu>
On 2015-02-13 16:35, Greg Hudson wrote:
> On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
>> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
>> the principal is created under the realm's tree in LDAP, and afterwards
>> adding the principal to the LDAP entry in question who it belongs to
>> will make the KDC see it multiple times, but the one at the object's
>> entry will not work obviously, because it's just the krbPrincipalName,
>> without the actual additional stuff being there.
> I'm having trouble following this part. You should be able to create
> principal entries with aliases as follows:
>
> 1. Create the principal under its canonical name with addprinc.
> 2. Add a krbCanonicalName attribute with the same value as the
> krbPrincipalName value.
> 3. Add additional krbPrincipalName values.
>
>> So, I understand it has to be managed manually, I just don't see how such principal aliases should be created consistently and correctly. Could you please provide some words on this? Alas, I was not able to find this in the docs.
> We need to improve our LDAP module documentation. Unfortunately there
> is some non-trivial groundwork to be done with the schema first.
So, this means, when adding an alias, additional work is not needed, just
another value for krbPrincipalName?
I had the impression that some additional stuff needs to be stored along
with the alias, like, I don't know, keys, or whatever stuff. This part
wasn't clear from the docs.
And I agree, it would be awesome if the docs covered it. Like, an
example would be useful that showed how to add an alias, then kinit with it.
Thanks for the help so far.
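
The three-step procedure quoted in this message, written out as an added example (not part of the thread and not MIT krb5 project code): a shell function that emits the LDIF for steps 2 and 3 against an entry already created with addprinc. The function name alias_ldif, the entry DN and the principal names are constructed placeholders, and the same-realm check is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Emits LDIF for steps 2 and 3 of the
# quoted procedure; step 1 (addprinc under the canonical name) is already done.
# Usage: alias_ldif ENTRY_DN CANONICAL_PRINCIPAL ALIAS...
alias_ldif() {
    [ "$#" -ge 3 ] || { echo "usage: alias_ldif DN CANONICAL ALIAS..." >&2; return 2; }
    dn=$1
    canon=$2
    shift 2
    case $canon in
        *@?*) realm=${canon##*@} ;;
        *) echo "canonical name has no @REALM: $canon" >&2; return 1 ;;
    esac
    seen=" "
    for a in "$@"; do
        # The canonical name is already a krbPrincipalName value on the entry.
        [ "$a" != "$canon" ] || { echo "alias equals canonical name: $a" >&2; return 1; }
        # Assumption of this example: aliases live in the canonical name's realm.
        case $a in
            *"@$realm") ;;
            *) echo "alias not in realm $realm: $a" >&2; return 1 ;;
        esac
        # Refuse whitespace: newlines break LDIF and edge spaces need base64.
        case $a in
            *[[:space:]]*) echo "whitespace in alias: $a" >&2; return 1 ;;
        esac
        # Listing the same value twice makes the whole modify fail.
        case $seen in
            *" $a "*) echo "duplicate alias: $a" >&2; return 1 ;;
        esac
        seen="$seen$a "
    done
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: krbCanonicalName\nkrbCanonicalName: %s\n-\n' "$canon"
    printf 'add: krbPrincipalName\n'
    for a in "$@"; do
        printf 'krbPrincipalName: %s\n' "$a"
    done
}

# Constructed sample values; substitute the DN of the entry addprinc created.
# Pipe the output to ldapmodify with your own bind options to apply it.
alias_ldif \
    'krbPrincipalName=host/a.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com' \
    'host/a.example.com@EXAMPLE.COM' \
    'host/www.example.com@EXAMPLE.COM'
```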