[36788] in Kerberos


Re: Populating krbPrincipalName multivalued (Was: Re: LDAP searches

daemon@ATHENA.MIT.EDU (Gergely Czuczy)
Sat Feb 14 02:20:23 2015

Message-ID: <54DEF721.3040506@harmless.hu>
Date: Sat, 14 Feb 2015 08:20:01 +0100
From: Gergely Czuczy <gergely.czuczy@harmless.hu>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>, kerberos@mit.edu
In-Reply-To: <54DE3889.9030904@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu


On 13/02/2015 18:46, Greg Hudson wrote:
> On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
>> So, this means, when adding an alias, additional work is not needed, just
>> another value for krbPrincipalName?
>> I had the impression that some additional stuff needs to be stored along
>> with the alias, like, I don't know, keys, or whatever stuff. This part
>> wasn't clear from the docs.
> The point of an alias is that it refers to the same principal entry,
> including keys.
>
> You do need to add a krbCanonicalName attribute so that the KDC knows
> which principal name is the canonical name.
So, actually, there's a difference between an alias and the -x linkdn=
option?
The alias is technically the very same principal, and addprinc -x
linkdn= is a new principal linked to an already existing entry in LDAP?

Is there a chance to add a couple of words on this here:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html
Also, adding the ticket renewable lifetime setting to the setup steps
would be helpful; it's missing from that section.

Thank you very much for sharing this, it makes sense now.

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
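The change Greg describes (an alias is just another krbPrincipalName value on the same entry, plus a krbCanonicalName that tells the KDC which name is canonical), written out as an LDIF modification. This is an added example, not part of the thread and not from the MIT krb5 project; the base DN, the realm container layout, the realm EXAMPLE.COM and the two host principal names are assumed placeholders.

```ldif
# Added example (not from the thread). Give an existing principal entry an
# alias by adding a second krbPrincipalName value, and record the canonical
# name so the KDC can tell the two apart. The DN layout, realm and
# principal names below are assumptions, not values from the list posting.
dn: krbPrincipalName=host/web01.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: host/www.example.com@EXAMPLE.COM
-
add: krbCanonicalName
krbCanonicalName: host/web01.example.com@EXAMPLE.COM
```

Apply it with ldapmodify as a DN that has write access to the realm container, then confirm with an ldapsearch on the entry that both krbPrincipalName values and the single krbCanonicalName are present. Because the alias resolves to the same entry, it also resolves to the same keys: a service ticket issued for host/www.example.com is encrypted under the same key as one for host/web01.example.com, so the keytab holding that key serves both names, and compromise of that one key affects both.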
