[36857] in Kerberos
RE: Concealing user principal names for realm crossover
daemon@ATHENA.MIT.EDU (Nordgren, Bryce L -FS)
Wed Mar 18 14:00:00 2015
From: "Nordgren, Bryce L -FS" <bnordgren@fs.fed.us>
To: Nico Williams <nico@cryptonector.com>,
Rick van Rein <rick@openfortress.nl>
Date: Wed, 18 Mar 2015 17:13:41 +0000
Message-ID: <82E7C9A01FD0764CACDD35D10F5DFB6E7B2D2E@001FSN2MPN1-046.001f.mgd2.msft.net>
In-Reply-To: <CAK3OfOjajZ5JA9XHTXStFSoUNOjAhyqY4juwqKyjPNtARt0khw@mail.gmail.com>
Cc: "<kerberos@mit.edu>" <kerberos@mit.edu>

> RedHat's FreeIPA may provide some similar functionality, but I'm not familiar
> with it. Ditto Samba.

If I'm not mistaken, FreeIPA 4.1+ should have the ability to overwrite or add user attributes locally (including "username", uidNumber, group membership). However, it can only do trusts with AD. The big advantage to overriding attributes locally is that it paves the way for trusts with plain Kerberos realms which aren't exporting any user attributes.

________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos