Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Gergely Czuczy gergely.czuczy at harmless.hu
Fri Feb 13 03:11:39 EST 2015


On 2015-02-12 17:38, Greg Hudson wrote:
> On 02/12/2015 03:28 AM, Gergely Czuczy wrote:
>> A bit off the topic, but please allow me a question here. I've noticed
>> that addprinc -x dn= only allows a single principal per entry, and -x
>> linkdn= does not put the krbPrincipalName into the specified entry. With
>> utilizing the LDAP backend, what would be the way to make use of the
>> krbPrincipalName's multivalued nature, and have it populated at the ldap
>> entry's values?
> We don't have kadmin support for principal aliases, only LDAP KDB module
> support.  You have to manage the krbPrincipalName and krbCanonicalName
> attributes directly via LDAP in order to create aliases.
>
Could you please provide more details on this? I understand
manually managing the attribute, but:
1) Purely adding another value to krbPrincipalName in LDAP does not
actually create a principal, and once a principal exists in a managed
subtree, it's not possible to add it using kadmin, because the value
already exists.
2) If I addprinc an alias principal on its own, or addprinc -x linkdn=, then
the principal is created under the realm's tree in LDAP, and afterwards
adding the principal to the LDAP entry it belongs to
will make the KDC see it multiple times, but the one at the object's
entry will obviously not work, because it's just the krbPrincipalName,
without the actual additional stuff being there.

So, I understand it has to be managed manually, I just don't see how
such principal aliases should be created consistently and correctly.
Could you please provide some words on this? Alas, I was not able to
find this in the docs.
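An added example, not code from this thread or from MIT krb5, of the direct-LDAP approach Greg describes: it emits the LDIF modify record that adds a second krbPrincipalName value to an existing entry and pins krbCanonicalName to the canonical name, and it refuses the inconsistent cases raised above (alias value already present on the entry, canonical name not among the entry's krbPrincipalName values). The DN and principal names are constructed sample values.

```python
SAMPLE_ENTRY = """\
dn: uid=gergely,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
krbPrincipalName: gergely@EXAMPLE.COM
"""  # constructed sample entry, not taken from the thread

def parse_entry(ldif):
    """Minimal LDIF reader for one entry: returns (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(": ")
        if key == "dn":
            dn = value
        else:
            attrs.setdefault(key, []).append(value)
    return dn, attrs

def check_alias(names, canonical, alias):
    """List the consistency problems with adding `alias`; empty means OK."""
    realm = lambda p: p.rsplit("@", 1)[-1]
    problems = []
    if realm(alias) != realm(canonical):
        problems.append("alias realm differs from the canonical name's realm")
    if canonical not in names:
        problems.append("krbCanonicalName must be one of the krbPrincipalName values")
    if alias in names:
        # the case in the thread: the value already exists on the entry
        problems.append("alias is already a krbPrincipalName value")
    return problems

def alias_ldif(entry_ldif, alias, canonical=None):
    """Build the LDIF modify record that adds `alias` to the entry's
    krbPrincipalName values and sets krbCanonicalName to `canonical`
    (default: the existing krbCanonicalName, else the first krbPrincipalName)."""
    dn, attrs = parse_entry(entry_ldif)
    names = attrs.get("krbPrincipalName", [])
    if not names:
        raise ValueError(f"{dn} has no krbPrincipalName; create the principal first")
    canonical = canonical or attrs.get("krbCanonicalName", names)[0]
    problems = check_alias(names, canonical, alias)
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        f"dn: {dn}", "changetype: modify",
        "add: krbPrincipalName", f"krbPrincipalName: {alias}", "-",
        "replace: krbCanonicalName", f"krbCanonicalName: {canonical}", "-",
    ]) + "\n"
```

Point 2 above (a separate entry under the realm container carrying the same name) cannot be detected from the one entry, so a subtree search for the alias as krbPrincipalName should precede applying the record with ldapmodify.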
