svn rev #22224: branches/krb5-1-7/doc/
tlyu@MIT.EDU
Tue Apr 14 17:07:31 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22224
Commit By: tlyu
Log Message:
ticket: 6419
version_fixed: 1.7
pull up r22089 from trunk
------------------------------------------------------------------------
r22089 | ghudson | 2009-03-15 00:15:16 -0400 (Sun, 15 Mar 2009) | 9 lines
Changed paths:
M /trunk/doc/admin.texinfo
ticket: 6419
subject: Document alias support in LDAP back end
tags: pullup
target_version: 1.7
Add a few paragraphs to the LDAP instructions on creating aliases
through direct manipulation of the LDAP data, and briefly explain when
aliases will be used.
Changed Files:
U branches/krb5-1-7/doc/admin.texinfo
Modified: branches/krb5-1-7/doc/admin.texinfo
===================================================================
--- branches/krb5-1-7/doc/admin.texinfo 2009-04-14 21:07:28 UTC (rev 22223)
+++ branches/krb5-1-7/doc/admin.texinfo 2009-04-14 21:07:31 UTC (rev 22224)
@@ -4039,6 +4039,26 @@
Add krb5principalname to the indexes in slapd.conf to speed up the access.
@end enumerate
+With the LDAP back end it is possible to provide aliases for principal
+entries. Currently we provide no mechanism provided for creating
+aliases, so it must be done by direct manipulation of the LDAP
+entries.
+
+An entry with aliases contains multiple values of the krbPrincipalName
+attribute. Since LDAP attribute values are not ordered, it is
+necessary to specify which principal name is canonical, by using the
+krbCanonicalName attribute. Therefore, to create aliases for an
+entry, first set the krbCanonicalName attribute of the entry to the
+canonical principal name (which should be identical to the
+pre-existing krbPrincipalName value), and then add additional
+krbPrincipalName attributes for the aliases.
+
+Principal aliases are only returned by the KDC when the client
+requests canonicalization. Canonicalization is normally requested for
+service principals; for client principals, an explicit flag is often
+required (e.g. @code{kinit -C}) and canonicalization is only performed
+for initial ticket requests.
+
@node Application Servers, Backups of Secure Hosts, Configuring Kerberos with OpenLDAP back-end, Top
@chapter Application Servers
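Review bot: the second sentence of the first added paragraph has a doubled verb, "Currently we provide no mechanism provided for creating aliases"; it should read "Currently no mechanism is provided for creating aliases" (or "we provide no mechanism for creating aliases"). The paragraph on krbCanonicalName says it is "necessary to specify which principal name is canonical" but does not say how an entry with several krbPrincipalName values and no krbCanonicalName behaves; since administrators are being told to edit the LDAP entries by hand, stating that outcome (or pointing to where it is documented) would help them verify a partially applied change.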