ldap principal aliases
Luke Howard
lukeh at padl.com
Sun Aug 30 03:21:22 EDT 2009
> Yep, sure enough. The version on wopr is pretty old.
>
> Are there any known scenarios where forcing canonicalization on the KDC
> would be bad? I was thinking about just removing the check for that
> flag from our KDCs, since there are quite a few servers that have the
> old libraries.
This will create problems in the AS path, because the client library
won't expect a different principal name. In the TGS path, I think Greg
is right (but if you're going to disable the check, I'd do it in
libkdb_ldap rather than the KDC).
-- Luke
More information about the Kerberos mailing list