ldap principal aliases

Luke Howard lukeh at padl.com
Sun Aug 30 04:14:40 EDT 2009


> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).

In the TGS path, it's fine for a backend to always return aliases
regardless of the setting of the canonicalize flag (after all, they  
are indistinguishable to the service from genuine principals). IIRC  
the DSfW backend does this.

-- Luke


