ldap principal aliases
Luke Howard
lukeh at padl.com
Sun Aug 30 04:14:40 EDT 2009
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).
In the TGS path, it's fine for a backend to always return aliases
regardless of the setting of the canonicalize flag (after all, they
are indistinguishable to the service from genuine principals). IIRC
the DSfW backend does this.
-- Luke