ldap principal aliases
Chris
lists at deksai.com
Thu Sep 3 15:10:04 EDT 2009
On Sun, Aug 30, 2009 at 09:21:22AM +0200, Luke Howard wrote:
> >Yep, sure enough. The version on wopr is pretty old.
> >
> >Are there any known scenarios where forcing canonicalization on
> >the KDC
> >would be bad? I was thinking about just removing the check for that
> >flag from our KDCs, since there are quite a few servers that have the
> >old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think
> Greg is right (but if you're going to disable to check, I'd do it in
> libkdb_ldap rather than the KDC).
>
> -- Luke
Thank you both for the input (and the patch). I apologize, I was out on
vacation for several days, so I didn't mean to ignore you!
I see that the patch made it into svn. I will apply it here, and let
you know if I run into any problems.
Chris
More information about the Kerberos
mailing list