ldap principal aliases

Chris lists at deksai.com
Thu Sep 3 15:10:04 EDT 2009


On Sun, Aug 30, 2009 at 09:21:22AM +0200, Luke Howard wrote:
> >Yep, sure enough.  The version on wopr is pretty old.
> >
> >Are there any known scenarios where forcing canonicalization on the
> >KDC would be bad?  I was thinking about just removing the check for
> >that flag from our KDCs, since there are quite a few servers that have
> >the old libraries.
> 
> 
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think
> Greg is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).
> 
> -- Luke

Thank you both for the input (and the patch).  I apologize, I was out on
vacation for several days, so I didn't mean to ignore you!

I see that the patch made it into svn.  I will apply it here, and let
you know if I run into any problems.


Chris







