mapping principal name to local unix account name

Roland C. Dowdeswell elric at imrryr.org
Tue Dec 18 09:01:08 EST 2012


On Mon, Dec 17, 2012 at 05:20:23PM -0800, Jim Shi wrote:
>

> Hi, I checked the KDC source code, and it seems to have code to
> support database-based mapping of principal names to unix account
> names.
> But I cannot find any document on how to configure the KDC to use it.
> Where can I find the information?  Can someone please tell me how to
> configure the KDC to use database mapping as well as how to set up
> the mapping database?

If you are talking about the ANAME_DB logic, that's in the client
libraries not the KDCs.  There was a discussion about it a while ago

http://mailman.mit.edu/pipermail/krbdev/2010-September/009417.html

I don't think that the patch proposed was integrated but I may have
missed it.

In the current development sources, Heimdal has a plugin architecture
for both krb5_aname_to_lname() and krb5_kuserok() which can consult
databases, though, if that is an option.  You can use CDB for
krb5_aname_to_lname() by using the following plugin:

https://github.com/elric1/h5l_an2ln_cdb

This will provide a simple mapping from authenticated names (i.e.
Kerberos principals) to local names (i.e. UNIX accounts).

--
    Roland Dowdeswell                      http://Imrryr.ORG/~elric/
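The two steps the reply refers to, mapping an authenticated name to a
local name and then asking whether that principal may act as a given
local user, can be modelled in a few lines.  The following is an added
example written for this page; it is not Heimdal's plugin API, not the
h5l_an2ln_cdb plugin, and not MIT's ANAME_DB code.  The in-memory dict
MAPPING_DB stands in for the CDB file such a plugin would open, the
realm EXAMPLE.COM and the principals in it are constructed sample data,
and the lookup order (database first, then the built-in "one component
in the default realm" rule) is this example's own choice.  The .k5login
handling follows the usual semantics: if the file exists, only the
principals listed in it are accepted, as whole principal strings.

```python
"""Model of Kerberos aname -> lname mapping and the kuserok check.

Added example, not code from Heimdal, MIT Kerberos or the mailing-list
post.  All principals, realms and mappings below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the CDB/Berkeley DB file an an2ln plugin
# would consult: full principal string -> local account name.
MAPPING_DB: Dict[str, str] = {
    "alice/admin@EXAMPLE.COM": "root",
    "bob@PARTNER.EXAMPLE": "bob-ext",
}
DEFAULT_REALM = "EXAMPLE.COM"  # assumed local realm for the example


def parse_principal(text: str) -> Tuple[List[str], str]:
    """Split 'c1/c2@REALM' into (components, realm).

    A backslash quotes the next character, so 'a\\@b@R' is the single
    component 'a@b' in realm 'R'.  Raises ValueError on malformed input.
    """
    comps: List[str] = []
    cur: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and c == "/":
            comps.append("".join(cur))
            cur = []
        elif not in_realm and c == "@":
            comps.append("".join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(c)
        i += 1
    if not in_realm:
        raise ValueError(f"principal has no realm: {text!r}")
    realm = "".join(cur)
    if not realm or any(not c for c in comps):
        raise ValueError(f"empty component or realm in: {text!r}")
    return comps, realm


def unparse_principal(comps: List[str], realm: str) -> str:
    """Canonical quoted form, used as the database key."""
    def q(s: str) -> str:
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(q(c) for c in comps) + "@" + q(realm)


def aname_to_lname(principal: str,
                   db: Dict[str, str] = MAPPING_DB,
                   default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Return the local account for a principal, or None if there is none.

    Order (this example's choice): explicit database entry first, then
    the classic built-in rule.  A principal from a foreign realm that is
    not listed explicitly is never mapped by its bare name.
    """
    comps, realm = parse_principal(principal)
    key = unparse_principal(comps, realm)
    if key in db:
        return db[key]
    if realm == default_realm and len(comps) == 1:
        return comps[0]
    return None


def kuserok(principal: str, luser: str,
            k5login: Optional[List[str]],
            db: Dict[str, str] = MAPPING_DB,
            default_realm: str = DEFAULT_REALM) -> bool:
    """May `principal` log in as local user `luser`?

    k5login is the content of ~luser/.k5login as a list of lines, or
    None if the file does not exist.  When it exists it is authoritative:
    only principals listed there (compared as whole principals) pass.
    """
    comps, realm = parse_principal(principal)
    key = unparse_principal(comps, realm)
    if k5login is not None:
        for line in k5login:
            line = line.strip()
            if not line:
                continue
            try:
                if unparse_principal(*parse_principal(line)) == key:
                    return True
            except ValueError:
                continue  # ignore unparsable lines rather than failing open
        return False
    return aname_to_lname(principal, db, default_realm) == luser


if __name__ == "__main__":
    for p in ("alice@EXAMPLE.COM", "alice/admin@EXAMPLE.COM",
              "bob@PARTNER.EXAMPLE", "carol@PARTNER.EXAMPLE"):
        print(f"{p:28} -> {aname_to_lname(p)}")
    print(kuserok("mallory@EXAMPLE.COM", "alice", ["mallory@EXAMPLE.COM"]))
```

The point to take from the realm check is the one that matters in a
cross-realm setup: carol@PARTNER.EXAMPLE maps to nothing, so she cannot
log in as a local "carol" unless an administrator adds an explicit
database entry or the local user lists her in .k5login.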

