Constructing User DN using principal name
Douglas E. Engert
deengert at anl.gov
Mon Apr 15 11:09:06 EDT 2013
On 4/14/2013 7:31 AM, diptivs at gmail.com wrote:
> Our application needs to construct the User DN after successful authentication
> for authorization. Currently what the application has is the user principal name.
>
> The user principal name is of the format: Username at RealmName, and the user DN is of the
> form
> cn=<Username>,cn=Users,cn=<DomainName>,cn=com
Unless the LDAP database is used by the KDC, you will have problems.
Are you referring to "DomainName" as in Windows Active Directory?
If so you can do an LDAP query of AD for userPrincipalName
BUT if you are using smartcards issued by outside CAs
the userPrincipalName may not match. (MS overloaded the
userPrincipalName definition.) AD Kerberos will map
to an account mapping username at realm to userPrincipalName or
sAMAccountName at domain.
If the application LDAP database is not one of the above, you may
need to add a userPrincipalName attribute to it so you can do the mapping.
>
> As the Realm need not always be the same as the Domain name: how do we get this
> <DomainName> using the Realm in the user name?
> Any suggestions to solve this problem would be of help.
>
> Currently we are using MIT libraries v1.5.3. Soon we will upgrade to latest.
>
> Thanks,
> Dipti
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
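An added example, not from this thread, of the mapping the reply describes: derive the AD domain from the realm with an application-maintained table, try userPrincipalName first, then fall back to sAMAccountName confined to that domain's naming context, escaping the principal before it goes into an LDAP filter. The realm map, directory entries and DNs are constructed; it assumes the standard AD DC= naming context rather than the cn= form in the question, and the in-memory search stands in for a real LDAP query.

```python
# Constructed realm -> AD DNS domain map (assumption: maintained by the application).
REALM_TO_DOMAIN = {"EXAMPLE.COM": "example.com", "CORP.EXAMPLE.COM": "corp.example.com"}

# Constructed stand-ins for AD search results. Carol's UPN comes from a
# smartcard issued by an outside CA and does not equal her Kerberos principal.
DIRECTORY = [
    {"dn": "CN=Alice,CN=Users,DC=example,DC=com",
     "userPrincipalName": "alice@example.com", "sAMAccountName": "alice"},
    {"dn": "CN=Bob,CN=Users,DC=corp,DC=example,DC=com",
     "userPrincipalName": "bob@corp.example.com", "sAMAccountName": "bob"},
    {"dn": "CN=Carol,CN=Users,DC=example,DC=com",
     "userPrincipalName": "1234567890@mil", "sAMAccountName": "carol"},
]

def escape_filter_value(value):
    """RFC 4515 escaping so a principal name cannot rewrite the LDAP filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def base_dn_for_domain(domain):
    """example.com -> DC=example,DC=com (the AD default naming context)."""
    return ",".join("DC=" + label for label in domain.split("."))

def naming_context(dn):
    """The DC=... tail of a DN, i.e. the domain partition the entry lives in."""
    return ",".join(p for p in dn.split(",") if p.upper().startswith("DC="))

def plan_lookup(principal):
    """From user@REALM derive the UPN to match, the sAMAccountName fallback,
    the search base for the realm's domain, and the escaped LDAP filters."""
    if principal.count("@") != 1:
        raise ValueError("expected exactly one '@' in principal")
    user, realm = principal.split("@")
    domain = REALM_TO_DOMAIN.get(realm.upper())
    if domain is None:
        raise KeyError("no AD domain mapped for realm %s" % realm)
    upn = user + "@" + domain
    return {"upn": upn, "sam": user, "base_dn": base_dn_for_domain(domain),
            "upn_filter": "(userPrincipalName=%s)" % escape_filter_value(upn),
            "sam_filter": "(sAMAccountName=%s)" % escape_filter_value(user)}

def resolve_dn(principal, directory=DIRECTORY):
    """In-memory stand-in for sending the two filters to AD, in order."""
    plan = plan_lookup(principal)
    for e in directory:  # AD matches userPrincipalName case-insensitively
        if e["userPrincipalName"].lower() == plan["upn"].lower():
            return e["dn"]
    for e in directory:  # fallback, confined to the realm's own domain partition
        if (e["sAMAccountName"].lower() == plan["sam"].lower()
                and naming_context(e["dn"]).lower() == plan["base_dn"].lower()):
            return e["dn"]
    return None
```

Against a live directory, send `plan["upn_filter"]` and then `plan["sam_filter"]` with `plan["base_dn"]` as the search base; the fallback must stay scoped to that base so an account in another domain cannot be matched by sAMAccountName alone.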