Constructing User DN using principal name

diptivs@gmail.com diptivs at gmail.com
Mon Apr 15 21:26:23 EDT 2013 

Thanks Douglas.

The support is mainly for active directory and MIT KDC.

I was looking for some Kerberos API which can get me the domain name with
realm-domainName mapping. Actually DomainName is required at Authorization
directory to construct a search filter and it is not recommended to do a
bind from this server with AD/MIT_KDC just to retrieve domain name.

Please let me know if you have any more suggestions. Thanks.



On Mon, Apr 15, 2013 at 8:39 PM, Douglas E. Engert <deengert at anl.gov> wrote:

>
>
> On 4/14/2013 7:31 AM, diptivs at gmail.com wrote:
> > Our application needs to construct User DN after successful
> authentication
> > for authorization.Currently what application has is user principal name.
> >
> > User principal name is of format: Userame at RealmName And user DN is of
> the
> > form
> > cn=<Username>,cn=Users,cn=<DomainName>,cn=com
>
> Unless the LDAP database is used by the KDC, you will have problems.
>
> Are referring to "DomainName" as in Windows Active directory?
> If so you can do an LDAP query of AD for userPrincipalName
> BUT if you are using smartcards issued by outside CAs
> the userPprincipalName  may not match. (MS overloaded the
> userPrincipalName definition.) AD Kerberos will map
> to an account  mapping usernam at realm to userPrincipalName or
> sAMAccontName at domain.
>
> If the application LDAP database is not one of the above, you may
> need to add a userPrincipalName attribute to itso you can do the mapping.
>
>
> >
> > As Realm need not be always same as Domain name: How to get this
> > <DomainName> using the Realm in the user name?
> > Any suggestions to solve this problem would be of help.
> >
> > Currently we are using MIT libraries v1.5.3. Soon we will upgrade to
> latest.
> >
> > Thanks,
> > Dipti
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >
>
> --
>
>   Douglas E. Engert  <DEEngert at anl.gov>
>   Argonne National Laboratory
>   9700 South Cass Avenue
>   Argonne, Illinois  60439
>   (630) 252-5444
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



-- 
Have a nice day!
Regards,
Dipti
http://in.linkedin.com/in/diptivs

More information about the Kerberos mailing list