Best practices storing multiple principals with the same LDAP object

Cory Albrecht cory at albrecht.name
Fri Aug 21 00:35:15 EDT 2015


Hello,

I just recently redid my krb5 setup to use LDAP as a backend (for less
hassle with replication, since the LDAP servers were already doing that), and I
was wondering what the best/easiest ways were to deal with cases where
multiple Kerberos principals would be logically associated with a single
account/LDAP object.

I set up the subtree searches when I ran krb5_ldap_util, and I was able to
copy the relevant krb... attributes to my LDAP account and verified that
kinit, kadmin and such all still work as expected. I know about the -x
"dn=..." attribute for addprinc, etc., to use in kadmin to create the
principals in the proper part of the LDAP subtree (for me, ou=People,...)
rather than manually copying the attributes, though I have yet to do so.

I am a little confused, though, as to how multiple principals can be stored
with the same LDAP object, mostly for host principals like
nfs/server.example.com@EXAMPLE.COM or host/server.example.com@EXAMPLE.COM. Both
of them would logically go with the uid=server,ou=Devices,cn=example,cn=com
object, but not all of the krb... attributes can be multi-valued.

I assume that aliased principals would be similar?

If somebody could point me at an appropriate tutorial online, or otherwise
explain how this is best accomplished, I would appreciate it.

(I'm running krb5+openldap on Ubuntu 15.04, but the machines on the
network are a hodgepodge of OS X, Ubuntu, OpenBSD, FreeBSD in various
versions, and various Cisco and HP switches and routers, if that makes any
difference.)

Thanks in advance!


More information about the Kerberos mailing list