Best practices storing multiple principals with the same LDAP object

Greg Hudson ghudson at mit.edu
Fri Aug 21 23:49:36 EDT 2015


On 08/21/2015 12:35 AM, Cory Albrecht wrote:
> I just recently redid my krb5 setup to use LDAP as backend (for less
> hassle replication since the LDAP servers were already doing that) and I
> was wondering what the best/easiest ways were to deal with cases where
> multiple kerberos principals would be logically associated with a single
> account/LDAP object.

We have support for this in the LDAP KDB module, but not in the
administrative tools, and it isn't documented.  After creating the
principal with the canonical name, you need to add a krbCanonicalName
attribute for the canonical name (with the same value as the already
existing krbPrincipalName attribute), and then add additional
krbPrincipalName attributes.
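The two attribute changes described above, as an added example that is not part of the original post or of the MIT krb5 project. It is a small POSIX sh helper that emits one LDIF modify record: first it adds krbCanonicalName with the value of the entry's existing canonical krbPrincipalName, then it adds each alias as a further krbPrincipalName value, so the two changes are applied in that order and as a single LDAP operation. The DN, realm and principal names in the usage line are assumptions; the helper name is invented for this example, and it refuses aliases that lack a realm or that equal the canonical name.

```shell
#!/bin/sh
# Added example, not from the original post or the krb5 project.
# make_alias_ldif DN CANONICAL ALIAS...
# Prints an LDIF "changetype: modify" record for the principal entry at DN
# that (1) sets krbCanonicalName to CANONICAL (the value the entry already
# carries in krbPrincipalName) and (2) adds every ALIAS as an additional
# krbPrincipalName value.  Pipe the output into ldapmodify.
make_alias_ldif() {
    dn=$1; canon=$2; shift 2

    # Sanity checks: every name needs a realm, and an alias that equals the
    # canonical name would just duplicate the existing attribute value.
    case $canon in
        *@*) ;;
        *) echo "canonical name lacks a realm: $canon" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "no aliases given" >&2; return 1; }
    for alias in "$@"; do
        case $alias in
            *@*) ;;
            *) echo "alias lacks a realm: $alias" >&2; return 1 ;;
        esac
        [ "$alias" != "$canon" ] || {
            echo "alias equals canonical name: $alias" >&2; return 1; }
    done

    # One modify record, two modifications, applied in order by the server.
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'add: krbCanonicalName\nkrbCanonicalName: %s\n-\n' "$canon"
    printf 'add: krbPrincipalName\n'
    for alias in "$@"; do
        printf 'krbPrincipalName: %s\n' "$alias"
    done
    printf -- '-\n\n'
}

# Usage (assumed DN and names; the container layout is the default
# cn=<REALM>,cn=krbContainer,<base> one):
#   make_alias_ldif \
#     'krbPrincipalName=host/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com' \
#     host/www.example.com@EXAMPLE.COM \
#     host/alias.example.com@EXAMPLE.COM \
#   | ldapmodify -x -D cn=admin,dc=example,dc=com -W
```

After applying it, confirm the entry with `ldapsearch -LLL -x -b '<the DN>' krbPrincipalName krbCanonicalName`: you should see exactly one krbCanonicalName and the canonical name plus each alias as krbPrincipalName values.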
