Best practices storing multiple principals with the same LDAP object

Cory Albrecht cory at albrecht.name
Sat Aug 22 11:34:19 EDT 2015


Let me see if I understand.

I've already created the principal for my account with:

addprinc -x dn=uid=cory,ou=People,dc=cory,dc=albrecht,dc=name cory

So now to that dn I need to add the krbCanonicalName attribute. When I
create a new principal, say "cory/root", I can just manually add another
krbPrincipalName attribute with it to the dn=uid=cory,... object? And
something similar for the machine principals?

On Fri, Aug 21, 2015 at 11:49 PM, Greg Hudson <ghudson at mit.edu> wrote:

> On 08/21/2015 12:35 AM, Cory Albrecht wrote:
> > I just recently redid my krb5 setup to use LDAP as backend (for less
> > hassle replication since the LDAP servers were already doing that) and I
> > was wondering what the best/easiest ways were to deal with cases where
> > multiple kerberos principals would be logically associated with a single
> > account/LDAP object.
>
> We have support for this in the LDAP KDB module, but not in the
> administrative tools, and it isn't documented.  After creating the
> principal with the canonical name, you need to add a krbCanonicalName
> attribute for the canonical name (with the same value as the already
> existing krbPrincipalName attribute), and then add additional
> krbPrincipalName attributes.
>
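The change Greg describes (add krbCanonicalName for the existing name, then extra krbPrincipalName values) has to be applied with an LDAP client rather than kadmin. The script below is an added example, not code from the thread or from MIT krb5: it builds the LDIF modify record for the DN Cory used. The realm CORY.ALBRECHT.NAME and the alias cory/root@CORY.ALBRECHT.NAME are assumptions; the real values are whatever addprinc stored in the entry's krbPrincipalName, and that value must be reused verbatim as the krbCanonicalName.

```shell
#!/bin/sh
# Added example (not from the thread or from MIT krb5): emit the LDIF
# "modify" record that gives one LDAP object several principal names.
# The DN is the one from Cory's addprinc command; the realm
# CORY.ALBRECHT.NAME and the alias cory/root are assumptions.
#
# Apply it against the KDC's LDAP server, e.g.
#   sh kdb_alias.sh | ldapmodify -x -D "cn=admin,dc=cory,dc=albrecht,dc=name" -W
# then look the alias up with kadmin.local getprinc to confirm the KDB
# module resolves it to the same entry.

# alias_ldif DN CANONICAL ALIAS [ALIAS...]
# Prints one LDIF modify record that adds krbCanonicalName (single-valued;
# it must equal the krbPrincipalName addprinc already stored) and one
# krbPrincipalName value per alias.  Every name must carry its realm,
# which is how the LDAP KDB module stores principal names.
alias_ldif() {
    dn=$1
    canon=$2
    shift 2
    [ $# -ge 1 ] || { echo "alias_ldif: at least one alias is required" >&2; return 1; }
    for name in "$canon" "$@"; do
        case $name in
            *@?*) ;;
            *) echo "alias_ldif: '$name' must include its realm" >&2; return 1 ;;
        esac
    done
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'add: krbCanonicalName\n'
    printf 'krbCanonicalName: %s\n' "$canon"
    printf '%s\n' -
    printf 'add: krbPrincipalName\n'
    for alias in "$@"; do
        printf 'krbPrincipalName: %s\n' "$alias"
    done
}

# Stand-alone run: print the record for the account from the thread.
alias_ldif 'uid=cory,ou=People,dc=cory,dc=albrecht,dc=name' \
    'cory@CORY.ALBRECHT.NAME' \
    'cory/root@CORY.ALBRECHT.NAME'
```

The realm check matters because an alias written without "@REALM" is silently stored as a different string from what the KDC looks up, and the mistake only shows up later as an unknown-principal error. Greg's reply only covers the mechanism itself; whether the same attribute layout is the right choice for host principals is not answered in this thread.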

