Best practices storing multiple principals with the same LDAP object

Greg Hudson ghudson at mit.edu
Sat Aug 22 13:35:47 EDT 2015


On 08/22/2015 11:34 AM, Cory Albrecht wrote:
> Let me see if I understand.
> 
> I've already created the principal for my account with:
> 
> addprinc -x dn=uid=cory,ou=People,dc=cory,dc=albrecht,dc=name cory
> 
> So now to that dn I need to add the krbCanonicalName attribute. When I
> create a new principal, say "cory/root", I can just manually add another
> krbPrincipalName attribute with it to the dn=uid=cory,... object? And
> something similar for the machine principals?

You have the procedure right.  However, this procedure creates multiple
names for the same principal entry.  You cannot have different principal
entries with different keys on the same LDAP object.  For that, you can
create standalone principal objects pointing to LDAP objects with -x
linkdn=... as suggested by Luca Rea.  These links do not affect the
behavior of the LDAP KDB module, but you can use the resulting
krbObjectReferences attribute in LDAP searches.
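The distinction Greg draws, as an added example (not code from the thread): the existing uid=cory object stays the entry for the `cory` principal, while `cory/root` gets its own standalone principal entry, with its own keys, linked back with `-x linkdn=`; the script then checks the resulting `krbObjectReferences` value on the user object. The realm name, realm container DN and the `ldapsearch` bind options are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Creates a second principal
# (cory/root) with its own keys as a standalone principal entry linked to
# the existing uid=cory object with -x linkdn=, then checks the back-reference
# that the LDAP KDB module writes into krbObjectReferences on that object.
# Assumptions: MIT kadmin.local with the LDAP KDB module, an ldapsearch
# client, and the placeholder realm/container DNs below (not in the thread).
set -eu

USER_DN="uid=cory,ou=People,dc=cory,dc=albrecht,dc=name"
REALM="EXAMPLE.REALM"                                             # assumed
REALM_DN="cn=$REALM,cn=krbContainer,dc=cory,dc=albrecht,dc=name"  # assumed

# kadmin command for a linked standalone principal. Contrast with the
# "-x dn=" form in the thread, which makes the object itself the principal
# entry, so further krbPrincipalName values there are aliases of one key set.
linked_addprinc_cmd() {
    # $1 = principal name, $2 = DN of the existing LDAP object to link to
    printf 'addprinc -x linkdn=%s %s' "$2" "$1"
}

# Count krbObjectReferences values in LDIF text that equal the given DN.
# Exact string match, so a partial or differently ordered DN counts as 0.
count_object_refs() {
    # $1 = LDIF text (as printed by ldapsearch -LLL), $2 = DN to look for
    printf '%s\n' "$1" | awk -v dn="$2" \
        '$0 == "krbObjectReferences: " dn { n++ } END { print n + 0 }'
}

# Set DRY_RUN=0 to run against the KDC; by default only the helpers are
# defined so the script can be sourced and checked without a KDC.
if [ "${DRY_RUN:-1}" = 0 ]; then
    # kadmin prompts for the new principal's password.
    kadmin.local -q "$(linked_addprinc_cmd cory/root "$USER_DN")"

    # The standalone entry is assumed to land in the realm container; the
    # user object should now carry a krbObjectReferences value naming it.
    # Adjust bind options (-x, -D, -W) to what your directory requires.
    out=$(ldapsearch -LLL -x -b "$USER_DN" -s base '(objectClass=*)' krbObjectReferences)
    if [ "$(count_object_refs "$out" "krbPrincipalName=cory/root@$REALM,$REALM_DN")" -ge 1 ]; then
        echo "linked principal reference present on $USER_DN"
    else
        echo "no krbObjectReferences for cory/root on $USER_DN" >&2
        exit 1
    fi
fi
```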

