LDAP searches for Kerberos entries

Michael Ströder michael at stroeder.com
Wed Feb 11 10:24:09 EST 2015


Simo Sorce wrote:
> On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
>> Hi!
>>
>> Maybe some of you are using MIT Kerberos with LDAP backend.
>>
>> For creating a decent web2ldap search form template for the Kerberos schema
>> I'd like to know which kind of searches you usually do when looking into your
>> backend via LDAP.
>>
>> Which attributes are you usually using in the search?
>> Which filters do you hack on command-line?
>>
>> Well, 'krbPrincipalName' will of course be the most used search attribute. The
>> default equality matching rule is caseExactIA5Match, so for convenience I'd
>> add something to use caseIgnoreIA5Match without the user having to select that
>> himself.
> 
> You should also search on KrbCanonicalName if you need exact matching,
> krbPrincipalName is multivalued and may contain aliases.

Thanks, added it.

What about 'krbPrincipalAliases'? Is that actually used?

Ciao, Michael.
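
An added example (not part of the original message, and not web2ldap's code) of the filters discussed in this thread: the default exact match on krbPrincipalName, an extensible match that selects caseIgnoreIA5Match, and a search on krbCanonicalName that ignores aliases. The function names, the sample entry and the local matcher are constructed for illustration; support for the extensible match on the directory server is assumed.

```python
# Added example. Attribute and matching-rule names come from the thread;
# function names and the sample entry are constructed for illustration.

def escape_filter_value(value):
    """Escape an assertion value (RFC 4515) so input cannot change the filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def principal_filter(name, ignore_case=False, canonical_only=False):
    """Build a search filter for one Kerberos principal name."""
    value = escape_filter_value(name)
    if canonical_only:
        # Canonical name only: an alias of the principal does not match.
        attr = 'krbCanonicalName'
    else:
        # Multi-valued: matches the canonical name and any alias.
        attr = 'krbPrincipalName'
    if ignore_case:
        # Extensible match overrides the default caseExactIA5Match rule.
        return '(%s:caseIgnoreIA5Match:=%s)' % (attr, value)
    return '(%s=%s)' % (attr, value)

def entry_matches(entry, name, ignore_case=False, canonical_only=False):
    """Local stand-in for how a server evaluates the filter (approximation:
    case folding only, no whitespace normalisation)."""
    attr = 'krbCanonicalName' if canonical_only else 'krbPrincipalName'
    fold = str.lower if ignore_case else (lambda s: s)
    return any(fold(v) == fold(name) for v in entry.get(attr, []))

# Constructed sample entry: one canonical name plus one alias.
SAMPLE = {
    'krbCanonicalName': ['host/www.example.com@EXAMPLE.COM'],
    'krbPrincipalName': ['host/www.example.com@EXAMPLE.COM',
                         'host/web@EXAMPLE.COM'],
}

if __name__ == '__main__':
    alias = 'host/web@EXAMPLE.COM'
    for args in ({}, {'ignore_case': True}, {'canonical_only': True}):
        print(principal_filter(alias, **args),
              entry_matches(SAMPLE, alias, **args))
```
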
