Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)
Gergely Czuczy
gergely.czuczy at harmless.hu
Thu Feb 12 03:28:24 EST 2015
On 2015-02-11 15:25, Simo Sorce wrote:
> On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
>> HI!
>>
>> Maybe some of you are using MIT Kerberos with LDAP backend.
>>
>> For creating a decent web2ldap search form template for the Kerberos schema
>> I'd like to know which kind of searches you usually do when looking into your
>> backend via LDAP.
>>
>> Which attributes are you usually using in the search?
>> Which filters do you hack on command-line?
>>
>> Well, 'krbPrincipalName' will of course be the most used search attribute. The
>> default equality matching rule is caseExactIA5Match, so for convenience I'd
>> add something to use caseIgnoreIA5Match without the user having to select that
>> himself.
> You should also search on KrbCanonicalName if you need exact matching,
> krbPrincipalName is multivalued and may contain aliases.

A bit off topic, but please allow me a question here. I've noticed
that addprinc -x dn= only allows a single principal per entry, and -x
linkdn= does not put the krbPrincipalName into the specified entry. When
utilizing the LDAP backend, what would be the way to make use of
krbPrincipalName's multivalued nature, and have it populated in the LDAP
entry's values?

>
> Simo.
>
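
Added example, not part of the original messages: a Python sketch of the two searches discussed in the quoted text, a case-insensitive extensible match on the multivalued krbPrincipalName and an equality match on krbCanonicalName, with RFC 4515 escaping of user-typed names. The helper names and the sample entry are constructed for illustration, and it is assumed that krbCanonicalName is single-valued and compared case-exactly.

```python
# Constructed sample entry (not from the thread): one canonical name plus one alias.
ENTRY = {
    "dn": "krbPrincipalName=host/web1.example.org@EXAMPLE.ORG,cn=EXAMPLE.ORG,dc=example,dc=org",
    "krbCanonicalName": ["host/web1.example.org@EXAMPLE.ORG"],
    "krbPrincipalName": [
        "host/web1.example.org@EXAMPLE.ORG",
        "host/www.example.org@EXAMPLE.ORG",  # alias value
    ],
}


def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def principal_filter(name, canonical_only=False):
    """Build the LDAP filter for a principal name typed into a search form."""
    value = escape_filter_value(name)
    if canonical_only:
        # Plain equality match against the canonical name only.
        return "(krbCanonicalName=%s)" % value
    # Extensible match: replaces the default caseExactIA5Match with the
    # case-insensitive rule, so the user does not have to select it.
    return "(krbPrincipalName:caseIgnoreIA5Match:=%s)" % value


def matches(entry, name, canonical_only=False):
    """Local model of how a server evaluates the two filters on one entry."""
    if canonical_only:
        # Assumption: case-exact comparison on a single-valued attribute.
        return name in entry["krbCanonicalName"]
    # Multivalued attribute: the entry matches if any value matches.
    return any(name.lower() == v.lower() for v in entry["krbPrincipalName"])


if __name__ == "__main__":
    for typed in ("HOST/www.example.org@example.org", "x*)(uid=*"):
        print(principal_filter(typed), matches(ENTRY, typed))
    alias = "host/www.example.org@EXAMPLE.ORG"
    print(principal_filter(alias, True), matches(ENTRY, alias, True))
```

The alias is found by the krbPrincipalName search but not by the krbCanonicalName search, which is the distinction drawn in the quoted reply.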