Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Chris Hecker checker at d6.com
Thu Feb 12 07:08:02 EST 2015


Yes, this piqued my interest as well...

Chris
On Feb 12, 2015 12:30 AM, "Gergely Czuczy" <gergely.czuczy at harmless.hu> wrote:

>
> On 2015-02-11 15:25, Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the Kerberos schema
> >> I'd like to know which kind of searches you usually do when looking into your
> >> backend via LDAP.
> >>
> >> Which attributes are you usually using in the search?
> >> Which filters do you hack on command-line?
> >>
> >> Well, 'krbPrincipalName' will of course be the most used search attribute. The
> >> default equality matching rule is caseExactIA5Match, so for convenience I'd
> >> add something to use caseIgnoreIA5Match without the user having to select that
> >> himself.
> > You should also search on KrbCanonicalName if you need exact matching,
> > krbPrincipalName is multivalued and may contain aliases.
> A bit off the topic, but please allow me a question here. I've noticed
> that addprinc -x dn= only allows a single principal per entry, and -x
> linkdn= does not put the krbPrincipalName into the specified entry. When
> utilizing the LDAP backend, what would be the way to make use of the
> krbPrincipalName's multivalued nature, and have it populated in the LDAP
> entry's values?
> >
> > Simo.
> >
>
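
An added example (not part of the thread, web2ldap or MIT Kerberos): how a search form could build the two filters discussed in the quoted messages, an extensible-match filter applying caseIgnoreIA5Match to krbPrincipalName and an exact filter on krbCanonicalName, with the user's input escaped per RFC 4515 so it cannot alter the filter. The function names and sample entries are assumptions made for illustration.

```python
# Added example: filter construction for a Kerberos principal search form.
# Function names and SAMPLE_ENTRIES are hypothetical, constructed for illustration.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters in an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def principal_filters(user_input: str) -> dict:
    """Return both search filters for one user-supplied principal name."""
    value = user_input.strip()
    # Assumption: the form rejects non-ASCII input, since the IA5 matching
    # rules named in the thread operate on ASCII strings.
    if not value or not value.isascii():
        raise ValueError("principal name must be non-empty ASCII")
    v = escape_filter_value(value)
    return {
        # Matches any value of the multivalued attribute, aliases included.
        "any_name_ignore_case": f"(krbPrincipalName:caseIgnoreIA5Match:={v})",
        # Matches only the entry whose canonical name is exactly this value.
        "canonical_exact": f"(krbCanonicalName={v})",
    }


# Constructed sample entries: the first one carries an alias.
SAMPLE_ENTRIES = [
    {"krbCanonicalName": "host/www.example.com@EXAMPLE.COM",
     "krbPrincipalName": ["host/www.example.com@EXAMPLE.COM",
                          "host/web@EXAMPLE.COM"]},
    {"krbCanonicalName": "host/db.example.com@EXAMPLE.COM",
     "krbPrincipalName": ["host/db.example.com@EXAMPLE.COM"]},
]


def local_match(entries, value):
    """Approximate both filters in memory; returns (any_name, canonical) hits."""
    any_name = [e["krbCanonicalName"] for e in entries
                if any(n.lower() == value.lower() for n in e["krbPrincipalName"])]
    canonical = [e["krbCanonicalName"] for e in entries
                 if e["krbCanonicalName"] == value]
    return any_name, canonical


if __name__ == "__main__":
    print(principal_filters("host/web@EXAMPLE.COM"))
    print(local_match(SAMPLE_ENTRIES, "HOST/WEB@example.com"))
```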