LDAP searches for Kerberos entries

Simo Sorce simo at redhat.com
Thu Feb 12 08:56:18 EST 2015


On Wed, 2015-02-11 at 16:24 +0100, Michael Ströder wrote:
> Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> Hi!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the Kerberos schema
> >> I'd like to know which kind of searches you usually do when looking into your
> >> backend via LDAP.
> >>
> >> Which attributes are you usually using in the search?
> >> Which filters do you hack on command-line?
> >>
> >> Well, 'krbPrincipalName' will of course be the most used search attribute. The
> >> default equality matching rule is caseExactIA5Match, so for convenience I'd
> >> add something to use caseIgnoreIA5Match without the user having to select that
> >> himself.
> > 
> > You should also search on krbCanonicalName if you need exact matching,
> > krbPrincipalName is multivalued and may contain aliases.
> 
> Thanks, added it.
> 
> What about 'krbPrincipalAliases'? Is that actually used?

Not as common, but if you are interested in aliases you should probably
look it up as well. I forgot if MIT's LDAP driver actually uses it.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
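
The searches discussed in this thread, as an added example that is not part of the original messages or of web2ldap: a filter builder that applies caseIgnoreIA5Match through an extensible match, covers krbCanonicalName (and optionally krbPrincipalAliases), and escapes form input per RFC 4515 so it cannot alter the filter structure. The function names and sample principals are constructed, and it is an assumption that the server accepts the matching rule for each attribute.

```python
# Added example: RFC 4515 search filters for Kerberos principal entries.
# Attribute and matching-rule names come from the thread; function names
# and sample principals are constructed for illustration.

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _checked(principal: str) -> str:
    # IA5 matching rules only cover ASCII, so reject anything else up front
    # instead of sending a filter that can never match.
    if not principal or not principal.isascii():
        raise ValueError("principal must be a non-empty ASCII string")
    return escape_filter_value(principal)


def principal_filter(principal: str, ignore_case: bool = True,
                     include_aliases: bool = False) -> str:
    """Match entries carrying the principal as a name, canonical name or alias."""
    value = _checked(principal)
    # Extensible match "(attr:rule:=value)" overrides the attribute's default
    # caseExactIA5Match without the user having to select the rule.
    # Assumption: the server accepts this rule for each attribute below.
    op = ":caseIgnoreIA5Match:=" if ignore_case else "="
    attrs = ["krbPrincipalName", "krbCanonicalName"]
    if include_aliases:
        attrs.append("krbPrincipalAliases")
    return "(|" + "".join(f"({a}{op}{value})" for a in attrs) + ")"


def canonical_filter(principal: str) -> str:
    """Exact match on the canonical name only, so aliases do not match."""
    return f"(krbCanonicalName={_checked(principal)})"


if __name__ == "__main__":
    # Constructed sample inputs, including one with filter metacharacters.
    for p in ("host/web1.example.com@EXAMPLE.COM", "alice*)(uid=*@EXAMPLE.COM"):
        print(principal_filter(p, include_aliases=True))
        print(canonical_filter(p))
```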


