Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Simo Sorce simo at redhat.com
Thu Feb 12 08:58:02 EST 2015


On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
> On 2015-02-11 15:25, Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> Hi!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the Kerberos schema
> >> I'd like to know which kind of searches you usually do when looking into your
> >> backend via LDAP.
> >>
> >> Which attributes are you usually using in the search?
> >> Which filters do you hack on command-line?
> >>
> >> Well, 'krbPrincipalName' will of course be the most used search attribute. The
> >> default equality matching rule is caseExactIA5Match, so for convenience I'd
> >> add something to use caseIgnoreIA5Match without the user having to select that
> >> himself.
> > You should also search on krbCanonicalName if you need exact matching;
> > krbPrincipalName is multivalued and may contain aliases.
> A bit off the topic, but please allow me a question here. I've noticed 
> that addprinc -x dn= only allows a single principal per entry, and -x 
> linkdn= does not put the krbPrincipalName into the specified entry. When 
> utilizing the LDAP backend, what would be the way to make use of the 
> krbPrincipalName's multivalued nature and have it populated in the LDAP 
> entry's values?

Well, LDAP support in kadmin is not really "complete". I use this stuff
mostly in FreeIPA where we have a different DAL driver and custom tools
to manipulate the DIT.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
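The filters discussed above (exact lookup via krbCanonicalName, case-insensitive lookup across the multivalued krbPrincipalName with caseIgnoreIA5Match selected through RFC 4515 extensible-match syntax), as an added example that is not part of the thread, of MIT krb5 or of web2ldap. It also escapes the assertion value per RFC 4515, which matters when the principal name comes from a web search form. The sample entries, their DN layout and the alias values are constructed for illustration; the match_entries() function is a local model of the two matching rules, not a real LDAP query.

```python
# Added example, not from the mailing-list thread, MIT krb5 or web2ldap.
# Builds LDAP search filters for Kerberos principals stored in an LDAP
# backend and models how caseExactIA5Match and caseIgnoreIA5Match behave
# on the multivalued krbPrincipalName attribute.

from typing import Dict, List, Union


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that characters typed by a
    user ('*', '(', ')', '\\', NUL) cannot change the filter's structure."""
    escaped = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


def canonical_filter(principal: str) -> str:
    """Exact lookup. krbCanonicalName is single-valued, so this cannot hit
    an alias that happens to be listed in another entry's krbPrincipalName."""
    return "(krbCanonicalName=%s)" % escape_filter_value(principal)


def alias_filter(principal: str, case_sensitive: bool = False) -> str:
    """Lookup across every name of an entry (canonical name plus aliases).
    krbPrincipalName's default equality rule is caseExactIA5Match; the
    extensible-match form ':caseIgnoreIA5Match:=' selects the
    case-insensitive rule instead, as RFC 4515 allows."""
    value = escape_filter_value(principal)
    if case_sensitive:
        return "(krbPrincipalName=%s)" % value
    return "(krbPrincipalName:caseIgnoreIA5Match:=%s)" % value


def realm_filter(realm: str) -> str:
    """All principals of one realm. The '*' is a deliberate wildcard added
    here; only the realm text, which may be user input, is escaped."""
    return "(krbPrincipalName=*@%s)" % escape_filter_value(realm)


# Constructed sample entries standing in for a krb5 LDAP DIT (assumed
# container layout, not real data).
Entry = Dict[str, Union[str, List[str]]]
SAMPLE_ENTRIES: List[Entry] = [
    {
        "dn": "krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,"
              "cn=krbcontainer,dc=example,dc=com",
        "krbCanonicalName": "alice@EXAMPLE.COM",
        "krbPrincipalName": ["alice@EXAMPLE.COM", "Alice.Smith@EXAMPLE.COM"],
    },
    {
        "dn": "krbPrincipalName=bob@EXAMPLE.COM,cn=EXAMPLE.COM,"
              "cn=krbcontainer,dc=example,dc=com",
        "krbCanonicalName": "bob@EXAMPLE.COM",
        "krbPrincipalName": ["bob@EXAMPLE.COM"],
    },
]


def match_entries(entries: List[Entry], name: str,
                  case_sensitive: bool = False) -> List[str]:
    """Local model of what the server does for alias_filter(): compare the
    name against every krbPrincipalName value using caseExactIA5Match
    (case_sensitive=True) or caseIgnoreIA5Match semantics, and return the
    canonical names of the entries that match."""
    key = name if case_sensitive else name.lower()
    hits = []
    for entry in entries:
        for value in entry["krbPrincipalName"]:
            candidate = value if case_sensitive else value.lower()
            if candidate == key:
                hits.append(entry["krbCanonicalName"])
                break
    return hits


if __name__ == "__main__":
    print(canonical_filter("alice@EXAMPLE.COM"))
    print(alias_filter("alice.smith@example.com"))
    print(alias_filter("x)(objectClass=*"))
    print(match_entries(SAMPLE_ENTRIES, "alice.smith@example.com"))
    print(match_entries(SAMPLE_ENTRIES, "alice.smith@example.com", True))
```

Use canonical_filter() when the result must identify exactly one principal (for example before changing its keys), and alias_filter() only when the caller wants to resolve an alias; the matching entry's krbCanonicalName then tells you which principal the alias belongs to.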