Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Michael Ströder michael at stroeder.com
Thu Feb 12 11:57:17 EST 2015


Simo Sorce wrote:
> On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
>> On 2015-02-11 15:25, Simo Sorce wrote:
>>> You should also search on KrbCanonicalName if you need exact matching,
>>> krbPrincipalName is multivalued and may contain aliases.
>>
>> A bit off the topic, but please allow me a question here. I've noticed 
>> that addprinc -x dn= only allows a single principal per entry, and -x 
>> linkdn= does not put the krbPrincipalName into the specified entry. With 
>> utilizing the LDAP backend, what would be the way to make use of the 
>> krbPrincipalName's multivalued nature, and have it populated at the ldap 
>> entry's values?
> 
> Well, LDAP support in kadmin is not really "complete". I use this stuff
> mostly in FreeIPA where we have a different DAL driver and custom tools
> to manipulate the DIT.

In FreeIPA's schema I see krbPrincipalAliases and ipaKrbPrincipalAlias. What's
the difference?

Ciao, Michael.
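To make Simo's point above concrete (krbPrincipalName is multivalued and may carry aliases, so only krbCanonicalName gives exact matching), here is an added example that is not part of the thread. It builds a constructed LDIF with a host principal carrying two aliases, parses it with a minimal LDIF reader, and shows that an equality filter on krbPrincipalName resolves an alias to the entry while the same value on krbCanonicalName matches nothing. The DNs, realm and host names are made up; the add_alias_ldif helper is mine and only emits the ldapmodify record that would put an alias into the entry, since addprinc -x linkdn= does not. Whether a given KDB LDAP backend honours such an alias is an assumption to verify against your krb5 version.

```python
"""Exact vs. alias matching for Kerberos principals stored in LDAP.

Added example, not code from the mailing-list thread or from MIT krb5.
krbPrincipalName is multivalued (aliases), krbCanonicalName is single-valued,
so an LDAP equality filter on krbPrincipalName can hit an entry through any
of its aliases. All sample data below is constructed.
"""
from collections import defaultdict

# Constructed sample directory content (made-up realm, hosts and DNs).
SAMPLE_LDIF = """\
dn: krbPrincipalName=host/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: host/www.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/www.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/web.example.com@EXAMPLE.COM
krbCanonicalName: host/www.example.com@EXAMPLE.COM

dn: krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: alice@EXAMPLE.COM
krbCanonicalName: alice@EXAMPLE.COM
"""

HOST_DN = ("krbPrincipalName=host/www.example.com@EXAMPLE.COM,"
           "cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com")


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr: [values]}), keeping every
    value of a multivalued attribute. Handles leading-space continuation
    lines; base64 ('::') values are not needed for the sample."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]
            else:
                lines.append(line)
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(": ")
            if name == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        entries.append((dn, dict(attrs)))
    return entries


def equality_filter(attr, value):
    """RFC 4515 equality filter with the assertion value escaped, so a
    principal name taken from user input cannot alter the filter."""
    esc = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "(%s=%s)" % (attr, "".join(esc.get(c, c) for c in value))


def search(entries, attr, value):
    """Evaluate an equality filter like a server would: the entry matches
    if ANY value of the attribute equals the assertion (caseExactIA5Match
    is what kerberos.schema declares for both attributes)."""
    attr = attr.lower()
    return [dn for dn, attrs in entries if value in attrs.get(attr, [])]


def lookup_principal(entries, principal, exact=True):
    """exact=True filters on krbCanonicalName (only the canonical name hits);
    exact=False filters on krbPrincipalName (aliases hit too)."""
    attr = "krbCanonicalName" if exact else "krbPrincipalName"
    return search(entries, attr, principal)


def add_alias_ldif(dn, alias):
    """ldapmodify change record adding an alias value directly to the entry.
    Assumption: the KDC's LDAP backend treats extra krbPrincipalName values
    as aliases; check that for your krb5 version before relying on it."""
    return "dn: %s\nchangetype: modify\nadd: krbPrincipalName\nkrbPrincipalName: %s\n" % (dn, alias)


ENTRIES = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    alias = "HTTP/web.example.com@EXAMPLE.COM"
    print(equality_filter("krbPrincipalName", alias), "->",
          lookup_principal(ENTRIES, alias, exact=False))
    print(equality_filter("krbCanonicalName", alias), "->",
          lookup_principal(ENTRIES, alias, exact=True))
```

The two printed lookups differ: the alias finds the host entry through krbPrincipalName and finds nothing through krbCanonicalName, which is exactly why code that needs to know "is this the principal, not one of its aliases" has to filter on krbCanonicalName.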

