Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Greg Hudson ghudson at mit.edu
Fri Feb 13 10:35:13 EST 2015


On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
> 2) If I addprinc an alias principal pure, or addprinc -x linkdn=, then
> the principal is created under the realm's tree in ldap, and afterwards
> adding the principal to the ldap entry in question which it belongs to
> will make the KDC see it multiple times, but the one at the object's
> entry will not work obviously, because it's just the krbPrincipalName,
> without the actual additional stuff being there.

I'm having trouble following this part.  You should be able to create
principal entries with aliases as follows:

1. Create the principal under its canonical name with addprinc.
2. Add a krbCanonicalName attribute with the same value as the
krbPrincipalName value.
3. Add additional krbPrincipalName values.

> So, I understand it has to be managed manually, I just don't see how such principal aliases should be created consistently and correctly. Could you please provide some words on this? Alas, I was not able to find this in the docs.

We need to improve our LDAP module documentation.  Unfortunately there
is some non-trivial groundwork to be done with the schema first.
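As an added illustration (not part of the thread, and not MIT's own tooling), the script below emits the LDIF that performs steps 2 and 3 of the procedure above for a principal already created with addprinc. It assumes the default MIT layout, where the entry lives at krbPrincipalName=<name>,cn=<REALM>,<container>, with the container DN cn=krbContainer,dc=example,dc=com; adjust KRB_CONTAINER for your directory.

```shell
#!/bin/sh
# Added example, not from the mailing list thread.
# Assumed layout: principal entries sit directly under cn=<REALM>,$KRB_CONTAINER.
KRB_CONTAINER="${KRB_CONTAINER:-cn=krbContainer,dc=example,dc=com}"

# principal_dn CANONICAL -> DN of the entry that addprinc created for CANONICAL.
principal_dn() {
    realm="${1#*@}"
    printf 'krbPrincipalName=%s,cn=%s,%s\n' "$1" "$realm" "$KRB_CONTAINER"
}

# alias_ldif CANONICAL ALIAS... -> LDIF for ldapmodify that sets krbCanonicalName
# to the existing krbPrincipalName value (step 2) and adds each ALIAS as a further
# krbPrincipalName value (step 3). Returns 1 on input that ldapmodify would reject:
# a name without @REALM, an alias equal to the canonical name, or a repeated alias.
alias_ldif() {
    canonical="$1"; shift
    case "$canonical" in *@*) ;; *) echo "need NAME@REALM: $canonical" >&2; return 1;; esac
    [ "$#" -gt 0 ] || { echo "at least one alias required" >&2; return 1; }
    seen=" "
    for a in "$@"; do
        case "$a" in *@*) ;; *) echo "need NAME@REALM: $a" >&2; return 1;; esac
        [ "$a" != "$canonical" ] || { echo "alias equals canonical name" >&2; return 1; }
        case "$seen" in *" $a "*) echo "duplicate alias $a" >&2; return 1;; esac
        seen="$seen$a "
    done
    printf 'dn: %s\n' "$(principal_dn "$canonical")"
    printf 'changetype: modify\n'
    printf 'add: krbCanonicalName\nkrbCanonicalName: %s\n-\n' "$canonical"
    printf 'add: krbPrincipalName\n'
    for a in "$@"; do printf 'krbPrincipalName: %s\n' "$a"; done
    printf -- '-\n'
}

# Usage (after "kadmin.local -q 'addprinc -randkey host/web.example.com@EXAMPLE.COM'"):
#   alias_ldif host/web.example.com@EXAMPLE.COM HTTP/www.example.com@EXAMPLE.COM \
#     | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W
```

Because krbCanonicalName is single-valued, run the modification once per entry; to add further aliases later, send only the krbPrincipalName add.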


More information about the Kerberos mailing list