Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)
Greg Hudson
ghudson at mit.edu
Fri Feb 13 10:35:13 EST 2015
On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
> the principal is created under the realm's tree in LDAP, and afterwards
> adding the principal to the LDAP entry in question that it belongs to
> will make the KDC see it multiple times, but the one at the object's
> entry will not work, obviously, because it's just the krbPrincipalName,
> without the actual additional stuff being there.
I'm having trouble following this part. You should be able to create
principal entries with aliases as follows:
1. Create the principal under its canonical name with addprinc.
2. Add a krbCanonicalName attribute with the same value as the
krbPrincipalName value.
3. Add additional krbPrincipalName values.
> So, I understand it has to be managed manually, I just don't see how such principal aliases should be created consistently and correctly. Could you please provide some words on this? Alas, I was not able to find this in the docs.
We need to improve our LDAP module documentation. Unfortunately there
is some non-trivial groundwork to be done with the schema first.
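The three steps above as a worked script. This is an added example for this thread, not code from the message or from the MIT krb5 project. It assumes the realm EXAMPLE.COM, a realm container of cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com, an LDAP admin bind DN of cn=admin,dc=example,dc=com, the default layout in which addprinc creates the entry as krbPrincipalName=<canonical name>,<realm container>, and a krb5 LDAP module that honours krbCanonicalName. The principal names are constructed samples.

```shell
#!/bin/sh
# Added example for this thread, not code from the MIT krb5 project or from
# the message above. Step 1: addprinc the canonical name with kadmin.local.
# Steps 2 and 3: on that same entry, set krbCanonicalName and add the alias
# krbPrincipalName values with ldapmodify. Realm, container DN, bind DN and
# the entry layout below are assumptions.

REALM="EXAMPLE.COM"                                        # assumed realm
REALM_DN="cn=${REALM},cn=krbContainer,dc=example,dc=com"   # assumed realm container
BIND_DN="cn=admin,dc=example,dc=com"                       # assumed LDAP admin DN

# DN of the entry addprinc created under the realm's tree (assumed layout).
principal_dn() {
    printf 'krbPrincipalName=%s,%s\n' "$1" "$REALM_DN"
}

# Emit one LDIF "changetype: modify" record for the principal's own entry:
#   $1 = entry DN, $2 = canonical principal name, $3.. = alias names.
# Putting the aliases on the entry addprinc made, instead of addprinc'ing each
# alias, is what keeps the KDC from seeing several half-populated entries.
alias_ldif() {
    dn=$1; canon=$2; shift 2
    # Drop the canonical name from the alias list: addprinc already stored it
    # as krbPrincipalName, and adding a duplicate value is an LDAP error.
    for a in "$@"; do
        shift
        [ "$a" = "$canon" ] || set -- "$@" "$a"
    done
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'add: krbCanonicalName\n'
    printf 'krbCanonicalName: %s\n' "$canon"
    if [ $# -gt 0 ]; then
        printf '%s\n' '-'
        printf 'add: krbPrincipalName\n'
        for a in "$@"; do
            printf 'krbPrincipalName: %s\n' "$a"
        done
    fi
}

# Step 1 via kadmin.local, steps 2-3 via ldapmodify against the same entry.
# Only runs when the script is invoked with "apply"; otherwise the LDIF that
# would be sent is printed so it can be reviewed first.
apply_alias() {
    canon=$1; shift
    kadmin.local -q "addprinc -randkey ${canon}"
    alias_ldif "$(principal_dn "$canon")" "$canon" "$@" \
        | ldapmodify -x -D "$BIND_DN" -W
}

CANON="host/a.example.com@${REALM}"     # constructed sample canonical name
ALIAS1="host/b.example.com@${REALM}"    # constructed sample aliases
ALIAS2="host/a@${REALM}"
if [ "${1:-}" = "apply" ]; then
    apply_alias "$CANON" "$ALIAS1" "$ALIAS2"
else
    alias_ldif "$(principal_dn "$CANON")" "$CANON" "$ALIAS1" "$ALIAS2"
fi
```

Run it without arguments to see the LDIF, and with `apply` to create the principal and modify the entry. If an alias name was previously created with addprinc as an entry of its own, delprinc that entry before adding the name as a krbPrincipalName value here; two entries carrying the same krbPrincipalName is exactly the situation described in the quoted question.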