Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Gergely Czuczy gergely.czuczy at harmless.hu
Fri Feb 13 11:52:51 EST 2015


On 2015-02-13 16:35, Greg Hudson wrote:
> On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
>> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
>> the principal is created under the realm's tree in ldap, and afterwards
>> adding the principal to the ldap entry in question who it belongs to
>> will make the KDC see it multiple times, but the one at the object's
>> entry will not work obviously, because it's just the krbPrincipalName,
>> without the actual additional stuff being there.
> I'm having trouble following this part.  You should be able to create
> principal entries with aliases as follows:
>
> 1. Create the principal under its canonical name with addprinc.
> 2. Add a krbCanonicalName attribute with the same value as the
> krbPrincipalName value.
> 3. Add additional krbPrincipalName values.
>
>> So, I understand it has to be managed manually, I just don't see how such principal aliases should be created consistently and correctly. Could you please provide some words on this? Alas, I was not able to find this in the docs.
> We need to improve our LDAP module documentation.  Unfortunately there
> is some non-trivial groundwork to be done with the schema first.
So, this means, when adding an alias, additional work is not needed, just 
another value for krbPrincipalName?
I had the impression that some additional stuff needs to be stored along 
with the alias, like, I don't know, keys, or whatever stuff. This part 
wasn't clear from the docs.

And I agree, it would be awesome if the docs covered it. Like, an 
example would be useful that showed how to add an alias, then kinit with it.

Thanks for the help so far.
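The three steps Greg lists above (addprinc, then krbCanonicalName, then extra krbPrincipalName values), written out as an added example that is not part of the thread: a small POSIX shell helper that emits the LDIF modify for steps 2 and 3, followed by the kadmin/ldapmodify/kinit sequence it slots into. The DN, realm, principal names and bind DN are placeholders, not values from the thread.

```shell
# Added example, not from the thread. Builds the LDIF that turns an existing
# principal entry into an aliased one: set krbCanonicalName to the name the
# entry was created with, then add each alias as another krbPrincipalName.
# alias_ldif DN CANONICAL_PRINC ALIAS [ALIAS...]
alias_ldif() {
    dn=$1
    canon=$2
    shift 2
    [ $# -ge 1 ] || { echo "alias_ldif: need at least one alias" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    # Step 2: krbCanonicalName must equal the existing krbPrincipalName value.
    printf 'add: krbCanonicalName\nkrbCanonicalName: %s\n-\n' "$canon"
    # Step 3: every alias becomes an additional krbPrincipalName value.
    printf 'add: krbPrincipalName\n'
    for a in "$@"; do
        case $a in
            *@*) printf 'krbPrincipalName: %s\n' "$a" ;;
            # Bare aliases get the realm of the canonical name appended.
            *)   printf 'krbPrincipalName: %s@%s\n' "$a" "${canon##*@}" ;;
        esac
    done
    printf -- '-\n'
}

# Usage against a KDC you administer (all names below are placeholders):
#   kadmin.local -q 'addprinc alice@EXAMPLE.COM'            # step 1
#   alias_ldif 'krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com' \
#       alice@EXAMPLE.COM alice.smith \
#     | ldapmodify -x -D cn=admin,dc=example,dc=com -W      # steps 2 and 3
#   kinit -C alice.smith   # -C asks the KDC to canonicalize the alias
```

Keys live only on the canonical entry, which is why nothing beyond the extra krbPrincipalName value is needed for an alias.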