Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Michael Ströder michael at stroeder.com
Fri Feb 13 12:55:11 EST 2015


Greg Hudson wrote:
> On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
>> So, this means, when adding an alias, additional work is not needed, just
>> another value for krbPrincipalName?
>> I had the impression that some additional stuff needs to be stored along
>> with the alias, like, I don't know, keys, or whatever stuff. This part
>> wasn't clear from the docs.
> 
> The point of an alias is that it refers to the same principal entry,
> including keys.
> 
> You do need to add a krbCanonicalName attribute so that the KDC knows
> which principal name is the canonical name.

So the alias name is not cryptographically bound to the principal's key?

Ciao, Michael.
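
An added example, not part of the original thread and not MIT krb5 code: a Python check over an LDIF export that flags entries holding more than one krbPrincipalName value (aliases) but no krbCanonicalName, the attribute Greg Hudson's reply says the KDC needs. The DNs and principal names are constructed, and the second check (krbCanonicalName should be one of the entry's krbPrincipalName values) is an assumption of this example.

```python
import base64

# Constructed sample export; DNs and principal names are illustrative only.
SAMPLE_LDIF = """\
dn: krbPrincipalName=host/web1.example.test@EXAMPLE.TEST,cn=EXAMPLE.TEST,cn=krb5,dc=example,dc=test
krbPrincipalName: host/web1.example.test@EXAMPLE.TEST
krbPrincipalName: host/www.example.test@EXAMPLE.TEST
krbCanonicalName: host/web1.example.test@EXAMPLE.TEST

dn: krbPrincipalName=host/web2.example.test@EXAMPLE.TEST,cn=EXAMPLE.TEST,cn=krb5,dc=example,dc=test
krbPrincipalName: host/web2.example.test@EXAMPLE.TEST
krbPrincipalName: host/intranet.example.test@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # folded line: continues the previous one
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):        # skip LDIF comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_aliases(entries):
    """Return (dn, problem) pairs for alias entries with inconsistent naming."""
    findings = []
    for e in entries:
        dn = e.get("dn", ["<no dn>"])[0]
        names = e.get("krbprincipalname", [])  # principal names compare case-sensitively
        canon = e.get("krbcanonicalname", [])
        if len(names) > 1 and not canon:
            findings.append((dn, "aliases present but krbCanonicalName missing"))
        elif canon and canon[0] not in names:  # assumption of this example
            findings.append((dn, "krbCanonicalName is not among krbPrincipalName values"))
    return findings

if __name__ == "__main__":
    for dn, problem in audit_aliases(parse_ldif(SAMPLE_LDIF)):
        print(f"{problem}: {dn}")
```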
