Populating krbPrincipalName multivalued (Was: Re: LDAP searches for Kerberos entries)

Gergely Czuczy gergely.czuczy at harmless.hu
Sat Feb 14 02:20:01 EST 2015


On 13/02/2015 18:46, Greg Hudson wrote:
> On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
>> So, this means, when adding an alias, additional work is not needed, just
>> another value for krbPrincipalName?
>> I had the impression that some additional stuff needs to be stored along
>> with the alias, like, I don't know, keys, or whatever stuff. This part
>> wasn't clear from the docs.
> The point of an alias is that it refers to the same principal entry,
> including keys.
>
> You do need to add a krbCanonicalName attribute so that the KDC knows
> which principal name is the canonical name.
So, actually there's a difference between an alias and the -x linkdn= 
option?
The alias is technically the very same principal, and addprinc -x 
linkdn= is a new principal, linked to an already existing entry in LDAP?

Is there a chance to add a couple of words on this here:
http://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_ldap.html
Also, adding the ticket renewable lifetime setting to the setup steps 
would be helpful here; it's missing from that section.

Thank you very much for sharing this, it makes sense now.
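The rule stated in the thread (an alias is just an additional krbPrincipalName value on the same entry, and the entry then needs a krbCanonicalName so the KDC knows which name is canonical) can be turned into an audit check over an LDIF export of the krb5 principal subtree. The following is an added example, not code from the thread or from the MIT krb5 project; the LDIF below is constructed, the realm, hostnames and DN layout are hypothetical, and the parser is a minimal reader sufficient for such exports rather than a full LDIF implementation.

```python
"""Audit krb5 LDAP principal entries for alias consistency.

Added example (not from the mailing-list thread or the krb5 project).
Rule applied, as stated in the thread: an entry with more than one
krbPrincipalName value (aliases) must carry exactly one krbCanonicalName,
and that canonical name must be one of the krbPrincipalName values.
"""
from typing import Dict, List, Tuple

# Constructed sample export; realm, hosts and DN layout are hypothetical.
SAMPLE_LDIF = """\
dn: krbPrincipalName=host/web.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: host/web.example.com@EXAMPLE.COM
krbPrincipalName: host/www.example.com@EXAMPLE.COM
krbCanonicalName: host/web.example.com@EXAMPLE.COM

dn: krbPrincipalName=host/db.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: host/db.example.com@EXAMPLE.COM
krbPrincipalName: host/database.example.com@EXAMPLE.COM

dn: krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: alice@EXAMPLE.COM

dn: krbPrincipalName=ftp/files.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: ftp/files.example.com@EXAMPLE.COM
krbPrincipalName: ftp/ftp.example.com@EXAMPLE.COM
krbCanonicalName: ftp/other.example.com@EXAMPLE.COM
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines, continuation lines (leading space) joined onto the previous value.
    Attribute names are lower-cased because LDAP attribute names are
    case-insensitive."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr is not None:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def check_aliases(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, problem) pairs for entries that break the alias rule."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        dn = entry.get("dn", ["<no dn>"])[0]
        names = entry.get("krbprincipalname", [])
        canon = entry.get("krbcanonicalname", [])
        if len(names) > 1 and not canon:
            findings.append((dn, "aliases present but krbCanonicalName missing"))
        elif len(canon) > 1:
            findings.append((dn, "more than one krbCanonicalName value"))
        elif canon and canon[0] not in names:
            findings.append((dn, "krbCanonicalName is not one of the krbPrincipalName values"))
    return findings


def alias_modify_ldif(dn: str, canonical: str, alias: str) -> str:
    """LDIF for ldapmodify that adds one alias value and pins the canonical
    name. 'replace' is used for krbCanonicalName so the same LDIF works
    whether or not the attribute already exists on the entry."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: krbPrincipalName\n"
        f"krbPrincipalName: {alias}\n"
        "-\n"
        "replace: krbCanonicalName\n"
        f"krbCanonicalName: {canonical}\n"
    )


if __name__ == "__main__":
    for dn, problem in check_aliases(parse_ldif(SAMPLE_LDIF)):
        print(f"{problem}: {dn}")
```

Run against a real export (for example the output of an ldapsearch over the realm subtree saved to a file) by replacing SAMPLE_LDIF with the file contents; the entry for host/db.example.com above shows the case the thread warns about, an alias added without a krbCanonicalName, and the ftp entry shows a canonical name that is not actually one of the entry's principal names.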
