[krbdev.mit.edu #8065] Renaming principals with LDAP KDB deletes the principal
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Tue Feb 3 14:31:51 EST 2015
>>>>> "Greg" == Greg Hudson via RT <rt-comment at krbdev.mit.edu> writes:

Greg> 2. When the LDAP back end loads the source principal entry, it
Greg> inserts a tl-data value of type KDB_TL_USERDN containing the
Greg> DN. When we put the principal entry, this tl-data value is
Greg> extracted and used as the DN to use. We don't want that to
Greg> happen; we want the KDB module to construct a new DN based on
Greg> the new principal name.

I'm not sure that's true.

In my directory I have principals stored inside account objects. For
example I have uid=hartmans,ou=users,dc=painless-security,dc=com.
I really want the principal to stay there even if I rename it.

If I'm also renaming the account I'll do that with an LDAP operation and
that will rename the object. Yes, the principal also needs to get
renamed, but I'd be really annoyed if renaming a principal moved a
principal contained in an account object out of that object.

--Sam