[krbdev.mit.edu #8065] Renaming principals with LDAP KDB deletes the principal

Greg Hudson via RT rt-comment at krbdev.mit.edu
Wed Feb 4 14:37:13 EST 2015


Fair point.  If the source principal entry is a standalone principal 
object, we want to change the DN, but if it's not, we ought to just 
modify it in place.  (Determining whether a principal entry is a 
standalone principal object is easy; there's tl-data and a 
libkdb_ldap function for that.)

Principal aliases also make this problem tricky, whether we are 
creating a new DN or modifying an existing one.

If the source principal name is an alias, we could reasonably error 
out (kadmin doesn't currently manage aliases).  If not, we don't 
really need to add a special salt to the key data, but we do want to 
update the last-modified tl-data as well as the krbPrincipalName 
attribute.

If the source principal name is the canonical name but the principal 
entry has aliases, we want to make sure those aliases are preserved.  
So the krbCanonicalName attribute should be changed as well as the 
matching krbPrincipalName, and all other krbPrincipalNames should be 
retained.

In general this seems hard to fix in a minimal way.  We will almost 
certainly need to add some form of DAL rename method.  I don't think 
we currently have a complete minor version story for the DAL, 
although we could invent one without breaking anything.  Given the 
size of the required fix, it may be best to disable rename_principal 
for the LDAP module in 1.13.x, and support it in 1.14.


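The rename rules discussed in this ticket, worked through as an added example (it is not code from MIT krb5 or from the ticket): an in-memory model of an LDAP KDB principal entry is renamed under the stated rules, so the standalone-object case (DN changes) and the attached-attributes case (modify in place) can be compared, and the alias handling is visible. The attribute names krbPrincipalName and krbCanonicalName are the ones the message names; the DN shapes, the `standalone` flag standing in for the tl-data check, the `last_modified` field standing in for the last-modified tl-data, and the sample entries are assumptions constructed for this example.

```python
"""Added example, not MIT krb5 code: model the principal-rename rules from the
ticket over an in-memory copy of an LDAP KDB principal entry."""

from dataclasses import dataclass, replace


class RenameError(Exception):
    """The rename is refused under the stated rules (e.g. the source is an alias)."""


@dataclass
class PrincipalEntry:
    dn: str                    # assumption: standalone objects have RDN krbPrincipalName=<name>
    krb_principal_name: list   # multi-valued: canonical name plus any aliases
    krb_canonical_name: str
    standalone: bool           # stand-in for the tl-data / libkdb_ldap standalone check
    last_modified: int = 0     # stand-in for the last-modified tl-data


def _replace_rdn_value(dn: str, new_value: str) -> str:
    """Rewrite the value of the first RDN.  Assumes no escaped commas in that RDN."""
    rdn, _, rest = dn.partition(",")
    attr, _, _ = rdn.partition("=")
    return f"{attr}={new_value},{rest}" if rest else f"{attr}={new_value}"


def rename_principal(entry: PrincipalEntry, old_name: str, new_name: str, now: int):
    """Return (new_entry, ldap_ops).

    ldap_ops lists the directory operations the rename would need, as
    ("modrdn", old_dn, new_dn) or ("modify", dn, {attr: value}) tuples.
    """
    if old_name not in entry.krb_principal_name:
        raise RenameError(f"{old_name}: no such principal")
    if old_name != entry.krb_canonical_name:
        # Source name is an alias: error out, as the message proposes.
        raise RenameError(f"{old_name} is an alias; renaming aliases is not supported")
    if new_name in entry.krb_principal_name:
        # Added sanity check: the target name must not already be on this entry.
        raise RenameError(f"{new_name} already exists on this entry")

    # Replace only the matching krbPrincipalName; every other alias is retained.
    names = [new_name if n == old_name else n for n in entry.krb_principal_name]
    new_dn = entry.dn
    ops = []
    if entry.standalone:
        # Standalone principal object: its DN is keyed on the name, so the DN moves.
        new_dn = _replace_rdn_value(entry.dn, new_name)
        ops.append(("modrdn", entry.dn, new_dn))
    # In both cases the canonical name, the name list and the last-modified
    # data are updated in place on the (possibly moved) entry.
    ops.append(("modify", new_dn, {
        "krbPrincipalName": names,
        "krbCanonicalName": new_name,
        "last_modified": now,
    }))
    new_entry = replace(entry, dn=new_dn, krb_principal_name=names,
                        krb_canonical_name=new_name, last_modified=now)
    return new_entry, ops


# Constructed sample entries (not real directory data).
STANDALONE = PrincipalEntry(
    dn="krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com",
    krb_principal_name=["alice@EXAMPLE.COM", "ally@EXAMPLE.COM"],  # one alias
    krb_canonical_name="alice@EXAMPLE.COM",
    standalone=True,
)
ATTACHED = PrincipalEntry(
    dn="uid=bob,ou=people,dc=example,dc=com",  # Kerberos attributes on a user object
    krb_principal_name=["bob@EXAMPLE.COM"],
    krb_canonical_name="bob@EXAMPLE.COM",
    standalone=False,
)

if __name__ == "__main__":
    cases = [
        (STANDALONE, "alice@EXAMPLE.COM", "alicia@EXAMPLE.COM"),
        (ATTACHED, "bob@EXAMPLE.COM", "robert@EXAMPLE.COM"),
        (STANDALONE, "ally@EXAMPLE.COM", "x@EXAMPLE.COM"),  # alias as source: refused
    ]
    for entry, old, new in cases:
        try:
            _, ops = rename_principal(entry, old, new, now=1423078633)
            print(f"{old} -> {new}: {ops}")
        except RenameError as err:
            print(f"refused: {err}")
```

Running the block shows the standalone entry producing a modrdn followed by a modify, the attached entry producing a single modify with an unchanged DN, and the alias case being refused; in all accepted cases the non-matching aliases survive untouched.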