PKINIT and the schema? (Re: Lists of LDAP requirements

Chaskiel M Grundman cg2v at
Thu Jul 20 18:17:05 EDT 2006

--On Thursday, July 20, 2006 03:53:56 PM -0500 Will Fiveash 
<William.Fiveash at> wrote:

> Will PKINIT impact the schema?

The required-to-implement pkinit certificate mapping algorithm does not 
require the kdc to store mapping data: the certificate must have a subject 
alternative name of type id-pkinit-san which contains a kerberos principal 

Of course,  MIT (or novell, sun, etc) may want to implement a mapping 
policy that allows certificates to be used with pkinit that were not issued 
specifically with pkinit in mind.

Such a thing would impact the schema, but you'd really need to have an idea 
of what that mapping policy (or mapping policy framework, if you want to be 
that generic) will be in order to design ldap schema for it.

More information about the krbdev mailing list