Principal to directory object mapping
srahul at novell.com
Wed Jul 26 06:37:52 EDT 2006
In order to associate Kerberos principals with existing directory
objects, the "-x userdn=<DN>" argument was added to
"kadmin add_principal". This resulted in a change to the kadmin user
interface. In order to achieve the same using the old interface, we came
up with the following solution.
1. '-x' option to "kadmin add_principal" will be optional (no change)
2. '-x userdn=<DN>' will be changed to '-x dn=<DN>' to enable
association of a Kerberos principal with any directory object (not
just user objects).
3. Principals will be associated with DNs in one of the following ways
3.1. Rule based mapping: If '-x dn' is not used, rules in krb5.conf
will be used to perform the mapping. The syntax for these rules
will be as follows
ldapmatchrule = <LDAP search filter>
The LDAP search filter may contain one of the following symbols
(in addition to regular LDAP filter characters)
1. '%s' : Expands to the principal name (minus realm name)
2. '%1' '%2' ... '%9' : Expands to the 1st, 2nd etc. component of
the principal name.
When 'db_put_principal' is called, the LDAP backend will search
the directory for an object based on these rules (within the
subtree configured for the realm). The rules are applied in
order and the result of the first successful search is used. A
search is successful if it returns exactly one match.
Example: ldapmatchrule = (mail=%s@foo.org)
When this rule is used to find a matching directory object for the
principal srahul@myrealm, it will match the directory object with
the email ID "srahul@foo.org".
3.2. Explicit association of principal with DN: If "-x dn" argument
is used, principal will be associated with the DN. Rules will be
ignored. Should a "-x dn" be provided with the 'modify_principal'
command also, to allow delayed association / change of association
of a principal name with a directory DN?
4. If the "-x dn" argument is not used and 'ldapmatchrule' does not turn
up any matching DNs, then the principal will be created without being
associated with any existing directory object.
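The rule-based mapping in 3.1 and the fall-through in 4, worked through as an added example (not kadmin's or the LDAP backend's own code). It assumes principal components are the '/'-separated parts of the name before '@', and it escapes substituted values per RFC 4515 so that a principal name cannot alter the structure of the search filter; the search function and directory contents are constructed stand-ins.

```python
import re

def ldap_escape(value: str) -> str:
    """Escape characters that are special in an LDAP search filter (RFC 4515).
    Assumption: the post does not say whether expansions are escaped; doing so
    keeps a principal such as 'a)(cn=*' from rewriting the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)

def expand_rule(rule: str, principal: str) -> str:
    """Expand %s (principal minus realm) and %1..%9 (name components) in a rule."""
    name = principal.rsplit('@', 1)[0]          # strip the realm
    components = name.split('/')                # e.g. host/www.example.com -> 2 parts

    def repl(match):
        token = match.group(1)
        if token == 's':
            return ldap_escape(name)
        idx = int(token) - 1
        return ldap_escape(components[idx]) if idx < len(components) else ''

    return re.sub(r'%([s1-9])', repl, rule)

def map_principal_to_dn(rules, principal, search):
    """Apply rules in order; the first search returning exactly one DN wins.
    None means the principal is created without a directory association (item 4).
    `search(filter) -> list of DNs` is the caller's directory lookup (assumed)."""
    for rule in rules:
        matches = search(expand_rule(rule, principal))
        if len(matches) == 1:
            return matches[0]
    return None

# Constructed sample directory: filter string -> matching DNs.
SAMPLE_DIRECTORY = {
    '(mail=srahul@foo.org)': ['cn=srahul,ou=people,o=foo'],
    '(cn=host)': ['cn=host1,ou=servers,o=foo', 'cn=host2,ou=servers,o=foo'],
}

def sample_search(ldap_filter: str):
    return SAMPLE_DIRECTORY.get(ldap_filter, [])

RULES = ['(mail=%s@foo.org)', '(cn=%1)']   # applied in krb5.conf order
```

With these rules, srahul@MYREALM maps via the first rule, while host/www.example.com@MYREALM matches two objects under the second rule and so stays unassociated.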
If the above solution is implemented, the administrator can use 'kadmin'
as before and also be able to associate principals with directory DNs
through krb5.conf. Any comments?