Principal to directory object mapping

S Rahul srahul at
Wed Jul 26 06:37:52 EDT 2006

In order to associate Kerberos principals with existing directory
objects, the "-x userdn=<DN>" argument was added to
"kadmin add_principal". This resulted in a change to the kadmin user
interface. In order to achieve the same using the old interface, we came
up with the following solution.

1. '-x' option to "kadmin add_principal" will be optional (no change)
2. '-x userdn=<DN>' will be changed to '-x dn=<DN>' to enable
    association of a Kerberos principal with any directory object (not
    just user objects).
3. Principals will be associated with DNs in one of the following ways
    3.1. Rule based mapping: If '-x dn' is not used, rules in krb5.conf
       will be used to perform the mapping. The syntax for these rules
       will be as follows
       ldapmatchrule = <LDAP search filter>
       The LDAP search filter may contain one of the following symbols
       (in addition to regular LDAP filter characters)
       1. '%s' : Expands to the principal name (minus realm name)
       2. '%1' '%2' ... '%9' : Expands to the 1st, 2nd etc. component of
          the principal name.
       When 'db_put_principal' is called, the LDAP backend will search
       the directory for an object based on these rules (within the
       subtree configured for the realm). The rules are applied in
       order and the result of the first successful search is used. A
       search is successful if it returns exactly one match.
       For example:
       ldapmatchrule = (mail=%s at
       When this rule is used to find a matching directory object for
       principal srahul at myrealm, it will match the directory object with
       the email ID "srahul at".
    3.2. Explicit association of principal with DN: If the "-x dn" argument
       is used, the principal will be associated with that DN. Rules will be
       ignored. Should "-x dn" also be accepted by the 'modify_principal'
       command, to allow delayed association / change of association
       of a principal name with a directory DN?
4. If the "-x dn" argument is not used and 'ldapmatchrule' does not turn
    up any matching DNs, then the principal will be created without being
    associated with any existing directory object.
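The rule-based mapping from 3.1 and the fallback from 4, worked through as an added Python sketch (not code from this post or from the MIT krb5 LDAP backend); the in-memory directory, the rule list and the RFC 4515 escaping of expanded values are assumptions of the example:

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for the realm's subtree: DN -> attributes (no real LDAP server).
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=srahul,ou=people,dc=example,dc=com": {"objectClass": "person", "mail": "srahul@example.com"},
    "cn=admin,ou=people,dc=example,dc=com": {"objectClass": "person", "mail": "admin@example.com"},
    "cn=host1,ou=hosts,dc=example,dc=com": {"objectClass": "device", "cn": "host1.example.com"},
}

def ldap_escape(value: str) -> str:
    """Escape filter metacharacters (RFC 4515) so principal data cannot change the filter's shape."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def expand_rule(rule: str, principal: str) -> str:
    """Substitute %s (principal without realm) and %1..%9 (name components) into an ldapmatchrule."""
    name = principal.rsplit("@", 1)[0]      # drop the realm
    comps = name.split("/")                 # e.g. host/host1.example.com -> ["host", "host1.example.com"]
    def sub(m):
        tok = m.group(1)
        if tok == "s":
            return ldap_escape(name)
        idx = int(tok)
        return ldap_escape(comps[idx - 1]) if idx <= len(comps) else ""  # missing component -> empty
    return re.sub(r"%([s1-9])", sub, rule)

def search(filter_str: str) -> List[str]:
    """Toy evaluator for one equality filter '(attr=value)' against DIRECTORY; returns matching DNs."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        return []
    attr, value = m.group(1), m.group(2)
    value = re.sub(r"\\([0-9a-f]{2})", lambda e: chr(int(e.group(1), 16)), value)  # undo escaping
    return [dn for dn, attrs in DIRECTORY.items() if attrs.get(attr) == value]

def map_principal(principal: str, rules: List[str]) -> Optional[str]:
    """Apply rules in order; the first search returning exactly one DN wins, otherwise None."""
    for rule in rules:
        hits = search(expand_rule(rule, principal))
        if len(hits) == 1:          # zero hits or an ambiguous (>1) result skips to the next rule
            return hits[0]
    return None                     # item 4: create the principal with no directory association

# Assumed krb5.conf rule list, in order. The first rule is deliberately ambiguous for people.
RULES = ["(objectClass=person)", "(mail=%s@example.com)", "(cn=%2)"]
```

The ambiguous first rule is skipped because it matches two person entries, so a user principal falls through to the mail rule and a host principal to the cn rule.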

If the above solution is implemented, the administrator can use 'kadmin'
as before and also be able to associate principals with directory DNs
through krb5.conf. Any comments?


-Rahul S.
