concerns with ldap plugin and 1.5

Nicolas Williams Nicolas.Williams at sun.com
Fri Jun 9 20:25:15 EDT 2006


On Fri, Jun 09, 2006 at 04:53:10PM -0700, Henry B. Hotz wrote:
> You ought to be able to infer the dn from the principal name, based
> on the (probably default) realm's configuration information.  In
> other words "add hotz" should do the right thing.

You can't always, not at principal creation time.

The problem is that the kadmin create_principal command, and the
protocol itself, lack a way to convey principal name type information.

Without principal name type information there are situations where the
intended principal name type, and therefore, possibly, LDAP class and DN
of the intended LDAP object, cannot be unambiguously determined.

foo@BAR.COM might be intended to be a user principal, if a user exists
with the name 'foo' in that organization.  Then again, this might be
something else.

Nico
-- 
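The ambiguity Nico describes, as an added example that is not part of the original post and not the krb5 LDAP plugin's own code: a Python sketch of what a create_principal handler has to do to map a principal name to an LDAP DN. The directory layout (users as uid=<name>,ou=People; everything else as krbPrincipalName=<name>@<REALM> under cn=<REALM>,cn=krbcontainer), the dc= base derived from the realm, and the known_users set standing in for the directory are all assumptions made for illustration; the name-type numbers are the ones RFC 4120 defines. With a name type supplied the DN is fixed; without one, a bare "foo" that happens to match an existing user produces two candidate DNs and the handler refuses rather than guesses.

```python
"""Added example: deriving an LDAP DN for a Kerberos principal, and why it
fails when the request carries no principal name type.  Not the MIT krb5
LDAP plugin's code; the directory layout below is an assumed convention."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Principal name types from RFC 4120 section 6.2.
NT_UNKNOWN, NT_PRINCIPAL, NT_SRV_INST, NT_SRV_HST = 0, 1, 2, 3


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]
    realm: str

    def unparse(self) -> str:
        """Rebuild 'c1/c2@REALM', re-escaping separators that occur inside a
        component so the string parses back to the same components."""
        def esc(s: str) -> str:
            return s.replace('\\', '\\\\').replace('/', '\\/').replace('@', '\\@')
        return '/'.join(esc(c) for c in self.components) + '@' + self.realm


def parse_principal(text: str, default_realm: str) -> Principal:
    """Split 'c1/c2@REALM' into components and realm.  A backslash escapes
    the next character, so 'a\\/b@R' keeps the slash inside one component.
    A missing realm falls back to default_realm, as kadmin does."""
    comps: List[str] = []
    cur: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == '\\' and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == '/':
            comps.append(''.join(cur))
            cur = []
        elif not in_realm and ch == '@':
            comps.append(''.join(cur))
            cur = []
            in_realm = True
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        realm = ''.join(cur)
    else:
        comps.append(''.join(cur))
        realm = default_realm
    if not realm or any(c == '' for c in comps):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(tuple(comps), realm)


def dn_escape(value: str) -> str:
    """Escape an attribute value for use in a DN (RFC 4514 special chars),
    so a principal name containing ',' cannot inject extra RDNs."""
    out = ''.join('\\' + ch if ch in ',+"\\<>;' else ch for ch in value)
    if out[:1] in ('#', ' '):
        out = '\\' + out
    if out.endswith(' ') and not out.endswith('\\ '):
        out = out[:-1] + '\\ '
    return out


def realm_base(realm: str) -> str:
    """Assumed convention: BAR.COM -> dc=bar,dc=com."""
    return ','.join('dc=' + dn_escape(part.lower()) for part in realm.split('.'))


def candidate_dns(p: Principal, name_type: Optional[int],
                  known_users: FrozenSet[str]) -> List[str]:
    """DNs the principal could live under.  A name type settles it; with
    none, a single-component name that matches an existing user could be
    that user or some other object, so both candidates come back."""
    base = realm_base(p.realm)
    user_dn = f"uid={dn_escape(p.components[0])},ou=People,{base}"
    generic_dn = (f"krbPrincipalName={dn_escape(p.unparse())},"
                  f"cn={dn_escape(p.realm)},cn=krbcontainer,{base}")
    if name_type == NT_PRINCIPAL and len(p.components) == 1:
        return [user_dn]
    if name_type is not None:
        return [generic_dn]
    if len(p.components) == 1 and p.components[0] in known_users:
        return [user_dn, generic_dn]
    return [generic_dn]


def resolve_dn(text: str, default_realm: str, known_users: FrozenSet[str],
               name_type: Optional[int] = None) -> str:
    """What a create_principal handler should do: map to exactly one DN,
    or refuse when the request did not say which kind of object it wants."""
    cands = candidate_dns(parse_principal(text, default_realm), name_type, known_users)
    if len(cands) != 1:
        raise ValueError(f"{text}: name type required, candidates: {cands}")
    return cands[0]


if __name__ == "__main__":
    users = frozenset({"foo"})          # constructed stand-in for the directory
    print(resolve_dn("foo@BAR.COM", "BAR.COM", users, NT_PRINCIPAL))
    print(resolve_dn("host/www.bar.com", "BAR.COM", users))
    try:
        resolve_dn("foo", "BAR.COM", users)   # no name type on the wire
    except ValueError as err:
        print("refused:", err)
```

The refusal path is the point: once the name type is absent, no amount of realm configuration tells the back end whether "foo" is the user object or a fresh krbPrincipalName entry, so the only safe behaviour is to fail the request and let the caller say what it meant.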