question about princ type assignment in krb5_ldap_get_principal()

Praveen Kumar Sahukar psahukar at novell.com
Wed Jun 14 11:38:23 EDT 2006


On Tue, 2006-06-13 at 19:49 -0500, Will Fiveash wrote:
> In krb5_ldap_get_principal() in
> src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c I see:
> 
>         if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {     
>             for(i=0; values[i] != NULL; ++i)
>             if (strcasecmp(values[i], "krbprincipal") == 0) {
>                 ptype = KDB_SERVICE_PRINCIPAL;
>                 break;
>             }
>             ldap_value_free(values);
>         }
> 
> Why is ptype set to KDB_SERVICE_PRINCIPAL if the objectclass is
> krbprincipal?

Kerberos principals created on krbprincipal object class (by extending
with the krbprincipalaux aux class) are considered as Kerberos service
principals. Thus Kerberos principals like kadmin/admin,
krbtgt/realmname ... are created as krbprincipal object class.

Kerberos principals created by extending other structural object classes
with the krbprincipalaux aux class are considered user
principals.

-Praveen 
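
The rule described in this reply, as an added example that is not part of the original message or the krb5 source: it classifies an entry from its objectClass values without needing an LDAP server. The enum names, the helper `classify_entry` and the sample entries are hypothetical, and treating an entry with neither class as "not a principal" is an assumption of this example.

```c
#include <stdio.h>
#include <strings.h>   /* strcasecmp (POSIX) */

/* Hypothetical names for this example; the krb5 plugin has its own constants. */
enum princ_kind { PRINC_NONE, PRINC_USER, PRINC_SERVICE };

/* Classify an entry from its NULL-terminated list of objectClass values.
 * objectClass values are compared case-insensitively, as in the quoted code. */
enum princ_kind classify_entry(const char *const *values)
{
    int has_aux = 0;
    size_t i;

    if (values == NULL)
        return PRINC_NONE;
    for (i = 0; values[i] != NULL; ++i) {
        /* Structural class krbprincipal: service principal. */
        if (strcasecmp(values[i], "krbprincipal") == 0)
            return PRINC_SERVICE;
        /* Aux class on some other structural class: user principal. */
        if (strcasecmp(values[i], "krbprincipalaux") == 0)
            has_aux = 1;
    }
    /* Assumption: no Kerberos class at all means not a principal entry. */
    return has_aux ? PRINC_USER : PRINC_NONE;
}

int main(void)
{
    /* Constructed sample entries, not taken from a real directory. */
    const char *const svc[]   = { "top", "krbPrincipal", "krbPrincipalAux", NULL };
    const char *const usr[]   = { "top", "inetOrgPerson", "krbPrincipalAux", NULL };
    const char *const other[] = { "top", "organizationalUnit", NULL };
    static const char *const names[] = { "none", "user", "service" };

    printf("service entry -> %s\n", names[classify_entry(svc)]);
    printf("user entry    -> %s\n", names[classify_entry(usr)]);
    printf("plain entry   -> %s\n", names[classify_entry(other)]);
    return 0;
}
```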


