question about princ type assignment in krb5_ldap_get_principal()

Praveen Kumar Sahukar psahukar at novell.com
Thu Jun 15 14:12:42 EDT 2006


On Wed, 2006-06-14 at 11:07 -0400, Sam Hartman wrote:
> >>>>> "Praveen" == Praveen Kumar Sahukar <psahukar at novell.com> writes:
> 
>     Praveen> On Tue, 2006-06-13 at 19:49 -0500, Will Fiveash wrote:
>     >> In krb5_ldap_get_principal() in
>     >> src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c I see:
>     >> 
>     >> if ((values=ldap_get_values(ld, ent, "objectclass")) != NULL) {
>     >>     for (i=0; values[i] != NULL; ++i)
>     >>         if (strcasecmp(values[i], "krbprincipal") == 0) {
>     >>             ptype = KDB_SERVICE_PRINCIPAL;
>     >>             break;
>     >>         }
>     >>     ldap_value_free(values);
>     >> }
>     >> 
>     >> Why is ptype set to KDB_SERVICE_PRINCIPAL if the objectclass is
>     >> krbprincipal?
> 
>     Praveen> Kerberos principals created on krbprincipal object class
>     Praveen> (by extending with the krbprincipalaux aux class) are
>     Praveen> considered as Kerberos service principals. Thus kerberos
>     Praveen> principals like kadmin/admin, krbtgt/realmname ... are
>     Praveen> created as krbprincipal object class.
> 
>     Praveen> Kerberos principals created by extending other structural
>     Praveen> object classes with the krbprincipalaux aux class are
>     Praveen> considered as the user principals.
> 
> This seems rather specific to your deployment.
> 
> What distinction does the code make based on this type?

Based on the principal type distinction, a couple of eDirectory-specific
features are applied only to Kerberos user principals and not to
Kerberos service principals.

-Praveen
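The classification the quoted snippet performs, written out as a stand-alone function so it can be exercised without an LDAP connection. This is an added example, not code from the krb5 LDAP plugin or from either poster: the function takes the NULL-terminated string array that ldap_get_values() would return, scans it case-insensitively for the structural class krbprincipal, and otherwise treats the entry as a user principal, which is how Praveen describes entries that carry only the krbprincipalaux auxiliary class on some other structural class. The KDB_USER_PRINCIPAL / KDB_SERVICE_PRINCIPAL values, the user-principal default, and the sample entries (including inetOrgPerson as the "other structural class") are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <strings.h>

/* Assumed values, standing in for the plugin's own definitions. */
#define KDB_USER_PRINCIPAL    0x01
#define KDB_SERVICE_PRINCIPAL 0x02

/*
 * Classify a principal entry from its objectClass values.
 *
 * `values` has the shape ldap_get_values() returns: a NULL-terminated
 * array of strings. The scan mirrors the quoted code: the first value
 * equal to "krbprincipal" (compared case-insensitively, as objectClass
 * names are) marks the entry as a service principal. Anything else,
 * including a NULL array, is treated as a user principal; that default
 * is an assumption based on the reply above, since the quoted fragment
 * does not show how ptype is initialised.
 */
int classify_principal(char *const *values)
{
    int ptype = KDB_USER_PRINCIPAL;
    size_t i;

    if (values == NULL)
        return ptype;
    for (i = 0; values[i] != NULL; ++i) {
        if (strcasecmp(values[i], "krbprincipal") == 0) {
            ptype = KDB_SERVICE_PRINCIPAL;
            break;
        }
    }
    return ptype;
}

/* Constructed sample entries (not real directory data). */

/* krbtgt/REALM style entry: structural class krbprincipal + aux class. */
char *const service_entry[] = { "top", "krbprincipal", "krbprincipalaux", NULL };

/* Same entry with the class name in a different case; still a service. */
char *const service_entry_mixed_case[] = { "top", "KrbPrincipal", "krbPrincipalAux", NULL };

/* A person entry extended with krbprincipalaux: a user principal. */
char *const user_entry[] = { "top", "person", "inetOrgPerson", "krbprincipalaux", NULL };

/* An entry with no Kerberos classes at all falls back to the default. */
char *const plain_entry[] = { "top", "person", NULL };

static const char *type_name(int ptype)
{
    return ptype == KDB_SERVICE_PRINCIPAL ? "service" : "user";
}

int main(void)
{
    printf("service_entry            -> %s\n", type_name(classify_principal(service_entry)));
    printf("service_entry_mixed_case -> %s\n", type_name(classify_principal(service_entry_mixed_case)));
    printf("user_entry               -> %s\n", type_name(classify_principal(user_entry)));
    printf("plain_entry              -> %s\n", type_name(classify_principal(plain_entry)));
    return 0;
}
```

The point the example makes concrete is the one Sam's question is about: the type decision rests solely on whether the structural class is named krbprincipal, so an entry that carries the Kerberos attributes only through krbprincipalaux on some other structural class is classified as a user principal regardless of what the principal name looks like.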


