kdb-ldap plugin question: krbSubTrees realm attribute
Klaus Heinrich Kiwi
klausk at linux.vnet.ibm.com
Wed May 14 20:27:32 EDT 2008
Thanks Simo for your quick response.
> > What happens if I had 'krbSubTrees=cn=realms,dc=myDomain,dc=com' or with
>
> Only nodes of the cn=realms,dc=myDomain,dc=com will be searched for the
> principals
> > multiple values?
>
> multiple subtrees should be searched for the principals (I have not
> tested this though).
>
Thanks. So just to check if I got it right. In case a
krbPrincContainerRef attribute is present, the administrator needs to be
sure that it points to the same DN pointed by at least one element of
krbSubTrees (in case krbSearchScope=one-level) or its children (in case
krbSearchScope=subtree) - or else it will end up adding principals where
Kerberos itself can't find them.
Thanks,
-K
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center
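
The rule as stated in this message, written as a check over a realm's attribute values (an added example, not part of the original message and not kdb-ldap plugin code). The function names, the scope labels passed as strings, and the simplified DN normalization are assumptions; the sample container DNs are constructed.

```python
def split_dn(dn):
    """Split a DN into RDN strings, keeping backslash-escaped commas inside an RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    # Simplified normalization (assumption): trim spaces, ignore case.
    return [r.strip().lower() for r in rdns if r.strip()]


def is_same_or_descendant(dn, base):
    """True if dn equals base or sits anywhere below it (RDN-wise suffix match)."""
    d, b = split_dn(dn), split_dn(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def container_is_searchable(container_ref, subtrees, scope):
    """Apply the rule from the message: with one-level scope the container must be
    one of the krbSubTrees values; with subtree scope it may also be below one."""
    if scope == "one-level":
        return any(split_dn(container_ref) == split_dn(s) for s in subtrees)
    if scope == "subtree":
        return any(is_same_or_descendant(container_ref, s) for s in subtrees)
    raise ValueError("scope must be 'one-level' or 'subtree'")


if __name__ == "__main__":
    subtrees = ["cn=realms,dc=myDomain,dc=com"]           # value from the thread
    for ref in ("cn=realms,dc=myDomain,dc=com",           # constructed samples
                "cn=principals,cn=realms,dc=myDomain,dc=com",
                "ou=people,dc=myDomain,dc=com"):
        for scope in ("one-level", "subtree"):
            ok = container_is_searchable(ref, subtrees, scope)
            print(f"{scope:9} {ref}: {'ok' if ok else 'principals not searchable'}")
```

Comparing RDN by RDN rather than with a string suffix test keeps a value such as `cn=a\,cn=realms,dc=myDomain,dc=com` from being mistaken for an entry under `cn=realms`.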