kdb-ldap plugin question: krbSubTrees realm attribute

Savitha R rsavitha at novell.com
Thu May 15 07:50:37 EDT 2008


>>> On Thu, May 15, 2008 at  5:57 AM, in message
<1210811252.15549.46.camel at klausk.br.ibm.com>, Klaus Heinrich Kiwi
<klausk at linux.vnet.ibm.com> wrote:
> Thanks Simo for your quick response.
> 
>> > What happens if I had 'krbSubTrees=cn=realms,dc=myDomain,dc=com' or with
>> 
>> Only nodes of the cn=realms,dc=myDomain,dc=com will be searched for the
>> principals
>> > multiple values?
>> 
>> multiple subtrees should be searched for the principals (I have not
>> tested this though).
>> 
> 
> Thanks. So just to check if I got it right. In case a
> krbPrincContainerRef attribute is present, the administrator needs to be
> sure that it points to the same dn pointed to by at least one element of
> krbSubTrees (in case krbSearchScope=one-level) or its children (in case
> krbSearchScope=subtree) - or else it will end up adding principals where
> kerberos itself can't find them.
> 
Principals are searched for in the containers specified in the krbSubTrees and
krbPrincContainerRef attributes and also in the Realm Container. So the
krbPrincContainerRef need not be present in the krbSubTrees list.

-Savitha
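The reasoning in this exchange (a principal is reachable only if it sits under the realm container, under one of the krbSubTrees values, or under krbPrincContainerRef, with krbSearchScope deciding whether direct children or the whole subtree count) can be turned into an audit that flags principal entries a KDC would never see. The code below is an added example written for this archive page; it is not from the thread or from the krb5 project. It assumes that every search base, the realm container and krbPrincContainerRef included, is searched with the realm's krbSearchScope, and it compares DNs with a simplified case-insensitive normalisation rather than real LDAP matching rules. All DNs and the realm configuration are constructed sample data.

```python
"""Audit which principal entries a kdb-ldap realm configuration can reach.

Added example, not code from the krbdev thread or from krb5 itself.
Assumption: the realm container, each krbSubTrees value and the
krbPrincContainerRef are all searched with the realm's krbSearchScope.
"""
from dataclasses import dataclass, field
from typing import List, Optional


def split_dn(dn: str) -> List[str]:
    """Split a DN into normalised RDN strings, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    # Simplification: lower-case both attribute type and value. Real LDAP
    # equality depends on each attribute's matching rule.
    normalised = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        normalised.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return normalised


def is_under(entry_dn: str, base_dn: str, scope: str) -> bool:
    """True if a search at base_dn with the given scope would return entry_dn."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) <= len(base) or entry[-len(base):] != base:
        return False  # not strictly below the base
    if scope == "one-level":
        return len(entry) == len(base) + 1  # direct children only
    if scope == "subtree":
        return True  # anything below the base
    raise ValueError(f"unknown krbSearchScope {scope!r}")


@dataclass
class RealmConfig:
    realm_container: str
    krb_sub_trees: List[str] = field(default_factory=list)
    krb_search_scope: str = "subtree"
    krb_princ_container_ref: Optional[str] = None

    def search_bases(self) -> List[str]:
        """Realm container, krbSubTrees and krbPrincContainerRef, per the thread."""
        bases = [self.realm_container] + list(self.krb_sub_trees)
        if self.krb_princ_container_ref:
            bases.append(self.krb_princ_container_ref)
        return bases


def principal_findable(cfg: RealmConfig, principal_dn: str) -> bool:
    return any(is_under(principal_dn, b, cfg.krb_search_scope) for b in cfg.search_bases())


def orphaned_principals(cfg: RealmConfig, principal_dns: List[str]) -> List[str]:
    """Principal entries the KDC would never find with this configuration."""
    return [dn for dn in principal_dns if not principal_findable(cfg, dn)]


# Constructed sample realm: one-level scope, one extra subtree, a separate
# container for newly created principals.
SAMPLE_CONFIG = RealmConfig(
    realm_container="cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com",
    krb_sub_trees=["cn=realms,dc=example,dc=com"],
    krb_search_scope="one-level",
    krb_princ_container_ref="ou=people,dc=example,dc=com",
)

# Constructed sample principal entries (as they might appear in an LDIF dump).
SAMPLE_PRINCIPALS = [
    "krbPrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com",
    "krbPrincipalName=alice@EXAMPLE.COM,cn=realms,dc=example,dc=com",
    "krbPrincipalName=bob@EXAMPLE.COM,ou=hosts,cn=realms,dc=example,dc=com",
    "krbPrincipalName=carol@EXAMPLE.COM,ou=people,dc=example,dc=com",
    r"krbPrincipalName=smith\, john@EXAMPLE.COM,ou=people,dc=example,dc=com",
    "krbPrincipalName=dave@EXAMPLE.COM,ou=stale,dc=example,dc=com",
]

if __name__ == "__main__":
    for dn in orphaned_principals(SAMPLE_CONFIG, SAMPLE_PRINCIPALS):
        print("unreachable with one-level scope:", dn)
```

With the sample configuration the audit reports bob (one level too deep under cn=realms) and dave (under no search base at all); switching krbSearchScope to subtree recovers bob but not dave.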
