kdb-ldap plugin question: krbSubTrees realm attribute

Savitha R rsavitha at novell.com
Thu May 15 07:50:37 EDT 2008

>>> On Thu, May 15, 2008 at  5:57 AM, in message
<1210811252.15549.46.camel at klausk.br.ibm.com>, Klaus Heinrich Kiwi
<klausk at linux.vnet.ibm.com> wrote:
> Thanks Simo for your quick response.
>> > What happens if I had 'krbSubTrees=cn=realms,dc=myDomain,dc=com' or with
>> Only nodes of the cn=realms,dc=myDomain,dc=com will be searched for the
>> principals
>> > multiple values?
>> multiple subtrees should be searched for the principals (I have not
>> tested this though).
> Thanks. So just to check if I got it right. In case a
> krbPrincContainerRef attribute is present, the administrator needs to be
> sure that it points to the same dn pointed by at least one element of
> krbSubTrees (in case krbSearchScope=one-level) or its children (in case
> krbSearchScope=subtree) - or else it will end up adding principals where
> kerberos itself can't find them.
Principals are searched for in the containers specified in krbsubtrees and
krbPrincContainerRef attributes and also in the Realm Container. So the
krbPrincContainerRef need not be present in the krbsubtrees list.
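The reply above lists three kinds of container the KDC searches for principal entries (krbSubTrees, krbPrincContainerRef and the realm container), and the question raises the risk of creating a principal entry under a DN that none of those searches reach. The following Python is an added illustration written for this archive, not code from MIT Kerberos or from either poster: it models the LDAP scope rules (one-level returns only direct children of the base, subtree returns the base and every descendant) and reports which configured search base, if any, would find a given entry DN. It assumes krbSearchScope is applied uniformly to all three container kinds, the realm DNs and principal DNs are constructed samples, and the DN splitter is naive (it does not handle escaped commas inside attribute values).

```python
"""Audit helper: would the KDC's LDAP lookup find a given principal entry?

Added illustration, not MIT Kerberos code. Assumption: krbSearchScope is
applied uniformly to krbSubTrees, krbPrincContainerRef and the realm
container. The DN splitter is naive and ignores escaped commas ("\\,").
"""


def _rdns(dn):
    """Split a DN into lower-cased, whitespace-trimmed RDNs, root first."""
    parts = [p.strip().lower() for p in dn.split(",") if p.strip()]
    return list(reversed(parts))


def is_within(entry_dn, base_dn, scope):
    """True if an LDAP search rooted at base_dn with the given scope would
    return entry_dn.  scope is "one-level" (direct children only) or
    "subtree" (the base itself and all descendants), the two krbSearchScope
    values discussed in the thread."""
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if entry[:len(base)] != base:          # base must be an ancestor (or equal)
        return False
    depth = len(entry) - len(base)         # 0 = same entry, 1 = direct child
    if scope == "one-level":
        return depth == 1
    if scope == "subtree":
        return depth >= 0
    raise ValueError("unknown krbSearchScope: %r" % (scope,))


def search_bases(realm):
    """The containers the KDC searches, per the reply: the realm container,
    every krbSubTrees value, and krbPrincContainerRef when it is set."""
    bases = [realm["realm_container"]]
    bases += realm.get("krbSubTrees", [])
    if realm.get("krbPrincContainerRef"):
        bases.append(realm["krbPrincContainerRef"])
    return bases


def principal_reachable(entry_dn, realm):
    """Return the first configured search base under which entry_dn would be
    found, or None if no search would reach it (the misconfiguration the
    question worries about)."""
    for base in search_bases(realm):
        if is_within(entry_dn, base, realm["krbSearchScope"]):
            return base
    return None


# Constructed sample configuration using the dc=myDomain,dc=com suffix from
# the thread; the realm name and ou names are invented for the example.
REALM = {
    "realm_container": "cn=MYDOMAIN.COM,cn=realms,dc=myDomain,dc=com",
    "krbSubTrees": ["ou=people,dc=myDomain,dc=com",
                    "ou=services,dc=myDomain,dc=com"],
    "krbPrincContainerRef":
        "cn=principals,cn=MYDOMAIN.COM,cn=realms,dc=myDomain,dc=com",
    "krbSearchScope": "one-level",
}

if __name__ == "__main__":
    for dn in ("uid=alice,ou=people,dc=myDomain,dc=com",
               "uid=bob,ou=staff,ou=people,dc=myDomain,dc=com",
               "krbPrincipalName=host/kdc.example@MYDOMAIN.COM,"
               "cn=principals,cn=MYDOMAIN.COM,cn=realms,dc=myDomain,dc=com"):
        print("%-75s -> %s" % (dn, principal_reachable(dn, REALM)))
```

With krbSearchScope=one-level the entry for bob, nested one level deeper under ou=staff, is reported as unreachable; switching the sample to subtree makes it reachable through the ou=people subtree, which is exactly the scope dependency the question describes.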