Preliminary discussion: DB alias entries

Greg Hudson ghudson at MIT.EDU
Tue Mar 10 22:16:32 EDT 2009


On Thu, 2009-03-05 at 12:49 -0500, Sam Hartman wrote:
> I think that as several people have proposed an additional
> multi-valued attribute will be appropriate.  In a lot of places I
> think it will be reasonable for this attribute to live in the same
> object.

(Several days of LDAP research and code hacking later...)

Luke actually suggested adding a canonical principal name attribute, not
a multi-valued attribute for aliases.  I didn't catch that at the time.

The subtlety here is that krbPrincipalName is already multi-valued.  You
can add multiple principal names to a single LDAP entry (using -x dn=...
as an argument to add_princ, or from outside of kadmin entirely) and
delete them independently of each other.  They will share keys and other
metadata, as well as any non-Kerberos data on the object (of course).
If you search for any of the names, you will get the name you searched
for returned back to you.

For service principals I believe this level of support is sufficient as
is, because we don't canonicalize service principal names anyway.  Does
that seem accurate?

For user principal aliases you do presumably want to canonicalize the
name--but I am not aware of any use cases for user principal aliases
other than case-folding.
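As an added illustration, not part of this message or of the krb5 project's own code, here is what the "from outside of kadmin entirely" path looks like: an LDIF change record that adds a second krbPrincipalName value (a case-folded alias) to an existing principal entry, followed by one that removes that value on its own. The DN, realm and principal names are constructed placeholders; the entry's keys and other attributes are never touched, which is why both names share them.

```ldif
# Constructed example. DN, realm and principal names are placeholders,
# laid out like the MIT LDAP backend's per-realm principal container.
# krbPrincipalName is multi-valued, so an alias is simply a second value
# on the same entry; the keys and other attributes of the entry stay as they are.
dn: krbPrincipalName=jdoe@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
changetype: modify
add: krbPrincipalName
krbPrincipalName: JDoe@EXAMPLE.COM

# Each value can later be deleted independently of the others; the entry,
# its keys and the remaining name (jdoe@EXAMPLE.COM) are left intact.
dn: krbPrincipalName=jdoe@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com
changetype: modify
delete: krbPrincipalName
krbPrincipalName: JDoe@EXAMPLE.COM
```

Apply either record with `ldapmodify` as a directory administrator that is allowed to write the Kerberos container; a subsequent search for either value returns the name that was searched for, exactly as described above.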
