Preliminary discussion: DB alias entries

Sam Hartman hartmans at MIT.EDU
Thu Mar 12 08:50:46 EDT 2009


>>>>> "Ken" == Ken Raeburn <raeburn at MIT.EDU> writes:

    Ken> On Mar 10, 2009, at 22:16, Greg Hudson wrote:
    >> For user principal aliases you do presumably want to canonicalize the
    >> name--but I am not aware of any use cases for user principal aliases
    >> other than case-folding.

I understand if we don't have time to add a canonical principal
attribute for 1.7, but I think we should try for 1.7.1.

We do support user name aliases, and they seem to be something that
people care about.  The Role of Kerberos paper and the Kerberos in
Mixed Environments paper talk about this in some detail, although a
lot of that discussion applies more to enterprise names than non-enterprise aliases.

Another case where user principal aliases come into play is the one I
discussed: services getting tickets as a user.

Having non-canonicalized user principals is very bad because it breaks
name-based authorization.  It's not so bad if you generate a PAC (and
use it), but our LDAP backend does not do that.

--Sam
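The effect Sam describes (an alias reaching a name-based ACL unchanged) is easy to see with a toy model. The block below is an added illustration written for this page; it is not krb5 code and not something any poster in the thread wrote. The realm EXAMPLE.COM, the alias table, and the two service ACLs are constructed assumptions, as is the idea that a non-canonicalizing KDC simply echoes the requested client name into the ticket.

```python
# Added illustration, not krb5 code: a toy KDC with an alias table and two
# services that authorize by principal-name string, showing why a ticket
# issued under an alias breaks name-based authorization unless the KDC
# writes the canonical name into the ticket.

REALM = "EXAMPLE.COM"  # assumed realm for the example

# Constructed alias table. Each key is a name the toy KDC accepts as a
# client principal; the value is the canonical name of the DB entry.
ALIASES = {
    "alice@EXAMPLE.COM": "alice@EXAMPLE.COM",
    "Alice@EXAMPLE.COM": "alice@EXAMPLE.COM",      # case-folding alias
    "mallory@EXAMPLE.COM": "mallory@EXAMPLE.COM",
    "Mallory@EXAMPLE.COM": "mallory@EXAMPLE.COM",  # case-folding alias
}

# Constructed service ACLs keyed on the exact principal-name string, the
# way a .k5login file or a simple service ACL would be.
ALLOW = {"alice@EXAMPLE.COM"}    # service A: allow-list of named users
DENY = {"mallory@EXAMPLE.COM"}   # service B: everyone in the realm except these


def issue_ticket(requested_client, canonicalize):
    """Toy KDC: resolve the requested name through the alias table and
    return the client name (cname) the ticket will carry."""
    canonical = ALIASES.get(requested_client)
    if canonical is None:
        raise KeyError("no such principal: " + requested_client)
    # A canonicalizing KDC puts the DB entry's name in the ticket; a
    # non-canonicalizing one echoes back whatever alias was requested.
    return canonical if canonicalize else requested_client


def authorize_allowlist(ticket_cname):
    """Service A: name must appear verbatim in the allow-list."""
    return ticket_cname in ALLOW


def authorize_denylist(ticket_cname):
    """Service B: any principal in the realm, unless explicitly denied."""
    return ticket_cname.endswith("@" + REALM) and ticket_cname not in DENY


def outcomes(canonicalize):
    """Run both services against tickets requested under an alias."""
    alice_ticket = issue_ticket("Alice@EXAMPLE.COM", canonicalize)
    mallory_ticket = issue_ticket("Mallory@EXAMPLE.COM", canonicalize)
    return {
        "alice_on_allowlist_service": authorize_allowlist(alice_ticket),
        "mallory_on_denylist_service": authorize_denylist(mallory_ticket),
    }


if __name__ == "__main__":
    # Without canonicalization the ACL sees the alias, not the user:
    # alice is wrongly denied, and mallory slips past the deny entry.
    print("no canonicalization:", outcomes(canonicalize=False))
    # With canonicalization the ACL always sees the canonical name.
    print("canonicalizing KDC: ", outcomes(canonicalize=True))
```

The second case is the one that matters for security: a deny entry written against the canonical name is bypassed as soon as the user can obtain a ticket under any other spelling of their own principal. Generating and consuming a PAC (or an equivalent authorization-data element carrying a stable identity) sidesteps the problem because the ACL is no longer keyed on the client name string at all, which is the mitigation the message notes the LDAP backend does not provide.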



