KDB and referrals/aliases

Greg Hudson ghudson at MIT.EDU
Wed Sep 2 17:04:54 EDT 2009


On Wed, 2009-09-02 at 16:28 -0400, Nicolas Williams wrote:
> Is there a way to list canonical names only though?  That'd be nice.
> I'm not sure it'd be "required", but if listing only canon names meant
> listing all names then doing a getprinc on each, then yes, IMO it'd be a
> required feature.  Conversely, being able to list all names, alias and
> canonical, in one step is a "requirement", IMO.

Now that I look, iteration is pretty broken in the presence of aliases.
krb5_ldap_iterate will stop at the first krbPrincipalName value which is
in the specified realm, so you get one name listed per principal entry,
and it's not even necessarily the canonical name.

The DAL interface for iteration is:

krb5_error_code krb5_db_iterate ( krb5_context kcontext,
                                  char *match_entry,
                                  int (*func) (krb5_pointer, krb5_db_entry *),
                                  krb5_pointer func_arg );

I believe that interface would have to be extended to do something
sensical with aliases.  Luke, what does the DSfW back end do about
iteration?
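As an added illustration of the iteration problem described above (this is not krb5 code and is not from the thread): a toy model of principal entries that each carry several krbPrincipalName values plus one canonical name. With all_names == 0 the iterate() function reproduces the described first-in-realm-value behaviour, so an entry whose alias is stored before its canonical name is listed under the alias; with all_names != 0 every in-realm value is reported and tagged as canonical or not, which is one possible shape for the extended interface the message says the DAL would need. The struct entry type, the SAMPLE data, the name_fn callback signature, and the listing/name_count helpers are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a principal entry (not krb5's krb5_db_entry):
 * several krbPrincipalName values in stored order plus the canonical one. */
#define MAX_NAMES 4

struct entry {
    const char *names[MAX_NAMES]; /* krbPrincipalName values, stored order */
    int nnames;
    const char *canonical;        /* which of the names is canonical */
};

/* Constructed sample data: entry 0 stores its alias before its canonical
 * name; entry 1 stores a foreign-realm value before the in-realm one. */
static const struct entry SAMPLE[] = {
    { { "alias1@EXAMPLE.COM", "user@EXAMPLE.COM" }, 2, "user@EXAMPLE.COM" },
    { { "host/a@OTHER.REALM", "host/a@EXAMPLE.COM" }, 2, "host/a@EXAMPLE.COM" },
};
#define NSAMPLE ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

static int in_realm(const char *princ, const char *realm) {
    const char *at = strrchr(princ, '@');
    return at != NULL && strcmp(at + 1, realm) == 0;
}

/* Hypothetical callback: receives each name and whether it is the entry's
 * canonical name; a nonzero return stops the iteration. */
typedef int (*name_fn)(void *arg, const char *name, int is_canonical);

/* all_names == 0: stop at the first in-realm value of each entry (the
 * behaviour described in the message).  all_names != 0: report every
 * in-realm value, tagged canonical or alias. */
static int iterate(const struct entry *entries, int n, const char *realm,
                   int all_names, name_fn func, void *arg) {
    for (int i = 0; i < n; i++) {
        const struct entry *e = &entries[i];
        for (int j = 0; j < e->nnames; j++) {
            if (!in_realm(e->names[j], realm))
                continue;
            int rc = func(arg, e->names[j], strcmp(e->names[j], e->canonical) == 0);
            if (rc)
                return rc;
            if (!all_names)
                break; /* one name per entry, not necessarily the canonical one */
        }
    }
    return 0;
}

/* Collects "name" (alias) or "name*" (canonical) into a comma-separated buffer. */
struct collector { char *buf; size_t len; int count; };

static int collect(void *arg, const char *name, int is_canonical) {
    struct collector *c = arg;
    size_t used = strlen(c->buf);
    int w = snprintf(c->buf + used, c->len - used, "%s%s%s",
                     c->count ? "," : "", name, is_canonical ? "*" : "");
    if (w < 0 || (size_t)w >= c->len - used)
        return -1; /* buffer full: stop iterating */
    c->count++;
    return 0;
}

/* Listing of the names reported for REALM (static buffer); NULL on overflow. */
const char *listing(const char *realm, int all_names) {
    static char buf[256];
    struct collector c = { buf, sizeof buf, 0 };
    buf[0] = '\0';
    if (iterate(SAMPLE, NSAMPLE, realm, all_names, collect, &c) != 0)
        return NULL;
    return buf;
}

struct counter { int canonical_only; int n; };

static int count_cb(void *arg, const char *name, int is_canonical) {
    struct counter *c = arg;
    (void)name;
    if (!c->canonical_only || is_canonical)
        c->n++;
    return 0;
}

/* Number of names (or canonical names only) reported for REALM. */
int name_count(const char *realm, int all_names, int canonical_only) {
    struct counter c = { canonical_only, 0 };
    iterate(SAMPLE, NSAMPLE, realm, all_names, count_cb, &c);
    return c.n;
}

int main(void) {
    printf("first-match iteration: %s\n", listing("EXAMPLE.COM", 0));
    printf("all-names iteration:   %s\n", listing("EXAMPLE.COM", 1));
    return 0;
}
```

Run against the sample, the first-match mode lists alias1@EXAMPLE.COM for the first entry and never reports user@EXAMPLE.COM, which is exactly the "one name per entry, not necessarily the canonical one" outcome; the all-names mode makes both a full listing and a canonical-only listing possible in a single pass, because each reported name carries its canonical flag.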
