KDB and referrals/aliases
Luke Howard
lukeh at padl.com
Thu Sep 3 01:52:52 EDT 2009
On 02/09/2009, at 11:04 PM, Greg Hudson wrote:
> On Wed, 2009-09-02 at 16:28 -0400, Nicolas Williams wrote:
>> Is there a way to list canonical names only though? That'd be nice.
>> I'm not sure it'd be "required", but if listing only canon names meant
>> listing all names then doing a getprinc on each, then yes, IMO it'd be a
>> required feature. Conversely, being able to list all names, alias and
>> canonical, in one step is a "requirement", IMO.
>
> Now that I look, iteration is pretty broken in the presence of aliases.
> krb5_ldap_iterate will stop at the first krbPrincipalName value which is
> in the specified realm, so you get one name listed per principal entry,
> and it's not even necessarily the canonical name.
>
> The DAL interface for iteration is:
>
> krb5_error_code krb5_db_iterate ( krb5_context kcontext,
>                                   char *match_entry,
>                                   int (*func) (krb5_pointer,
>                                                krb5_db_entry *),
>                                   krb5_pointer func_arg );
>
> I believe that interface would have to be extended to do something
> sensical with aliases. Luke, what does the DSfW back end do about
> iteration?
It always returns the canonical name. For DSfW, the primary
administration interface is LDAP (in fact, I don't think Novell even
shipped kadmin).
-- Luke
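To make the three listing behaviours discussed in this thread concrete, here is a small added C model; it is not krb5 code and not the DSfW back end. It uses a toy entry holding one canonical name and several krbPrincipalName values (the canonical-name field, the sample principals and the realm strings are all assumptions), with one function per behaviour: the first in-realm value that Greg says krb5_ldap_iterate stops at, the canonical-only listing Luke describes for DSfW, and the all-names listing Nico asks for.

```c
/* Added toy model of one directory entry; not krb5 or DSfW code. */
#include <string.h>
#define MAX_NAMES 8

struct entry {
    const char *canonical;         /* canonical name (assumed attribute) */
    const char *names[MAX_NAMES];  /* krbPrincipalName values, NULL-terminated */
};

/* Constructed sample: an alias precedes the canonical name, and one
 * value belongs to another realm. */
const struct entry sample = {
    "host/kdc.example.com@EXAMPLE.COM",
    { "alias/kdc@EXAMPLE.COM", "kdc@OTHER.REALM",
      "host/kdc.example.com@EXAMPLE.COM", NULL }
};

/* True if the text after the last '@' equals realm. */
static int in_realm(const char *princ, const char *realm) {
    const char *at = strrchr(princ, '@');
    return at != NULL && strcmp(at + 1, realm) == 0;
}

/* Greg's description: first krbPrincipalName in the realm, canonical or not. */
const char *first_in_realm(const struct entry *e, const char *realm) {
    for (int i = 0; e->names[i] != NULL; i++)
        if (in_realm(e->names[i], realm))
            return e->names[i];
    return NULL;
}

/* Luke's description of DSfW: the canonical name only. */
const char *canonical_only(const struct entry *e, const char *realm) {
    return in_realm(e->canonical, realm) ? e->canonical : NULL;
}

/* Nico's requirement: every in-realm name, alias and canonical, in one
 * pass; stores up to max pointers in out[] and returns the count. */
int all_names(const struct entry *e, const char *realm, const char **out, int max) {
    int n = 0;
    for (int i = 0; e->names[i] != NULL && n < max; i++)
        if (in_realm(e->names[i], realm))
            out[n++] = e->names[i];
    return n;
}
```

With the sample entry, first_in_realm returns the alias rather than the canonical name, which is exactly the one-name-per-entry problem described above.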