KDB and referrals/aliases
Nicolas.Williams at sun.com
Thu Sep 3 12:47:50 EDT 2009
On Thu, Sep 03, 2009 at 12:17:07PM -0400, Greg Hudson wrote:
> On Thu, 2009-09-03 at 01:52 -0400, Luke Howard wrote:
> > It always returns the canonical name. For DSfW, the primary
> > administration interface is LDAP (in fact, I don't think Novell even
> > shipped kadmin).
> Alright. When I added alias support to LDAP for 1.7, time constraints
> led me to relegate administration of aliases (such as adding them at
> all) to external LDAP tools. So for the moment it makes sense to just
> fix the iteration code to supply the canonical name. That means:
> * With Luke's suggested change to krb5_ldap_get_principal(), "getprinc
> aliasname" will start working, and will report the canonical name. That
> will be the only way to see aliases in the admin interface.
> * With the (not yet coded) fix to krb5_ldap_iterate(), "listprincs"
> will display only a list of canonical names.
Excellent. A TL_DATA to list the known aliases of a princ, and getprinc
support for that, would round this out.