KDB and referrals/aliases

Nicolas Williams Nicolas.Williams at sun.com
Thu Sep 3 12:47:50 EDT 2009

On Thu, Sep 03, 2009 at 12:17:07PM -0400, Greg Hudson wrote:
> On Thu, 2009-09-03 at 01:52 -0400, Luke Howard wrote:
> > It always returns the canonical name. For DSfW, the primary  
> > administration interface is LDAP (in fact, I don't think Novell even  
> > shipped kadmin).
> Alright.  When I added alias support to LDAP for 1.7, time constraints
> led me to relegate administration of aliases (such as adding them at
> all) to external LDAP tools.  So for the moment it makes sense to just
> fix the iteration code to supply the canonical name.  That means:
>   * With Luke's suggested change to krb5_ldap_get_principal(), "getprinc
> aliasname" will start working, and will report the canonical name.  That
> will be the only way to see aliases in the admin interface.
>   * With the (not yet coded) fix to krb5_ldap_iterate(), "listprincs"
> will display only a list of canonical names.

Excellent.  A TL_DATA to list the known aliases of a princ, and getprinc
support for that, would round this out.

More information about the krbdev mailing list