principal aliases for non-LDAP backends?

Greg Hudson ghudson at MIT.EDU
Thu Feb 18 13:34:35 EST 2010

On Thu, 2010-02-18 at 13:12 -0500, Tim Mooney wrote:
> I know that principal aliases are currently only supported with the
> LDAP backend.  Are there any plans to add support for principal aliases
> with the traditional backend?

That's unclear.  When I initially proposed adding alias support, I was
going to do it for the BDB back end only, but the feedback I got was
that people using this feature would probably (1) want to be able to do
bulk updates of alias information rather than going through kadmind, and
(2) might be more likely to be using the LDAP back end since they're
more likely to be integrating with outside sources of information.  I
wasn't able to come up with a satisfying and easy design for (1) with
the BDB back end.  A notable obstacle is that all accesses to krb5 BDB
back end databases have to go through custom locking code, since the way
we use BDB does not allow for concurrent access.

What we would like to do in the medium term--perhaps for 1.9 if we can
allocate the resources--is create a new embedded back end, probably
using SQLite, which is more easily extensible and which can better
support integration with other data sources via external tools.  Then we
could deprecate the BDB back end in favor of the new back end.  If we do
this, it will make more sense to add support for aliases and similar
features (such as referrals and canonicalization of UPNs) to the new
back end.
