PKINIT and DN Mapping support in MIT kerberos

Matthieu Hautreux matthieu.hautreux at
Wed Nov 23 06:02:52 EST 2011


I do not know if this is the right list or if I should use the kerberos
standard list. Please tell me if you think I should send that to the
other one.

I would like to set up a PKINIT enabled kerberos server in order to
glue multiple x509 PKIs with a single kerberos REALM. The PKIs were
created prior to any considerations of using PKINIT and thus do not
conform to the PKINIT RFC (SAN/EKU). As a result, I need to have a
mapping between x509 DN and associated principal(s). Looking at the
code and the svn, it seems that a dn_mapping_file was introduced in
the configuration structure in 2007 but the logic was not implemented
at that time and is still not present.

I would like to know if it is something that is planned for the future
or if you see issues with such a feature that prevent adding it to
the main branch. Without such a feature, I do not see how to manage
PKINIT, do you see an alternative? I am currently thinking about a
heimdal slave for that purpose as heimdal provides this mapping
feature but I would rather use the MIT version.

Thanks in advance for your help
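As an added illustration of the DN-to-principal mapping the post asks for (this is example code written for this page, not code from the krbdev thread, from MIT Kerberos or from Heimdal), the following toy lookup shows the two properties a KDC-side mapping of this kind needs when several PKIs share one realm: the key must include the issuer DN as well as the subject DN, because two independent CAs can each issue a certificate with the same subject, and DNs must be canonicalised (escaped commas respected, attribute types and values case-folded, whitespace collapsed, RDN order preserved) rather than compared as raw strings. The `issuer | subject | principals` line format, the `MAPPING_FILE` contents and the realm `EXAMPLE.REALM` are all constructed assumptions, not any real mapping-file syntax.

```python
"""Toy DN-to-principal mapping lookup (hypothetical format, added example).

Mapping file format assumed here (constructed, not a real Kerberos format):
    <issuer DN> | <subject DN> | <principal>[,<principal>...]
Lines starting with '#' are comments.
"""
import re
from typing import Dict, List, Tuple

NormDN = Tuple[Tuple[str, str], ...]
MapKey = Tuple[NormDN, NormDN]

# Constructed sample mapping: two PKIs, one realm, one user holding
# different subject DNs under each CA.
MAPPING_FILE = """\
# issuer DN | subject DN | principal(s)
CN=Corp CA,O=Example | CN=Alice Smith,OU=HPC,O=Example | alice@EXAMPLE.REALM
CN=Lab CA,O=Lab | CN=alice,OU=Users,O=Lab | alice@EXAMPLE.REALM,alice/admin@EXAMPLE.REALM
"""


def split_rdns(dn: str) -> List[str]:
    """Split a string DN on commas that are not backslash-escaped (RFC 4514 style)."""
    parts: List[str] = []
    cur: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> NormDN:
    """Canonicalise a DN: lower-case types and values, trim and collapse
    whitespace, keep RDN order (order is significant in a DN)."""
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
        attr, value = rdn.split("=", 1)
        attr = attr.strip().lower()
        value = re.sub(r"\s+", " ", value.strip()).lower()
        if not attr or not value:
            raise ValueError(f"empty attribute or value in RDN {rdn!r}")
        rdns.append((attr, value))
    return tuple(rdns)


def parse_mapping(text: str) -> Dict[MapKey, List[str]]:
    """Parse the (assumed) mapping format into {(issuer, subject): [principals]}.
    A duplicate (issuer, subject) pair is rejected: an ambiguous mapping must
    fail closed at load time, not be resolved silently at authentication time."""
    table: Dict[MapKey, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'issuer | subject | principals'")
        key = (normalize_dn(fields[0]), normalize_dn(fields[1]))
        principals = [p.strip() for p in fields[2].split(",") if p.strip()]
        if not principals:
            raise ValueError(f"line {lineno}: no principal listed")
        if key in table:
            raise ValueError(f"line {lineno}: duplicate mapping for subject "
                             f"{fields[1]!r} under issuer {fields[0]!r}")
        table[key] = principals
    return table


def lookup(table: Dict[MapKey, List[str]], issuer_dn: str, subject_dn: str) -> List[str]:
    """Return the principals mapped to (issuer, subject), or [] if unmapped.
    Keying on the issuer means a same-named subject from another CA does not match."""
    return list(table.get((normalize_dn(issuer_dn), normalize_dn(subject_dn)), []))


if __name__ == "__main__":
    table = parse_mapping(MAPPING_FILE)
    print(lookup(table, "cn=corp ca, o=example", "CN=Alice  Smith, OU=HPC, O=Example"))
    print(lookup(table, "CN=Lab CA,O=Lab", "CN=Alice Smith,OU=HPC,O=Example"))
```

The lookup deliberately returns the principal list only for an exact (issuer, subject) pair; a KDC using such a table would still have to validate the certificate chain to that issuer before consulting it, since the mapping says nothing about whether the certificate is genuine.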
