any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker checker at
Fri Aug 26 02:10:15 EDT 2016

I have a kerberized service that gets tickets from clients via 
krb5_rd_req and I get the client name from the ticket using 
krb5_unparse_name_flags.  On the KDC, these clients are in the LDAP 
backend.  Is there any way to get the dn (which has a UUID) as part of 
the ticket so I get can use it in the service?  I know this is a bit of 
a confusion between authn and authz, but I also know Microsoft has a 
bunch of extensions that put a bunch of stuff into tickets that gets 
carried around, and I'm wondering if there's an extension mechanism that 
works for this.  I'd like to avoid another round-trip to the backend to 
map from the client name to the UUID.  I'm willing to modify my MIT KDC 
if necessary, although it'd be nice if was doable with a plugin in an 
"official" way or something.

Thanks, or let me know if I'm thinking about this in the wrong way...


More information about the krbdev mailing list