any way to get user's ldap dn (or part of it) as part of the ticket?

Chris Hecker checker at
Fri Aug 26 02:16:07 EDT 2016

Hmm, it looks like the authdata_plugin might be what I want?


On 2016-08-25 23:10, Chris Hecker wrote:
> I have a kerberized service that gets tickets from clients via
> krb5_rd_req and I get the client name from the ticket using
> krb5_unparse_name_flags.  On the KDC, these clients are in the LDAP
> backend.  Is there any way to get the dn (which has a UUID) as part of
> the ticket so I get can use it in the service?  I know this is a bit of
> a confusion between authn and authz, but I also know Microsoft has a
> bunch of extensions that put a bunch of stuff into tickets that gets
> carried around, and I'm wondering if there's an extension mechanism that
> works for this.  I'd like to avoid another round-trip to the backend to
> map from the client name to the UUID.  I'm willing to modify my MIT KDC
> if necessary, although it'd be nice if was doable with a plugin in an
> "official" way or something.
> Thanks, or let me know if I'm thinking about this in the wrong way...
> Thanks,
> Chris

More information about the krbdev mailing list