principal aliases?

Simo Sorce simo at redhat.com
Tue Nov 21 20:32:20 EST 2017


This is right.
The way to do it is to set krbCanonicalName to the real name, and
krbPrincipalName then can contain any number of aliases. Note the
latter should also contain the canonical name and be a comprehensive
list.

Simo.

On Tue, 2017-11-21 at 16:59 -0800, Chris Hecker wrote:
> There is code that checks krbCanonicalName...hmm, it looks like maybe for
> MIT krbPrincipalName can have multiple entries and that's how aliases are
> done and krbPrincipalAliases is only on Heimdal...
> 
> Chris
> 
> 
> On Tue, Nov 21, 2017 at 4:56 PM, Chris Hecker <checker at d6.com> wrote:
> 
> > No, I meant, how does the KDC actually query for them since it doesn't
> > appear to be in the code anywhere I can find?  I haven't set it up to test
> > yet, but I'm trying to see how it could possibly work when it's not in the
> > LDAP queries...hopefully I'm missing something.
> > 
> > Chris
> > 
> > 
> > On Tue, Nov 21, 2017 at 4:53 PM, Benjamin Kaduk <kaduk at mit.edu> wrote:
> > 
> > > On Tue, Nov 21, 2017 at 04:43:58PM -0800, Chris Hecker wrote:
> > > > Oh, really?  That's cool, I couldn't find krbPrincipalAliases (case
> > > > insensitive) in the entire 1.15.2 source code except for the schema and
> > > > ldif files...how does that work?  I don't mind creating them myself, no
> > > > problem.
> > > 
> > > The only documentation I know of is at the end of
> > > http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html .
> > > There are probably other references in the list archives, though it's
> > > unclear exactly how helpful they would be.
> > > 
> > > -Ben
> > > 
> > 
> > 
> 
> _______________________________________________
> krbdev mailing list             krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev

-- 
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc
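
An added example, not part of the original message and not MIT krb5 code: a small audit of the attribute layout described in the reply above, flagging entries whose krbPrincipalName list omits the krbCanonicalName value. It goes one step beyond the reply by also reporting a name attached to more than one entry; the entries, DNs and finding labels are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample entries (not from a real directory); DNs are placeholders.
SAMPLE_LDIF = """\
dn: krbPrincipalName=host/web1@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com
krbCanonicalName: host/web1@EXAMPLE.COM
krbPrincipalName: host/web1@EXAMPLE.COM
krbPrincipalName: host/www@EXAMPLE.COM

dn: krbPrincipalName=host/db1@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com
krbCanonicalName: host/db1@EXAMPLE.COM
krbPrincipalName: host/db@EXAMPLE.COM

dn: krbPrincipalName=host/www@EXAMPLE.COM,cn=EXAMPLE.COM,dc=example,dc=com
krbPrincipalName: host/www@EXAMPLE.COM
"""

def parse_ldif(text):
    """Minimal reader; folded lines and base64 ('attr::') values are not handled."""
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:
        if not line.strip():          # a blank line ends the current entry
            if cur:
                entries.append(dict(cur))
            cur = defaultdict(list)
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            # LDAP attribute names are case-insensitive, so store them lowercased.
            cur[attr.strip().lower()].append(value.strip())
    return entries

def audit(entries):
    """Return (kind, subject) findings for the alias layout in the reply."""
    findings, owners = [], defaultdict(list)
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        names = e.get("krbprincipalname", [])
        for name in names:
            owners[name].append(dn)
        # Rule from the reply: krbPrincipalName must also list the canonical name.
        # Exact, case-sensitive comparison is an assumption of this sketch.
        for canon in e.get("krbcanonicalname", []):
            if canon not in names:
                findings.append(("canonical-not-listed", dn))
    # Extra check beyond the reply: the same name present on several entries.
    for name, dns in owners.items():
        if len(dns) > 1:
            findings.append(("name-on-multiple-entries", name))
    return findings

if __name__ == "__main__":
    for kind, subject in audit(parse_ldif(SAMPLE_LDIF)):
        print(kind, subject)
```
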


