On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
> On 2015-02-11 15:25, Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the Kerberos schema
> >> I'd like to know which kind of searches you usually do when looking into your
> >> backend via LDAP.
> >>
> >> Which attributes are you usually using in the search?
> >> Which filters do you hack on command-line?
> >>
> >> Well, 'krbPrincipalName' will of course be the most used search attribute. The
> >> default equality matching rule is caseExactIA5Match, so for convenience I'd
> >> add something to use caseIgnoreIA5Match without the user having to select that
> >> himself.
> > You should also search on KrbCanonicalName if you need exact matching,
> > krbPrincipalName is multivalued and may contain aliases.
> A bit off the topic, but please allow me a question here. I've noticed
> that addprinc -x dn= only allows a single principal per entry, and -x
> linkdn= does not put the krbPrincipalName into the specified entry. With
> utilizing the LDAP backend, what would be the way to make use of the
> krbPrincipalName's multivalued nature, and have it populated at the ldap
> entry's values?

Well, LDAP support in kadmin is not really "complete".
I use this stuff mostly in FreeIPA where we have a different DAL driver
and custom tools to manipulate the DIT.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
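
The two searches discussed in the thread, as an added example that is not part of the original messages or of web2ldap: it builds an extensible-match filter for `krbPrincipalName` with `caseIgnoreIA5Match` and an equality filter for `krbCanonicalName`, escaping the user-supplied principal per RFC 4515. The function names, the sample entries and the local matchers (simplified stand-ins for the server's matching rules) are assumptions made for illustration.

```python
# Added example: filter construction for the Kerberos LDAP schema searches
# discussed above, plus a local check on constructed entries (no server needed).

# RFC 4515 characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape search-form input so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def alias_filter(principal: str) -> str:
    """Case-insensitive match on any name or alias of the principal."""
    return "(krbPrincipalName:caseIgnoreIA5Match:=%s)" % escape_filter_value(principal)

def canonical_filter(principal: str) -> str:
    """Equality match on the single canonical name, ignoring aliases."""
    return "(krbCanonicalName=%s)" % escape_filter_value(principal)

# Constructed sample entries: web1 carries an alias in krbPrincipalName.
ENTRIES = [
    {"dn": "cn=web1,dc=example,dc=com",
     "krbCanonicalName": "host/web1.example.com@EXAMPLE.COM",
     "krbPrincipalName": ["host/web1.example.com@EXAMPLE.COM",
                          "host/www.example.com@EXAMPLE.COM"]},
    {"dn": "cn=alice,dc=example,dc=com",
     "krbCanonicalName": "alice@EXAMPLE.COM",
     "krbPrincipalName": ["alice@EXAMPLE.COM"]},
]

def match_alias(entries, principal):
    """Local stand-in for alias_filter: any value equal, ignoring ASCII case."""
    wanted = principal.lower()
    return [e["dn"] for e in entries
            if any(v.lower() == wanted for v in e["krbPrincipalName"])]

def match_canonical(entries, principal):
    """Local stand-in for canonical_filter: exact match on the canonical name."""
    return [e["dn"] for e in entries if e["krbCanonicalName"] == principal]

if __name__ == "__main__":
    alias = "HOST/www.example.com@EXAMPLE.COM"
    print(alias_filter(alias), "->", match_alias(ENTRIES, alias))
    print(canonical_filter(alias), "->", match_canonical(ENTRIES, alias))
```
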