On Thu, 2015-02-12 at 17:57 +0100, Michael Ströder wrote:
> Simo Sorce wrote:
> > On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
> >> On 2015-02-11 15:25, Simo Sorce wrote:
> >>> You should also search on KrbCanonicalName if you need exact matching,
> >>> krbPrincipalName is multivalued and may contain aliases.
> >>
> >> A bit off the topic, but please allow me a question here. I've noticed
> >> that addprinc -x dn= only allows a single principal per entry, and -x
> >> linkdn= does not put the krbPrincipalName into the specified entry. With
> >> utilizing the LDAP backend, what would be the way to make use of the
> >> krbPrincipalName's multivalued nature, and have it populated at the ldap
> >> entry's values?
> >
> > Well, LDAP support in kadmin is not really "complete". I use this stuff
> > mostly in FreeIPA where we have a different DAL driver and custom tools
> > to manipulate the DIT.
>
> In FreeIPA's schema I see krbPrincipalAliases and ipaKrbPrincipalAlias. What's
> the difference?

ipaKrbPrincipalAlias is a mistake we want to correct :-/

Simo.

--
Simo Sorce * Red Hat, Inc * New York