On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
> the principal is created under the realm's tree in ldap, and afterwards
> adding the principal to the ldap entry in question who it belongs to
> will make the KDC see it multiple times, but the one at the object's
> entry will not work obviously, because it's just the krbPrincipalName,
> without the actual additional stuff being there.

I'm having trouble following this part.  You should be able to create
principal entries with aliases as follows:

1. Create the principal under its canonical name with addprinc.
2. Add a krbCanonicalName attribute with the same value as the
   krbPrincipalName value.
3. Add additional krbPrincipalName values.

> So, I understand it has to be managed manually, I just don't see how
> such principal aliases should be created consistently and correctly. Could you
> please provide some words on this? Alas, I was not able to find this in the
> docs.

We need to improve our LDAP module documentation.  Unfortunately there
is some non-trivial groundwork to be done with the schema first.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
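
The three steps from the reply above, as an added example that is not part of the original message: step 1 is the kadmin `addprinc` call, and the function prints the LDIF for steps 2 and 3 so it can be reviewed before it is given to `ldapmodify`. The function name `alias_ldif`, the entry DN, the realm and the principal names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Step 1 of the reply is done in kadmin:
#   addprinc alice@EXAMPLE.COM          (constructed principal name)
# alias_ldif prints the LDIF for steps 2 and 3 against that principal's entry.
# Assumes plain ASCII principal names (no base64 LDIF encoding is done).
#
# usage: alias_ldif ENTRY_DN CANONICAL_PRINCIPAL ALIAS [ALIAS...]
alias_ldif() {
    if [ "$#" -lt 3 ]; then
        echo "usage: alias_ldif ENTRY_DN CANONICAL_PRINCIPAL ALIAS..." >&2
        return 2
    fi
    dn=$1
    canon=$2
    shift 2

    case $canon in
        *@?*) ;;
        *) echo "canonical principal must be name@REALM: $canon" >&2; return 1 ;;
    esac

    # The canonical name is already a krbPrincipalName value after addprinc,
    # and LDAP rejects an add that repeats a value, so refuse duplicates here.
    dups=$(printf '%s\n' "$canon" "$@" | sort | uniq -d)
    if [ -n "$dups" ]; then
        echo "duplicate principal name: $dups" >&2
        return 1
    fi

    printf 'dn: %s\nchangetype: modify\n' "$dn"
    # Step 2: krbCanonicalName carries the same value as the original krbPrincipalName.
    printf 'add: krbCanonicalName\nkrbCanonicalName: %s\n-\n' "$canon"
    # Step 3: each alias becomes one more krbPrincipalName value on the same entry.
    printf 'add: krbPrincipalName\n'
    printf 'krbPrincipalName: %s\n' "$@"
}

# Constructed sample entry; review the output, then pipe it to ldapmodify.
alias_ldif "krbPrincipalName=alice@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com" \
    alice@EXAMPLE.COM al@EXAMPLE.COM a.smith@EXAMPLE.COM
```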