Hello, I just recently redid my krb5 setup to use LDAP as backend (for less hassle replication since the LDAP servers were already doing that) and I was wondering what the best/easiest ways were to deal with cases where multiple kerberos principals would be logically associated with a single account/LDAP object.

I set up the subtree searches when I ran krb5_ldap_util, and I was able to copy the relevant krb... attributes to my LDAP account and verified that kinit, kadmin and such all still work as expected. I know about the -x "dn=..." attribute for addprinc, etc., to use in kadmin to create the principals in the proper part of the LDAP subtree (for me, ou=People,...) rather than manually copying the attributes, though I have yet to do so.

I am a little confused, though, as to how multiple principals can be stored with the same LDAP object, mostly for host principals like nfs/server.example....@example.com or host/server.example....@example.com. Both of them would logically go with the uid=server,ou=Devices,cn=example,cn=com object, but not all of the krb... attributes can be multi-valued. I assume that aliased principals would be similar?

If somebody could point me at an appropriate tutorial online, or otherwise explain how this is best accomplished, I would appreciate it.

(I'm running krb5+openldap on an Ubuntu 15.04, but the machines on the network are a hodgepodge of OS X, Ubuntu, OpenBSD, FreeBSD in various versions, and various Cisco and HP switches and routers, if that makes any difference.)

Thanks in advance!

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
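The post above describes using kadmin's `-x dn=...` option, which places a principal inside an existing LDAP object and therefore fits only one principal per object, since the key attributes are single-valued. The script below is an added example, not part of the original message or of the krb5 project, and it demonstrates the other option kadmin offers for the LDAP backend, `-x linkdn=dn`: each service principal is created as its own principal object under the KDC's configured container and is pointed at the device's existing LDAP entry, so several principals (here host/ and nfs/ for one server) can all reference the same object. The realm, the `ou=Devices,dc=example,dc=com` base and the host name are placeholders; `DRY_RUN=1` (the default) only prints the kadmin.local commands, and `DRY_RUN=0` runs them on a KDC that uses krb5's LDAP backend. For aliases, krb5's LDAP module instead keeps one principal object with a `krbCanonicalName` and several `krbPrincipalName` values, which is a separate mechanism from linking and is not shown here.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the kadmin.local commands
# that attach several service principals for one host to a single LDAP device
# object via the LDAP backend's "-x linkdn=" option. Each principal becomes its
# own krbPrincipal object under the KDC's container and points at the device DN.
# Assumptions: krb5 KDC with the LDAP backend; REALM and DEVICES_BASE are placeholders.

REALM="${REALM:-EXAMPLE.COM}"
DEVICES_BASE="${DEVICES_BASE:-ou=Devices,dc=example,dc=com}"   # placeholder base DN
DRY_RUN="${DRY_RUN:-1}"                                         # 1 = print only

# device_dn <shortname>: DN of the existing device object, e.g. uid=server,ou=Devices,...
device_dn() {
  printf 'uid=%s,%s\n' "$1" "$DEVICES_BASE"
}

# addprinc_cmd <service> <fqdn> <linkdn>: one kadmin.local command line.
# -randkey: host/service principals get a random key (exported later with ktadd).
# -x linkdn=DN: link the new principal object to the device entry instead of
#               storing the krb* attributes inside it.
addprinc_cmd() {
  printf 'addprinc -randkey -x linkdn=%s %s/%s@%s\n' "$3" "$1" "$2" "$REALM"
}

# link_host_principals <shortname> <fqdn> <service>...: create (or print) one
# linked principal per service name for the given host.
link_host_principals() {
  short=$1
  fqdn=$2
  shift 2
  dn=$(device_dn "$short")
  for svc in "$@"; do
    cmd=$(addprinc_cmd "$svc" "$fqdn" "$dn")
    if [ "$DRY_RUN" = 1 ]; then
      printf '%s\n' "$cmd"
    else
      kadmin.local -q "$cmd"
    fi
  done
}

# Example run: host/ and nfs/ principals for server.example.com, both linked
# to uid=server,ou=Devices,dc=example,dc=com (placeholder values).
link_host_principals server server.example.com host nfs
```

After the principals exist, `kadmin.local -q "getprinc host/server.example.com@EXAMPLE.COM"` and an `ldapsearch` on the KDC's principal container will show them as separate entries, while the device object under ou=Devices keeps only its own attributes.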