On 02/14/2015 02:20 AM, Gergely Czuczy wrote:
> So, actually there's a difference between an alias, and the -x linkdn=
> option?
> The alias is technically the very same principal, and addprinc -x
> linkdn= is a new principal, linked to an already existing entry in LDAP?
linkdn is totally differen
On 13/02/2015 18:46, Greg Hudson wrote:
> On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
>> So, this means, when adding an alias, additional work is not needed, just
>> another value for krbPrincipalName?
>> I had the impression that some additional stuff needs to be stored along
>> with the alias, l
On 02/13/2015 12:55 PM, Michael Ströder wrote:
> So the alias name is not cryptographically bound to the principal's key?
Not inherently, no.
If a principal's long-term key is based on a password, a salt is used to
increase the cost of dictionary attacks against multiple principals
(except for th
Greg Hudson wrote:
> On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
>> So, this means, when adding an alias, additional work is not needed, just
>> another value for krbPrincipalName?
>> I had the impression that some additional stuff needs to be stored along
>> with the alias, like, I don't know, key
On 02/13/2015 11:52 AM, Gergely Czuczy wrote:
> So, this means, when adding an alias, additional work is not needed, just
> another value for krbPrincipalName?
> I had the impression that some additional stuff needs to be stored along
> with the alias, like, I don't know, keys, or whatever stuff. Thi
On 2015-02-13 16:35, Greg Hudson wrote:
> On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
>> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
>> the principal is created under the realm's tree in ldap, and afterwards
>> adding the principal to the ldap entry in question who
On 02/13/2015 03:11 AM, Gergely Czuczy wrote:
> 2) If I addprinc an alias principal pure, or addprinc -x linkedn=, then
> the principal is created under the realm's tree in ldap, and afterwards
> adding the principal to the ldap entry in question who it belongs to
> will make the KDC seeing it mu
On 2015-02-12 17:38, Greg Hudson wrote:
> On 02/12/2015 03:28 AM, Gergely Czuczy wrote:
>> A bit off the topic, but please allow me a question here. I've noticed
>> that addprinc -x dn= only allows a single principal per entry, and -x
>> linkdn= does not put the krbPrincipalName into the specified
On Thu, 2015-02-12 at 17:57 +0100, Michael Ströder wrote:
> Simo Sorce wrote:
> > On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
> >> On 2015-02-11 15:25, Simo Sorce wrote:
> >>> You should also search on KrbCanonicalName if you need exact matching,
> >>> krbPrincipalName is multivalued a
Simo Sorce wrote:
> On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
>> On 2015-02-11 15:25, Simo Sorce wrote:
>>> You should also search on KrbCanonicalName if you need exact matching,
>>> krbPrincipalName is multivalued and may contain aliases.
>>
>> A bit off the topic, but please allow
On 02/12/2015 03:28 AM, Gergely Czuczy wrote:
> A bit off the topic, but please allow me a question here. I've noticed
> that addprinc -x dn= only allows a single principal per entry, and -x
> linkdn= does not put the krbPrincipalName into the specified entry. With
> utilizing the LDAP backend,
On Thu, 2015-02-12 at 09:28 +0100, Gergely Czuczy wrote:
> On 2015-02-11 15:25, Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form templat
On Wed, 2015-02-11 at 16:24 +0100, Michael Ströder wrote:
> Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the Kerberos s
Yes, this piqued my interest as well...
Chris
On Feb 12, 2015 12:30 AM, "Gergely Czuczy" wrote:
>
> On 2015-02-11 15:25, Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For c
On 2015-02-11 15:25, Simo Sorce wrote:
> On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
>> HI!
>>
>> Maybe some of you are using MIT Kerberos with LDAP backend.
>>
>> For creating a decent web2ldap search form template for the Kerberos schema
>> I'd like to know which kind of searches y
Simo Sorce wrote:
> On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
>> HI!
>>
>> Maybe some of you are using MIT Kerberos with LDAP backend.
>>
>> For creating a decent web2ldap search form template for the Kerberos schema
>> I'd like to know which kind of searches you usually do when loo
On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> HI!
>
> Maybe some of you are using MIT Kerberos with LDAP backend.
>
> For creating a decent web2ldap search form template for the Kerberos schema
> I'd like to know which kind of searches you usually do when looking into your
> backend
ldapsearch -x -H [ ldap://host.fqdn.name:389 | ldaps://host.fqdn.name:636 ]
-D "bind account from your config" -w [that account's password] -b [search
base like ou=People,dc=example,dc=com from your conf]
"(&(objectclass=person)(uid=[your username]))"
You can add -LLL after the -x to enable console
I use LDAP to store additional stuff about users, so the krb stuff is a
subtype (can't remember what the real term is) of my main record type. I
rarely search on the krb fields.
Chris
On Feb 4, 2015 12:09 PM, "Paul B. Henson" wrote:
> > From: Michael Ströder
> > Sent: Wednesday, February 04, 2
> From: Michael Ströder
> Sent: Wednesday, February 04, 2015 3:25 AM
>
> Maybe some of you are using MIT Kerberos with LDAP backend.
>
> For creating a decent web2ldap search form template for the Kerberos schema
> I'd like to know which kind of searches you usually do when looking into your
> ba
HI!
Maybe some of you are using MIT Kerberos with LDAP backend.
For creating a decent web2ldap search form template for the Kerberos schema
I'd like to know which kind of searches you usually do when looking into your
backend via LDAP.
Which attributes are you usually using in the search?
Which