Discussion:
principal aliases?
Chris Hecker
2017-11-22 00:17:23 UTC
Are these supported? There's a krbPrincipalAliases in the krb5 ldap schema,
but I can't find any mention of them in the code, and online docs are
spotty. I was hoping to use them but it doesn't seem like they do anything
or are ever queried in the ldap kdb backend?

Oh, hmm, looks like this is a Heimdal thing, bummer.

https://www.openldap.org/lists/openldap-technical/201502/msg00053.html

Any plans for supporting this in MIT?

Thanks,
Chris
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Benjamin Kaduk
2017-11-22 00:40:12 UTC
They are only supported in the ldap backend, and you have to create
them out of band with an ldap editor. But once they are in ldap,
the KDC will use them.

-Ben
Chris Hecker
2017-11-22 00:43:58 UTC
Oh, really? That's cool, I couldn't find krbPrincipalAliases (case
insensitive) in the entire 1.15.2 source code except for the schema and
ldif files...how does that work? I don't mind creating them myself, no
problem.

Chris
Benjamin Kaduk
2017-11-22 00:53:04 UTC
The only documentation I know of is at the end of
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html .
There's probably other references in the list archives, though it's
unclear exactly how helpful they would be.

-Ben
Chris Hecker
2017-11-22 00:56:31 UTC
No, I meant, how does the KDC actually query for them since it doesn't
appear to be in the code anywhere I can find? I haven't set it up to test
yet, but I'm trying to see how it could possibly work when it's not in the
ldap queries...hopefully I'm missing something.

Chris
Chris Hecker
2017-11-22 00:59:11 UTC
There is code that checks krbCanonicalName...hmm, it looks like maybe for
MIT krbPrincipalName can have multiple entries and that's how aliases are
done and krbPrincipalAliases is only on Heimdal...

Chris
Simo Sorce
2017-11-22 01:32:20 UTC
This is right.
The way to do it is to set krbCanonicalName to the real name, and
krbPrincipalName then can contain any number of aliases. Note the
latter should also contain the canonical name and be a comprehensive
list.

Simo.
--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

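Added example for this thread (not code from MIT krb5 and not posted by anyone above). It covers both Ben's point that aliases are created out of band with an LDAP editor and Simo's layout rule: krbCanonicalName holds the real name, and krbPrincipalName holds the complete list of names, canonical plus aliases. The realm EXAMPLE.COM, the container dc=example,dc=com, the principal names and the admin DN are placeholders; the two LDIF entries at the bottom are constructed samples, not output from a real directory.

```sh
#!/bin/sh
# Added example for this thread; not code from MIT krb5 or from any poster.
# Layout as Simo describes it: krbCanonicalName = the real name,
# krbPrincipalName = every name (canonical plus aliases).
# EXAMPLE.COM, dc=example,dc=com and all principal names are placeholders.

# build_alias_ldif DN CANONICAL [ALIAS...]
# Print an ldapmodify LDIF that sets krbCanonicalName and replaces the whole
# krbPrincipalName value list. "replace" rather than "add" is used so that
# re-running it against an entry that already carries some of the names does
# not fail with "attribute or value exists", and so the list stays complete.
build_alias_ldif() {
    dn=$1
    canon=$2
    shift 2
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: krbCanonicalName\n'
    printf 'krbCanonicalName: %s\n' "$canon"
    printf '%s\n' -
    printf 'replace: krbPrincipalName\n'
    printf 'krbPrincipalName: %s\n' "$canon"
    for alias in "$@"; do
        printf 'krbPrincipalName: %s\n' "$alias"
    done
    printf '%s\n' -
}

# check_alias_entry
# Read one LDIF entry on stdin (for instance ldapsearch output for a principal)
# and succeed only if exactly one krbCanonicalName is present and that value
# also appears among the krbPrincipalName values. Attribute names are matched
# case-sensitively here, spelled as they appear in the krb5 schema.
check_alias_entry() {
    entry=$(cat)
    canon=$(printf '%s\n' "$entry" | sed -n 's/^krbCanonicalName: //p')
    [ "$(printf '%s\n' "$canon" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$entry" | sed -n 's/^krbPrincipalName: //p' | grep -qxF "$canon"
}

# Constructed sample entries, not taken from a real directory.
GOOD_ENTRY='dn: krbPrincipalName=host/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
krbCanonicalName: host/www.example.com@EXAMPLE.COM
krbPrincipalName: host/www.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/www.example.com@EXAMPLE.COM
krbPrincipalName: host/web.example.com@EXAMPLE.COM'

# Same entry with the canonical name left out of krbPrincipalName: the list
# is not comprehensive, which is the mistake Simo warns about.
BAD_ENTRY='dn: krbPrincipalName=host/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
krbCanonicalName: host/www.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/www.example.com@EXAMPLE.COM'

# Usage: generate the LDIF, check it, then hand it to ldapmodify (not run here).
if [ "${1:-}" = "demo" ]; then
    build_alias_ldif \
        'krbPrincipalName=host/www.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com' \
        'host/www.example.com@EXAMPLE.COM' \
        'HTTP/www.example.com@EXAMPLE.COM' 'host/web.example.com@EXAMPLE.COM' \
        | tee aliases.ldif | check_alias_entry && echo "aliases.ldif is consistent"
    # ldapmodify -x -D cn=admin,dc=example,dc=com -W -f aliases.ldif
fi
```

Run check_alias_entry against an ldapsearch dump of each aliased principal after the modify, since nothing in kadmin will complain if krbPrincipalName is missing the canonical name. Test both a service alias and a client alias before relying on it; the conf_ldap page Ben linked is the reference for how the KDC treats each kind.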