
Re: LDAP searches for Kerberos entries



(Reposted to the list rather than just to Michael, sorry about that.)

On Wed, Feb 11 2015 at 16:24:09 +0100, Michael Ströder scribbled
 in "Re: LDAP searches for Kerberos entries":
> Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the
> >> Kerberos schema I'd like to know which kind of searches you
> >> usually do when looking into your backend via LDAP.
> >>
> >> Which attributes are you usually using in the search?  Which
> >> filters do you hack on command-line?
> >>
> >> Well, 'krbPrincipalName' will of course be the most used search
> >> attribute. The default equality matching rule is
> >> caseExactIA5Match, so for convenience I'd add something to use
> >> caseIgnoreIA5Match without the user having to select that
> >> himself.
> > 
> > You should also search on KrbCanonicalName if you need exact
> > matching, krbPrincipalName is multivalued and may contain aliases.
> 
> Thanks, added it.
> 
> What about 'krbPrincipalAliases'? Is that actually used?

That depends on whether you're using MIT or Heimdal for your
KDCs.

IIRC krbPrincipalAliases refers to a feature of Heimdal's
implementation that MIT doesn't have, namely the ability for a
principal to have one or more aliases (so host/foo.example.com could
also have HTTP/foo.example.com and ldap/foo.example.com all
refer to the same principal in the KDB).

If you're using an MIT realm, you probably don't need it.

Cheers.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
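An added example, not code from this thread or from web2ldap, that puts the two points of the exchange side by side: searching on krbCanonicalName gives an exact match, while krbPrincipalName is multi-valued and also matches aliases; and the default caseExactIA5Match rule can be swapped for caseIgnoreIA5Match with the RFC 4515 extensible-match filter form (attr:rule:=value). It also escapes the assertion value, which matters when the principal name comes from a search form. Instead of a real directory it evaluates the filters against a few constructed entries in the MIT-style layout; the realm, the container DN and the entry contents are assumptions, and the evaluator only understands the two filter shapes the helpers produce.

```python
# Added example, not from the mailing-list thread: build LDAP search filters
# for Kerberos principal entries and evaluate them against constructed entries.
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}

def escape_filter_value(value: str) -> str:
    """Escape a value so that form input cannot change the filter's structure."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in value)

def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used only by the toy evaluator below."""
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def exact_filter(principal: str) -> str:
    """krbCanonicalName holds only the canonical name, so equality on it is exact."""
    return f"(krbCanonicalName={escape_filter_value(principal)})"

def alias_filter(principal: str, case_insensitive: bool = False) -> str:
    """krbPrincipalName may hold aliases; equality on it matches any of them.

    Its default equality rule is caseExactIA5Match. The extensible-match
    form (attr:rule:=value) names caseIgnoreIA5Match explicitly when a
    case-insensitive lookup is wanted.
    """
    value = escape_filter_value(principal)
    if case_insensitive:
        return f"(krbPrincipalName:caseIgnoreIA5Match:={value})"
    return f"(krbPrincipalName={value})"

# Toy evaluator covering only the two filter shapes produced above.
_FILTER = re.compile(r'^\((?P<attr>[A-Za-z][\w-]*)(?::(?P<rule>[\w.]+):)?=(?P<value>.*)\)$')

def matches(entry: dict, filt: str) -> bool:
    m = _FILTER.match(filt)
    if m is None:
        raise ValueError(f"unsupported filter: {filt}")
    attr, rule = m.group('attr'), m.group('rule')
    value = unescape_filter_value(m.group('value'))
    values = entry.get(attr, [])
    if rule == 'caseIgnoreIA5Match':
        return any(v.lower() == value.lower() for v in values)
    # Default equality rule for these IA5String attributes: caseExactIA5Match.
    return value in values

def search(entries: list, filt: str) -> list:
    """Return the DNs of the entries matched by filt, sorted for stable output."""
    return sorted(e['dn'] for e in entries if matches(e, filt))

# Constructed entries (assumption): krbCanonicalName single-valued,
# krbPrincipalName multi-valued with the host aliases named in the thread.
BASE = "cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com"
ENTRIES = [
    {
        'dn': f"krbPrincipalName=host/foo.example.com@EXAMPLE.COM,{BASE}",
        'krbCanonicalName': ['host/foo.example.com@EXAMPLE.COM'],
        'krbPrincipalName': ['host/foo.example.com@EXAMPLE.COM',
                             'HTTP/foo.example.com@EXAMPLE.COM',
                             'ldap/foo.example.com@EXAMPLE.COM'],
    },
    {
        'dn': f"krbPrincipalName=alice@EXAMPLE.COM,{BASE}",
        'krbCanonicalName': ['alice@EXAMPLE.COM'],
        'krbPrincipalName': ['alice@EXAMPLE.COM'],
    },
]

if __name__ == '__main__':
    alias = 'HTTP/foo.example.com@EXAMPLE.COM'
    for f in (exact_filter(alias), alias_filter(alias),
              alias_filter(alias.lower()),
              alias_filter(alias.lower(), case_insensitive=True)):
        print(f"{f:60} -> {search(ENTRIES, f)}")
```

Run as a script it shows that the alias HTTP/foo.example.com@EXAMPLE.COM is not found through krbCanonicalName, is found through krbPrincipalName, is missed again when the case differs under the default rule, and is found once caseIgnoreIA5Match is named in the filter. Against a live server the same filter strings go straight to ldapsearch or to a web2ldap template; the escaping step is the part worth keeping whenever the value is typed by a user.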