principal aliases?


principal aliases?

Chris Hecker
Are these supported? There's a krbPrincipalAliases in the krb5 ldap schema,
but I can't find any mention of them in the code, and online docs are
spotty.  I was hoping to use them but it doesn't seem like they do anything
or are ever queried in the ldap kdb backend?

Oh, hmm, looks like this is a Heimdal thing, bummer.

https://www.openldap.org/lists/openldap-technical/201502/msg00053.html

Any plans for supporting this in MIT?

Thanks,
Chris
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: principal aliases?

Benjamin Kaduk
On Tue, Nov 21, 2017 at 04:17:23PM -0800, Chris Hecker wrote:

> Are these supported? There's a krbPrincipalAliases in the krb5 ldap schema,
> but I can't find any mention of them in the code, and online docs are
> spotty.  I was hoping to use them but it doesn't seem like they do anything
> or are ever queried in the ldap kdb backend?
>
> Oh, hmm, looks like this is a Heimdal thing, bummer.
>
> https://www.openldap.org/lists/openldap-technical/201502/msg00053.html
>
> Any plans for supporting this in MIT?

They are only supported in the ldap backend, and you have to create
them out of band with an ldap editor.  But once they are in ldap,
the KDC will use them.

-Ben

Re: principal aliases?

Chris Hecker
Oh, really?  That's cool, I couldn't find krbPrincipalAliases (case
insensitive) in the entire 1.15.2 source code except for the schema and
ldif files...how does that work?  I don't mind creating them myself, no
problem.

Chris

On Tue, Nov 21, 2017 at 4:40 PM, Benjamin Kaduk <[hidden email]> wrote:

> On Tue, Nov 21, 2017 at 04:17:23PM -0800, Chris Hecker wrote:
> > Are these supported? There's a krbPrincipalAliases in the krb5 ldap
> schema,
> > but I can't find any mention of them in the code, and online docs are
> > spotty.  I was hoping to use them but it doesn't seem like they do
> anything
> > or are ever queried in the ldap kdb backend?
> >
> > Oh, hmm, looks like this is a Heimdal thing, bummer.
> >
> > https://www.openldap.org/lists/openldap-technical/201502/msg00053.html
> >
> > Any plans for supporting this in MIT?
>
> They are only supported in the ldap backend, and you have to create
> them out of band with an ldap editor.  But once they are in ldap,
> the KDC will use them.
>
> -Ben
>

Re: principal aliases?

Benjamin Kaduk
On Tue, Nov 21, 2017 at 04:43:58PM -0800, Chris Hecker wrote:
> Oh, really?  That's cool, I couldn't find krbPrincipalAliases (case
> insensitive) in the entire 1.15.2 source code except for the schema and
> ldif files...how does that work?  I don't mind creating them myself, no
> problem.

The only documentation I know of is at the end of
http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html .
There's probably other references in the list archives, though it's
unclear exactly how helpful they would be.

-Ben

Re: principal aliases?

Chris Hecker
No, I meant, how does the KDC actually query for them since it doesn't
appear to be in the code anywhere I can find?  I haven't set it up to test
yet, but I'm trying to see how it could possibly work when it's not in the
ldap queries...hopefully I'm missing something.

Chris


On Tue, Nov 21, 2017 at 4:53 PM, Benjamin Kaduk <[hidden email]> wrote:

> On Tue, Nov 21, 2017 at 04:43:58PM -0800, Chris Hecker wrote:
> > Oh, really?  That's cool, I couldn't find krbPrincipalAliases (case
> > insensitive) in the entire 1.15.2 source code except for the schema and
> > ldif files...how does that work?  I don't mind creating them myself, no
> > problem.
>
> The only documentation I know of is at the end of
> http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html .
> There's probably other references in the list archives, though it's
> unclear exactly how helpful they would be.
>
> -Ben
>

Re: principal aliases?

Chris Hecker
There is code that checks krbCanonicalName...hmm, it looks like maybe for
MIT krbPrincipalName can have multiple entries and that's how aliases are
done and krbPrincipalAliases is only on Heimdal...

Chris


On Tue, Nov 21, 2017 at 4:56 PM, Chris Hecker <[hidden email]> wrote:

> No, I meant, how does the KDC actually query for them since it doesn't
> appear to be in the code anywhere I can find?  I haven't set it up to test
> yet, but I'm trying to see how it could possibly work when it's not in the
> ldap queries...hopefully I'm missing something.
>
> Chris
>
>
> On Tue, Nov 21, 2017 at 4:53 PM, Benjamin Kaduk <[hidden email]> wrote:
>
>> On Tue, Nov 21, 2017 at 04:43:58PM -0800, Chris Hecker wrote:
>> > Oh, really?  That's cool, I couldn't find krbPrincipalAliases (case
>> > insensitive) in the entire 1.15.2 source code except for the schema and
>> > ldif files...how does that work?  I don't mind creating them myself, no
>> > problem.
>>
>> The only documentation I know of is at the end of
>> http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html .
>> There's probably other references in the list archives, though it's
>> unclear exactly how helpful they would be.
>>
>> -Ben
>>
>
>

Re: principal aliases?

Simo Sorce
This is right.
The way to do it is to set krbCanonicalName to the real name, and
krbPrincipalName then can contain any number of aliases. Note the
latter should also contain the canonical name and be a comprehensive
list.

Simo.

On Tue, 2017-11-21 at 16:59 -0800, Chris Hecker wrote:

> There is code that checks krbCanonicalName...hmm, it looks like maybe for
> MIT krbPrincipalName can have multiple entries and that's how aliases are
> done and krbPrincipalAliases is only on Heimdal...
>
> Chris
>
>
> On Tue, Nov 21, 2017 at 4:56 PM, Chris Hecker <[hidden email]> wrote:
>
> > No, I meant, how does the KDC actually query for them since it doesn't
> > appear to be in the code anywhere I can find?  I haven't set it up to test
> > yet, but I'm trying to see how it could possibly work when it's not in the
> > ldap queries...hopefully I'm missing something.
> >
> > Chris
> >
> >
> > On Tue, Nov 21, 2017 at 4:53 PM, Benjamin Kaduk <[hidden email]> wrote:
> >
> > > On Tue, Nov 21, 2017 at 04:43:58PM -0800, Chris Hecker wrote:
> > > > Oh, really?  That's cool, I couldn't find krbPrincipalAliases (case
> > > > insensitive) in the entire 1.15.2 source code except for the schema and
> > > > ldif files...how does that work?  I don't mind creating them myself, no
> > > > problem.
> > >
> > > The only documentation I know of is at the end of
> > > http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html .
> > > There's probably other references in the list archives, though it's
> > > unclear exactly how helpful they would be.
> > >
> > > -Ben
> > >
> >
> >
>

--
Simo Sorce
Sr. Principal Software Engineer
Red Hat, Inc

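The alias layout Ben and Simo describe (krbCanonicalName holds the real name, krbPrincipalName holds the full list of names including the canonical one), shown as an added example that is not from this thread or from the krb5 project: a constructed LDIF fragment for two principal entries, a checker for Simo's rule, and an alias-to-canonical map of the kind a KDC lookup needs. The DN layout, realm, host names and the second entry's deliberate mistake are all made up; only the attribute names krbCanonicalName and krbPrincipalName come from the thread.

```python
# Constructed LDIF fragment (not from the thread): two MIT krb5 principal
# entries with made-up DN, realm and names. The second entry breaks the
# rule stated in the thread: its krbPrincipalName list omits the canonical name.
SAMPLE_LDIF = """\
dn: krbPrincipalName=host/web1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
krbCanonicalName: host/web1.example.com@EXAMPLE.COM
krbPrincipalName: host/web1.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/www.example.com@EXAMPLE.COM
krbPrincipalName: host/web.example.com@EXAMPLE.COM

dn: krbPrincipalName=host/db1.example.com@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
krbCanonicalName: host/db1.example.com@EXAMPLE.COM
krbPrincipalName: HTTP/db.example.com@EXAMPLE.COM
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'
    lines; repeated attributes become lists (no '::' or line folding)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def alias_problems(entry):
    """Apply the thread's rule: exactly one krbCanonicalName, and the
    krbPrincipalName list must include the canonical name itself."""
    canon = entry.get("krbCanonicalName", [])
    names = entry.get("krbPrincipalName", [])
    if len(canon) != 1:
        return ["expected exactly one krbCanonicalName"]
    if canon[0] not in names:
        return ["krbPrincipalName omits the canonical name"]
    return []

def build_alias_map(entries):
    """Map every krbPrincipalName value to its entry's krbCanonicalName,
    refusing an alias two entries both claim (the lookup would be ambiguous)."""
    alias_map = {}
    for entry in entries:
        canon = entry["krbCanonicalName"][0]
        for name in entry.get("krbPrincipalName", []):
            if alias_map.get(name, canon) != canon:
                raise ValueError("alias %s claimed by two entries" % name)
            alias_map[name] = canon
    return alias_map
```

Running alias_problems over an export of the krbContainer subtree before loading it is a cheap way to catch entries whose alias list was edited out of band and no longer includes the canonical name.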