I own the following ticket https://fedorahosted.org/freeipa/ticket/3864 and I would like to clarify what needs to be done in order to make IPA fully support multiple aliases per entry.

So far I have identified these tasks based on the ticket comments and a discussion with Simo way back in the past:

1.) mark 'ipaKrbPrincipalAlias' attribute as deprecated so that it is not used in the new code.

2.) fix ACIs that do not permit setting multiple values of the 'krbPrincipalName' attribute per entry (see https://fedorahosted.org/freeipa/ticket/3961)

3.) Modify KDB backend (namely 'ipadb_fetch_principal' and 'ipadb_find_principal' functions) to correctly perform lookup of krbprincipalname/krbcanonicalname, i.e. search krbprincipalname case-insensitively and krbcanonicalname case-sensitively, return krbcanonicalname when canonicalization is requested.

4.) Modify KDB backend and IPA framework to handle creation of both krbprincipalname and krbcanonicalname. I am not quite sure what cases should be covered here (I remember that we should create krbcanonicalname when we add another alias to krbprincipalname), so it would be nice if you could comment on this.

5.) write tests which cover all this stuff so that we don't shoot ourselves in the foot.

I am not very well versed in Kerberos so I might get some of this stuff wrong. If that's the case please point me in the right direction. Also please write me about any additional stuff which I have forgotten and which needs to be done.
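As an added illustration of the lookup rule in step 3 and the creation rule in step 4 (example code written for this page, not FreeIPA's ipa-kdb or framework code), the following Python model resolves a requested principal against entries carrying several krbprincipalname values and one krbcanonicalname. Everything beyond what the mail states is an assumption and is marked as such in the code: the whole "name@REALM" string is folded for the case-insensitive alias match, the requested name is echoed back unchanged when canonicalization is not requested, an entry's single existing krbprincipalname is promoted to krbcanonicalname the first time an extra alias is added, a new alias that already resolves to some entry is refused, and the sample entries and DNs are constructed for the demonstration.

```python
# Added example, not FreeIPA code: a small model of the lookup (step 3)
# and alias-creation (step 4) rules from the mail above. Entries, DNs,
# principal names and the error classes are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    """One directory entry as the KDB backend would see it."""
    dn: str
    krbprincipalname: List[str]             # multi-valued: the aliases
    krbcanonicalname: Optional[str] = None  # single-valued, may be unset


@dataclass
class Lookup:
    entry: Entry
    name: str  # the principal name handed back to the KDC


class PrincipalNotFound(LookupError):
    pass


class AmbiguousPrincipal(LookupError):
    pass


def _alias_matches(entry: Entry, requested: str) -> bool:
    # krbprincipalname is compared case-insensitively (step 3). Assumption:
    # the whole "name@REALM" string is folded, realm included.
    wanted = requested.casefold()
    return any(alias.casefold() == wanted for alias in entry.krbprincipalname)


def find_principal(entries: List[Entry], requested: str,
                   canonicalize: bool = False) -> Lookup:
    """Model of the step 3 lookup: case-sensitive match on krbcanonicalname,
    case-insensitive match on any krbprincipalname value."""
    matches = [e for e in entries
               if e.krbcanonicalname == requested or _alias_matches(e, requested)]
    if not matches:
        raise PrincipalNotFound(requested)
    if len(matches) > 1:
        # Two entries answering to one name would let a client obtain
        # tickets for the wrong account; refuse rather than pick one.
        raise AmbiguousPrincipal(requested)
    entry = matches[0]
    if canonicalize and entry.krbcanonicalname is not None:
        return Lookup(entry, entry.krbcanonicalname)
    # Assumption: without canonicalization the name is echoed back exactly
    # as the client requested it.
    return Lookup(entry, requested)


def add_alias(entries: List[Entry], entry: Entry, alias: str) -> Entry:
    """Model of step 4. Assumption (the mail is unsure here): the first time
    an extra alias is added to an entry without krbcanonicalname, its single
    existing krbprincipalname becomes the canonical name."""
    try:
        find_principal(entries, alias)
    except PrincipalNotFound:
        pass
    else:
        # Assumption: an alias that already resolves anywhere is rejected,
        # otherwise later lookups would become ambiguous.
        raise ValueError(f"{alias} already resolves to an entry")
    if entry.krbcanonicalname is None:
        if len(entry.krbprincipalname) != 1:
            raise ValueError("cannot pick a canonical name automatically")
        entry.krbcanonicalname = entry.krbprincipalname[0]
    entry.krbprincipalname.append(alias)
    return entry


# Constructed sample directory.
DIRECTORY = [
    Entry("fqdn=web.example.test,cn=computers,cn=accounts,dc=example,dc=test",
          ["host/web.example.test@EXAMPLE.TEST",
           "HTTP/web.example.test@EXAMPLE.TEST"],
          "host/web.example.test@EXAMPLE.TEST"),
    Entry("uid=alice,cn=users,cn=accounts,dc=example,dc=test",
          ["alice@EXAMPLE.TEST"]),
    # Constructed so the canonical name is not also an alias, which shows
    # the case-sensitive rule for krbcanonicalname in isolation.
    Entry("cn=legacy,cn=services,cn=accounts,dc=example,dc=test",
          ["legacy@EXAMPLE.TEST"],
          "svc/legacy.example.test@EXAMPLE.TEST"),
]


if __name__ == "__main__":
    r = find_principal(DIRECTORY, "http/WEB.example.test@EXAMPLE.TEST",
                       canonicalize=True)
    print(r.name)
    add_alias(DIRECTORY, DIRECTORY[1], "alice.smith@EXAMPLE.TEST")
    print(DIRECTORY[1].krbcanonicalname)
```

The ambiguity check is the part worth keeping whatever the final design looks like: once aliases are matched case-insensitively, two entries that differ only in case of an alias become indistinguishable to the KDC, so the write path (add_alias here) has to refuse such aliases and the read path has to fail closed if it ever sees more than one match.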

