On Mon, 2016-04-11 at 16:29 +0200, thierry bordaz wrote:
>
> On 04/08/2016 05:10 PM, Martin Babinsky wrote:
> > Hi list,
> >
> > I have put together a draft outlining the effort to reimplement
> > the handling of Kerberos principals in both backend and frontend
> > layers of FreeIPA so that we may have multiple aliases per user, host
> > or service and thus implement stuff like
> > https://fedorahosted.org/freeipa/ticket/3961 and
> > https://fedorahosted.org/freeipa/ticket/5413 .
> >
> > Since much of the plumbing was already implemented, the document
> > mainly describes what the patches do. Some parts required by other use
> > cases may be missing so please point these out.
> >
> > I would also be happy if you could correct all factual inaccuracies, I
> > did research on this issue a long time ago and my knowledge turned a
> > bit rusty.
> >
> > http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> > https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html
> >
> Hi Martin,
>
> Currently DS is enforcing that 'krbPrincipalName' and
> 'krbCanonicalName' are unique.
> krbPrincipalName is caseExactIA5Match.
> Is it possible to imagine entries having the same (IgnoreCase) alias:
>
> dn: uid=user_one,cn=users,cn=accounts,<suffix>
> ...
> krbCanonicalName: user_one@<realm>
> krbPrincipalName: user_one@<realm>
> krbPrincipalName: user_ONE@<realm>
>
> dn: uid=user_two,cn=users,cn=accounts,<suffix>
> ...
> krbCanonicalName: user_two@<realm>
> krbPrincipalName: user_two@<realm>
> krbPrincipalName: user_TWO@<realm>
> krbPrincipalName: *user_**One*@<realm>
>
> So KDB, searching as case insensitive
> "krbPrincipalName:caseIgnoreIA5Match:=USER_one@<realm>" will
> retrieve user_one and user_two ?

Yes, but it is an error to have the same alias (differing just by case)
on two distinct principals. So this is an error condition not an
expected use case.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
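
As an added example (not code from this thread or from FreeIPA), one way to audit a directory export for the error condition discussed above: krbPrincipalName values that differ only by case but sit on distinct entries. The realm `EXAMPLE.TEST`, the suffix `dc=example,dc=test`, the sample LDIF and the function names are assumptions made for illustration.

```python
"""Find krbPrincipalName aliases that collide case-insensitively across entries."""
from collections import defaultdict

# Constructed sample mirroring the two entries quoted in the thread;
# EXAMPLE.TEST and dc=example,dc=test are placeholder realm/suffix values.
SAMPLE_LDIF = """\
dn: uid=user_one,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: user_one@EXAMPLE.TEST
krbPrincipalName: user_one@EXAMPLE.TEST
krbPrincipalName: user_ONE@EXAMPLE.TEST

dn: uid=user_two,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: user_two@EXAMPLE.TEST
krbPrincipalName: user_two@EXAMPLE.TEST
krbPrincipalName: user_TWO@EXAMPLE.TEST
krbPrincipalName: user_One@EXAMPLE.TEST
"""

def parse_entries(ldif_text):
    """Yield (dn, [krbPrincipalName values]) per blank-line-separated entry.
    Handles plain 'attr: value' lines only (no base64 '::' or folded lines)."""
    for block in ldif_text.strip().split("\n\n"):
        dn, names = None, []
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or value.startswith(":"):
                continue  # not an attribute line, or base64-encoded value
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value
            elif attr == "krbprincipalname":
                names.append(value)
        if dn:
            yield dn, names

def find_case_collisions(ldif_text):
    """Return {folded_alias: {dn: [spellings]}} for aliases on more than one entry."""
    owners = defaultdict(lambda: defaultdict(list))
    for dn, names in parse_entries(ldif_text):
        for name in names:
            # IA5 is ASCII, so lower() approximates caseIgnoreIA5Match folding
            # (whitespace normalisation is not modelled here).
            owners[name.lower()][dn].append(name)
    return {alias: dict(dns) for alias, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for alias, dns in find_case_collisions(SAMPLE_LDIF).items():
        print(f"case-insensitive collision on {alias}:")
        for dn, spellings in dns.items():
            print(f"  {dn}: {spellings}")
```

Two case variants on the same entry (user_two / user_TWO) are not reported; only an alias shared by distinct entries is.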