Elrond <[EMAIL PROTECTED]> writes:

> [...]
>> > Currently I'm interested in an attribute, that stores the
>> > kerberos' principal name, that relates to a DN/account.
>> >
>> > In hdb.schema this is krb5PrincipalName.
>>
>> I think you could write a new shisa module that would get the
>> information the KDC requests from shisa from the LDAP server. Copy
>> file.c and file.h into ldap.c and ldap.h and start modifying it... It
>> probably requires some work, but maybe I can assist you.
>
> Well, I don't want to write a full backend for shisa.
>
> I only want to put mappings into ldap.
>
> Think of mapping unix accounts (which are flat, no realm)
> to principals (which have a realm).
>
> Say I want to map unix user jas to [EMAIL PROTECTED] and unix
> user elrond to [EMAIL PROTECTED]
>
> uid: jas
> unknown: [EMAIL PROTECTED]
>
> uid: elrond
> unknown: [EMAIL PROTECTED]
>
> So what to use for "unknown"?
> My current best guess is "krb5PrincipalName".
Where does the unix username come from? Do you want the shishi client to convert the unix username 'jas' into [EMAIL PROTECTED] when it tries to get a ticket for a user? Shisa can't help you here, it is only used on the server. While the server could translate a request for jas with any realm into [EMAIL PROTECTED], it seems like a weird solution.

The default username in the client is computed by shishi_principal_default_guess () in principal.c. As you can see in shishi_principal_default(), you can override this by setting the environment variable SHISHI_USER.

I'm not sure I understand what you want. Perhaps you need a more intelligent guessing function on the client, possibly one that even consults a LDAP server? That could be added. However, there is a problem in authenticating and securing the LDAP connection, someone could MITM it and redirect your requests.

Just rambling now...

/Simon

_______________________________________________
Help-shishi mailing list
[email protected]
http://lists.gnu.org/mailman/listinfo/help-shishi
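The client-side lookup sketched in this thread, as an added illustration that is not Shishi code and not part of the original exchange: a flat unix account name is turned into a principal by consulting, in order, an explicit environment override (named SHISHI_USER here, after the variable Simon mentions), a directory entry carrying the krb5PrincipalName attribute Elrond proposes, and finally the uid joined with a default realm. The LDAP server is stood in for by an embedded, constructed LDIF string; the precedence order, the rule that a bare override gets the default realm appended, and the principal syntax check are this example's own assumptions, not Shishi behaviour. The syntax check exists because a mapping fetched over a connection that is not authenticated (the MITM concern raised above) should at least be rejected when it does not look like name[/instance]@REALM.

```python
"""Resolve a flat unix account name to a Kerberos principal.

Constructed example, not Shishi code. Three sources are consulted in order:
  1. an explicit environment override (SHISHI_USER, as in Shishi),
  2. a directory entry with krb5PrincipalName (hdb.schema), represented
     by an embedded LDIF string instead of a live LDAP connection,
  3. the unix uid joined with a default realm.
"""
import os
import re

# Constructed LDIF standing in for directory entries; values are examples only.
SAMPLE_LDIF = """\
dn: uid=jas,ou=People,dc=example,dc=org
uid: jas
krb5PrincipalName: jas@EXAMPLE.ORG

dn: uid=elrond,ou=People,dc=example,dc=org
uid: elrond
krb5PrincipalName: elrond@SAMBA.EXAMPLE.ORG

dn: uid=nobody,ou=People,dc=example,dc=org
uid: nobody
"""

# name[/instance]@REALM, with no whitespace and exactly one '@'
PRINCIPAL_RE = re.compile(r"^[^@/\s]+(/[^@\s]+)?@[A-Za-z0-9.-]+$")


def parse_ldif(text):
    """Return {uid: {attr: [values]}} for each entry in a minimal LDIF dump.

    Handles only the 'attr: value' form (no base64 '::' values and no line
    folding), which is all the mapping attributes discussed here need.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip(), []).append(value.strip())
        for uid in attrs.get("uid", []):
            entries[uid] = attrs
    return entries


def is_well_formed_principal(name):
    """Accept only name[/instance]@REALM so a mistyped or tampered directory
    value cannot hand the caller something that is not a principal."""
    return bool(PRINCIPAL_RE.match(name))


def resolve_principal(uid, directory, default_realm, environ=None):
    """Map a unix uid to a principal: override, then directory, then default.

    A bare override without '@' gets the default realm appended (this
    example's convention, not Shishi's documented behaviour).
    """
    environ = os.environ if environ is None else environ
    override = environ.get("SHISHI_USER")
    if override:
        return override if "@" in override else "%s@%s" % (override, default_realm)
    entry = directory.get(uid, {})
    for value in entry.get("krb5PrincipalName", []):
        if is_well_formed_principal(value):
            return value
    return "%s@%s" % (uid, default_realm)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("jas", "elrond", "nobody"):
        print(user, "->", resolve_principal(user, directory, "EXAMPLE.ORG", environ={}))
```

Run as a script it prints the three mappings; swapping the embedded LDIF for a real directory query is the part this thread leaves open, and the syntax check is only a sanity filter, not a substitute for authenticating the directory connection.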
