On Mon, Dec 17, 2012 at 05:20:23PM -0800, Jim Shi wrote:
>
> Hi, I checked the KDC source code, it seems to have code to
> support database-based mapping of principal names to unix account
> names.
> But I can not find any document to configure KDC to use it. Where
> can I find the information? Can someone please tell me how to
> configure KDC to use database mapping as well as to setup the
> mapping database?

If you are talking about the ANAME_DB logic, that's in the client libraries, not the KDCs. There was a discussion about it a while ago:

http://mailman.mit.edu/pipermail/krbdev/2010-September/009417.html

I don't think that the patch proposed was integrated but I may have missed it.

In the current development sources, Heimdal has a plugin architecture for both krb5_aname_to_lname() and krb5_kuserok() which can consult databases, though, if that is an option. You can use CDB for krb5_aname_to_lname() by using the following plugin:

https://github.com/elric1/h5l_an2ln_cdb

This will provide a simple mapping from authenticated names (i.e. Kerberos principals) to local names (i.e. UNIX accounts).

--
Roland Dowdeswell http://Imrryr.ORG/~elric/