(Reposted to the list rather than just to Michael, sorry about that.)

On Wed, Feb 11 2015 at 16:24:09 +0100, Michael Ströder scribbled in "Re: LDAP searches for Kerberos entries":
> Simo Sorce wrote:
> > On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
> >> HI!
> >>
> >> Maybe some of you are using MIT Kerberos with LDAP backend.
> >>
> >> For creating a decent web2ldap search form template for the
> >> Kerberos schema I'd like to know which kind of searches you
> >> usually do when looking into your backend via LDAP.
> >>
> >> Which attributes are you usually using in the search? Which
> >> filters do you hack on command-line?
> >>
> >> Well, 'krbPrincipalName' will of course be the most used search
> >> attribute. The default equality matching rule is
> >> caseExactIA5Match, so for convenience I'd add something to use
> >> caseIgnoreIA5Match without the user having to select that
> >> himself.
> >
> > You should also search on KrbCanonicalName if you need exact
> > matching, krbPrincipalName is multivalued and may contain aliases.
>
> Thanks, added it.
>
> What about 'krbPrincipalAliases'? Is that actually used?
That depends on whether you're using MIT or Heimdal for your KDCs. IIRC krbPrincipalAliases refers to a feature of Heimdal's implementation that MIT doesn't have, namely the ability for a principal to have one or more aliases (so host/foo.example.com could also have HTTP/foo.example.com and ldap/foo.example.com all refer to the same principal in the KDB). If you're using an MIT realm, you probably don't need it.

Cheers.

Dameon.

-- 
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
Dameon Wagner, Systems Development and Support Team
IT Services, University of Oxford
><> ><> ><> ><> ><> ><> ooOoo <>< <>< <>< <>< <>< <><
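The two search styles discussed in this thread (an exact lookup on the single-valued krbCanonicalName, versus a case-insensitive lookup on the multi-valued krbPrincipalName by naming caseIgnoreIA5Match explicitly as an RFC 4515 extensible-match rule, since the attribute's default equality rule is caseExactIA5Match) are illustrated below. This is an added example, not code from the thread, web2ldap or MIT Kerberos; the attribute names come from the Kerberos LDAP schema as discussed above, the entries are constructed sample data, and the tiny filter evaluator is a stand-in for a real directory server that only understands the two filter shapes the builder emits. The escaping step is the part a search form must not skip: a principal name typed by a user goes straight into the filter, and an unescaped `*` or `)` would change the query.

```python
"""Build and check LDAP filters for Kerberos principal lookups.

Added example (not from the thread). Assumptions: the MIT Kerberos LDAP
schema attributes krbPrincipalName (multi-valued, may hold aliases, default
equality rule caseExactIA5Match) and krbCanonicalName (single-valued); the
sample entries and the toy evaluator below are constructed for illustration.
"""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for embedding in an LDAP search filter (RFC 4515 §3).

    Special characters and non-ASCII bytes become \\xx escapes. Without
    this a user-supplied '*' or ')(objectClass=*)' rewrites the filter.
    """
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))
        elif ord(ch) > 127:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def principal_filter(name: str, exact: bool = True) -> str:
    """exact=True : '(krbCanonicalName=<name>)'  - one principal, exact match.
    exact=False: '(krbPrincipalName:caseIgnoreIA5Match:=<name>)' - extensible
                 match naming the rule, so the default caseExactIA5Match is
                 overridden and aliases held in krbPrincipalName also match.
    Usable as-is with e.g. ldapsearch -b <base> "$(…)" krbPrincipalName.
    """
    v = escape_filter_value(name)
    if exact:
        return '(krbCanonicalName=%s)' % v
    return '(krbPrincipalName:caseIgnoreIA5Match:=%s)' % v


# Constructed sample data: one host principal with two service aliases
# (the Heimdal-style alias layout described in the reply) and a user.
SAMPLE_ENTRIES = [
    {
        'dn': 'krbPrincipalName=host/foo.example.com@EXAMPLE.COM,'
              'cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com',
        'krbCanonicalName': ['host/foo.example.com@EXAMPLE.COM'],
        'krbPrincipalName': ['host/foo.example.com@EXAMPLE.COM',
                             'HTTP/foo.example.com@EXAMPLE.COM',
                             'ldap/foo.example.com@EXAMPLE.COM'],
    },
    {
        'dn': 'krbPrincipalName=alice@EXAMPLE.COM,'
              'cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com',
        'krbCanonicalName': ['alice@EXAMPLE.COM'],
        'krbPrincipalName': ['alice@EXAMPLE.COM'],
    },
]

# Parses only the two shapes principal_filter() emits:
#   (attr=value)  and  (attr:rule:=value)
_FILTER_RE = re.compile(
    r'^\((?P<attr>[A-Za-z][\w-]*)(?::(?P<rule>[A-Za-z]\w*):)?=(?P<val>.*)\)$')


def unescape_filter_value(value: str) -> str:
    """Reverse escape_filter_value(); \\xx escapes are reassembled as UTF-8."""
    raw = re.sub(r'\\([0-9a-fA-F]{2})',
                 lambda m: chr(int(m.group(1), 16)), value)
    return raw.encode('latin-1').decode('utf-8')


def search(entries, filt: str):
    """Toy evaluator standing in for the directory server: returns the DNs
    whose attribute has a value equal to the asserted value under the rule.
    Without a named rule the comparison is exact (assumed default for these
    IA5String attributes); escaped specials compare literally, never as
    wildcards."""
    m = _FILTER_RE.match(filt)
    if not m:
        raise ValueError('unsupported filter: %r' % filt)
    attr, rule = m.group('attr'), m.group('rule')
    wanted = unescape_filter_value(m.group('val'))
    if rule is None:
        same = lambda a, b: a == b
    elif rule == 'caseIgnoreIA5Match':
        same = lambda a, b: a.lower() == b.lower()
    else:
        raise ValueError('unsupported matching rule: %r' % rule)
    return [e['dn'] for e in entries
            if any(same(v, wanted) for v in e.get(attr, []))]


if __name__ == '__main__':
    # Alias lookup: only the case-insensitive krbPrincipalName search finds it.
    print(search(SAMPLE_ENTRIES, principal_filter('http/FOO.example.com@example.com', exact=False)))
    print(search(SAMPLE_ENTRIES, principal_filter('HTTP/foo.example.com@EXAMPLE.COM')))
    # A stray '*' is escaped, so it is looked up literally rather than as a wildcard.
    print(principal_filter('*', exact=False))
```

The exact form is what a KDC-side tool wants when it must not be fooled by an alias; the extensible-match form is the convenience search for a web form, and because the escaping is applied before the value is interpolated, a user typing `*` gets an empty result rather than a directory dump.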
