From: Tom Yu
Date: Tue, 14 Apr 2009 21:07:31 +0000 (+0000)
Subject: pull up r22089 from trunk
X-Git-Tag: krb5-1.7-beta1~43
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=b8f045b6044d9cf00b4b22a0f24830b36a2d40e3;p=krb5.git

pull up r22089 from trunk
------------------------------------------------------------------------
r22089 | ghudson | 2009-03-15 00:15:16 -0400 (Sun, 15 Mar 2009) | 9 lines
Changed paths:
M /trunk/doc/admin.texinfo

ticket: 6419
subject: Document alias support in LDAP back end
tags: pullup
target_version: 1.7

Add a few paragraphs to the LDAP instructions on creating aliases
through direct manipulation of the LDAP data, and briefly explain when
aliases will be used.

ticket: 6419
version_fixed: 1.7

git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-7@22224 dc483132-0cff-0310-8789-dd5450dbe970
---

diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 1ce335797..8f5e69e8f 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -4039,6 +4039,26 @@ file. Add krb5principalname to the indexes in slapd.conf to speed up the access. @end enumerate +With the LDAP back end it is possible to provide aliases for principal +entries. Currently we provide no mechanism provided for creating +aliases, so it must be done by direct manipulation of the LDAP +entries. + +An entry with aliases contains multiple values of the krbPrincipalName +attribute. Since LDAP attribute values are not ordered, it is +necessary to specify which principal name is canonical, by using the +krbCanonicalName attribute. Therefore, to create aliases for an +entry, first set the krbCanonicalName attribute of the entry to the +canonical principal name (which should be identical to the +pre-existing krbPrincipalName value), and then add additional +krbPrincipalName attributes for the aliases. + +Principal aliases are only returned by the KDC when the client +requests canonicalization. Canonicalization is normally requested for +service principals; for client principals, an explicit flag is often +required (e.g. @code{kinit -C}) and canonicalization is only performed +for initial ticket requests. + @node Application Servers, Backups of Secure Hosts, Configuring Kerberos with OpenLDAP back-end, Top @chapter Application Servers
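Review bot: the first added paragraph has a doubled word, "Currently we provide no mechanism provided for creating aliases"; drop the second "provided" (e.g. "Currently there is no mechanism for creating aliases"). The second paragraph tells the administrator to set krbCanonicalName before adding extra krbPrincipalName values, but does not say what the KDC does with an entry that already carries several krbPrincipalName values and no krbCanonicalName; since the text itself notes that LDAP values are unordered, the behaviour in that case (which name is treated as canonical, or that the entry is rejected) is exactly what a reader doing the manual edit needs to know, so state it. The third paragraph says aliases are "only returned by the KDC when the client requests canonicalization"; it should also say what a request that names an alias without asking for canonicalization gets back, since an administrator deploying aliases for existing clients will want to know whether such requests fail or are served under the alias name.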