diff options
author | Greg Hudson <ghudson@mit.edu> | 2009-03-15 04:15:16 +0000 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2009-03-15 04:15:16 +0000 |
commit | 51e4d988e508897bb9255161838df86ecab3f8eb (patch) | |
tree | 872e7fe574f9fcdd2e82ed6ac485dd641217bd9e /doc | |
parent | 4125cc91be0ab7d4759492efbbeff4da73903ba8 (diff) | |
download | krb5-51e4d988e508897bb9255161838df86ecab3f8eb.zip krb5-51e4d988e508897bb9255161838df86ecab3f8eb.tar.gz krb5-51e4d988e508897bb9255161838df86ecab3f8eb.tar.bz2 |
Document alias support in LDAP back end
Add a few paragraphs to the LDAP instructions on creating aliases
through direct manipulation of the LDAP data, and briefly explain when
aliases will be used.
ticket: 6419
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22089 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r-- | doc/admin.texinfo | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 1ce3357..8f5e69e 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -4039,6 +4039,26 @@ file. Add krb5principalname to the indexes in slapd.conf to speed up the access. @end enumerate +With the LDAP back end it is possible to provide aliases for principal +entries. Currently we provide no mechanism provided for creating +aliases, so it must be done by direct manipulation of the LDAP +entries. + +An entry with aliases contains multiple values of the krbPrincipalName +attribute. Since LDAP attribute values are not ordered, it is +necessary to specify which principal name is canonical, by using the +krbCanonicalName attribute. Therefore, to create aliases for an +entry, first set the krbCanonicalName attribute of the entry to the +canonical principal name (which should be identical to the +pre-existing krbPrincipalName value), and then add additional +krbPrincipalName attributes for the aliases. + +Principal aliases are only returned by the KDC when the client +requests canonicalization. Canonicalization is normally requested for +service principals; for client principals, an explicit flag is often +required (e.g. @code{kinit -C}) and canonicalization is only performed +for initial ticket requests. + @node Application Servers, Backups of Secure Hosts, Configuring Kerberos with OpenLDAP back-end, Top @chapter Application Servers |