[Freeipa-devel] [DESIGN] Kerberos principal alias handling

thierry bordaz tbordaz at redhat.com
Mon Apr 11 14:29:15 UTC 2016



On 04/08/2016 05:10 PM, Martin Babinsky wrote:
> Hi list,
>
> I have put together a draft [1] outlining the effort to reimplement 
> the handling of Kerberos principals in both backend and frontend 
> layers of FreeIPA so that we may have multiple aliases per user, host 
> or service and thus implement stuff like 
> https://fedorahosted.org/freeipa/ticket/3961 and 
> https://fedorahosted.org/freeipa/ticket/5413 .
>
> Since much of the plumbing was already implemented,[2] the document 
> mainly describes what the patches do. Some parts required by other use 
> cases may be missing so please point these out.
>
> I would also be happy if you could correct all factual inaccuracies, I 
> did research on this issue a long time ago and my knowledge turned a 
> bit rusty.
>
> [1] http://www.freeipa.org/page/V4/Kerberos_principal_aliases
> [2] 
> https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html
>
Hi Martin,

    Currently DS is enforcing that 'krbPrincipalName' and
    'krbCanonicalName' are unique.
    krbPrincipalName is caseExactIA5Match.
    Is it possible to imagine entries having the same (IgnoreCase) alias:

        dn: uid=user_one,cn=users,cn=accounts,<suffix>
        ...
        krbCanonicalName: user_one@<realm>
        krbPrincipalName: user_one@<realm>
        krbPrincipalName: user_ONE@<realm>

        dn: uid=user_two,cn=users,cn=accounts,<suffix>
        ...
        krbCanonicalName: user_two@<realm>
        krbPrincipalName: user_two@<realm>
        krbPrincipalName: user_TWO@<realm>
        krbPrincipalName: user_One@<realm>

    So KDB, searching as case insensitive
    "krbPrincipalName:caseIgnoreIA5Match:=USER_one@<realm>" will
    retrieve user_one and user_two?

    thanks
    thierry
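As an added illustration (not part of Thierry's mail and not FreeIPA code), the following Python emulates the two matching rules on the two entries above, using a constructed suffix and realm: the exact-match uniqueness check that DS applies passes, while a case-ignoring lookup of the kind the KDB issues returns both entries.

```python
# Added example (not from the thread): show that uniqueness enforced with
# caseExactIA5Match does not rule out collisions that a caseIgnoreIA5Match
# lookup (the KDB's search) will hit.
from collections import defaultdict

# Constructed LDIF fragments mirroring the two entries in the mail;
# the suffix and realm are placeholders, not real values.
SAMPLE_LDIF = """\
dn: uid=user_one,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: user_one@EXAMPLE.TEST
krbPrincipalName: user_one@EXAMPLE.TEST
krbPrincipalName: user_ONE@EXAMPLE.TEST

dn: uid=user_two,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: user_two@EXAMPLE.TEST
krbPrincipalName: user_two@EXAMPLE.TEST
krbPrincipalName: user_TWO@EXAMPLE.TEST
krbPrincipalName: user_One@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64) into a
    list of (dn, {attribute: [values]}) tuples."""
    entries = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name].append(value)
        entries.append((dn, dict(attrs)))
    return entries

def exact_duplicates(entries, attr="krbPrincipalName"):
    """Values owned by more than one entry under caseExactIA5Match
    (byte-for-byte comparison), i.e. what DS uniqueness checks."""
    owners = defaultdict(set)
    for dn, attrs in entries:
        for value in attrs.get(attr, []):
            owners[value].add(dn)
    return {v: sorted(dns) for v, dns in owners.items() if len(dns) > 1}

def case_insensitive_lookup(entries, principal, attr="krbPrincipalName"):
    """Emulate (krbPrincipalName:caseIgnoreIA5Match:=principal): DNs of
    every entry whose alias matches when case is ignored."""
    wanted = principal.lower()
    return sorted(dn for dn, attrs in entries
                  if any(v.lower() == wanted for v in attrs.get(attr, [])))

entries = parse_ldif(SAMPLE_LDIF)
print("exact duplicates:", exact_duplicates(entries))  # {} -> uniqueness passes
print("KDB lookup hits:", case_insensitive_lookup(entries, "USER_one@EXAMPLE.TEST"))
```

Run against a real LDIF export (with the constructed sample replaced), the same two functions report whether any principal aliases differ only by case across entries.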
