<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <br>
    <br>
    <div class="moz-cite-prefix">On 04/08/2016 05:10 PM, Martin Babinsky
      wrote:<br>
    </div>
    <blockquote cite="mid:5707C9F2.8060903@redhat.com" type="cite">Hi
      list,
      <br>
      <br>
      I have put together a draft [1] outlining the effort to
      reimplement the handling of Kerberos principals in both backend
      and frontend layers of FreeIPA so that we may have multiple
      aliases per user, host or service and thus implement stuff like
      <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/3961">https://fedorahosted.org/freeipa/ticket/3961</a> and
      <a class="moz-txt-link-freetext" href="https://fedorahosted.org/freeipa/ticket/5413">https://fedorahosted.org/freeipa/ticket/5413</a> .
      <br>
      <br>
      Since much of the plumbing was already implemented,[2] the
      document mainly describes what the patches do. Some parts required
      by other use cases may be missing so please point these out.
      <br>
      <br>
      I would also be happy if you could correct all factual
      inaccuracies, I did research on this issue a long time ago and my
      knowledge turned a bit rusty.
      <br>
      <br>
      [1] <a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/V4/Kerberos_principal_aliases">http://www.freeipa.org/page/V4/Kerberos_principal_aliases</a>
      <br>
      [2]
      <a class="moz-txt-link-freetext" href="https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html">https://www.redhat.com/archives/freeipa-devel/2015-October/msg00048.html</a>
      <br>
      <br>
    </blockquote>
    <font face="Times New Roman, Times, serif">Hi Martin,<br>
      <br>
    </font>
    <blockquote><font face="Times New Roman, Times, serif">Currently DS
        is enforcing that 'krbPrincipalName' and 'krbCanonicalName' are
        unique.<br>
        krbPrincipalName is caseExactIA5Match.<br>
        Is it possible to imagine entries having the same (IgnoreCase)
        alias:<br>
      </font>
      <blockquote><tt>dn: uid=user_one,cn=users,cn=accounts,&lt;suffix&gt;<br>
          ...<br>
          krbCanonicalName: user_one@&lt;realm&gt;<br>
          krbPrincipalName: user_one@&lt;realm&gt;<br>
          krbPrincipalName: user_ONE@&lt;realm&gt;<br>
          <br>
          dn: uid=user_two,</tt><tt>cn=users,cn=accounts,&lt;suffix&gt;<br>
          ...<br>
          krbCanonicalName: user_two@&lt;realm&gt;<br>
          krbPrincipalName: user_two@&lt;realm&gt;<br>
          krbPrincipalName: user_TWO@&lt;realm&gt;<br>
        </tt><tt>krbPrincipalName: <b>user_</b><b>One</b>@&lt;realm&gt;</tt><br>
        <br>
      </blockquote>
      <font face="Times New Roman, Times, serif">So KDB, searching as
        case insensitive
        "krbPrincipalName:caseIgnoreIA5Match:=USER_one@&lt;realm&gt;"
        will retrieve user_one and user_two?<br>
        <br>
        thanks<br>
        thierry<br>
      </font></blockquote>
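    <p>Added example, not part of the original thread or of FreeIPA's code: a small audit over constructed entries shaped like the ones in the reply above, showing that a set of krbPrincipalName values can satisfy an exact-match uniqueness check and still collide once case is ignored. The realm EXAMPLE.TEST, the suffix and all function names are assumptions; only case folding is modelled, not the space handling of the IA5 matching rules.</p>

```python
from collections import defaultdict

# Constructed sample data modelled on the entries in the message above.
# EXAMPLE.TEST and dc=example,dc=test are placeholder realm and suffix.
ENTRIES = {
    "uid=user_one,cn=users,cn=accounts,dc=example,dc=test": [
        "user_one@EXAMPLE.TEST",
        "user_ONE@EXAMPLE.TEST",
    ],
    "uid=user_two,cn=users,cn=accounts,dc=example,dc=test": [
        "user_two@EXAMPLE.TEST",
        "user_TWO@EXAMPLE.TEST",
        "user_One@EXAMPLE.TEST",
    ],
}


def owners_by_key(entries, normalize):
    """Map each normalized krbPrincipalName value to the DNs that hold it."""
    index = defaultdict(set)
    for dn, names in entries.items():
        for name in names:
            index[normalize(name)].add(dn)
    return index


def shared_values(entries, normalize):
    """Normalized values that appear in more than one entry."""
    index = owners_by_key(entries, normalize)
    return {key: dns for key, dns in index.items() if len(dns) > 1}


def exact_violations(entries):
    """What a case-sensitive (caseExact-style) uniqueness check would flag."""
    return shared_values(entries, lambda value: value)


def case_ignore_collisions(entries):
    """Values owned by several entries once case is ignored (ASCII folding)."""
    return shared_values(entries, str.lower)


def case_ignore_search(entries, principal):
    """DNs matched by a case-insensitive equality search on krbPrincipalName."""
    wanted = principal.lower()
    return sorted(dn for dn, names in entries.items()
                  if any(name.lower() == wanted for name in names))
```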
  </body>
</html>