[31431] in Kerberos
Re: ldap principal aliases
daemon@ATHENA.MIT.EDU (Luke Howard)
Sun Aug 30 03:21:57 2009
Message-Id: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
From: Luke Howard <lukeh@padl.com>
To: Chris <lists@deksai.com>
In-Reply-To: <20090829150119.GA26450@chris-laptop.a2hosting.com>
Date: Sun, 30 Aug 2009 09:21:22 +0200
Cc: kerberos@mit.edu
> Yep, sure enough. The version on wopr is pretty old.
>
> Are there any known scenarios where forcing canonicalization on the KDC
> would be bad? I was thinking about just removing the check for that
> flag from our KDCs, since there are quite a few servers that have the
> old libraries.
This will create problems in the AS path, because the client library
won't expect a different principal name. In the TGS path, I think Greg
is right (but if you're going to disable the check, I'd do it in
libkdb_ldap rather than the KDC).
-- Luke