[31432] in Kerberos


Re: ldap principal aliases

daemon@ATHENA.MIT.EDU (Luke Howard)
Sun Aug 30 04:15:36 2009

Message-Id: <8A1ED1FA-7E96-4172-882C-FE8C18D25192@padl.com>
From: Luke Howard <lukeh@padl.com>
To: "kerberos@MIT.EDU" <kerberos@mit.edu>
In-Reply-To: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Sun, 30 Aug 2009 10:14:40 +0200
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think Greg
> is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).

In the TGS path, it's fine for a backend to always return aliases
regardless of the setting of the canonicalize flag (after all, they
are indistinguishable to the service from genuine principals). IIRC
the DSfW backend does this.

-- Luke
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
