[31450] in Kerberos
Re: ldap principal aliases
daemon@ATHENA.MIT.EDU (Chris)
Thu Sep 3 15:10:36 2009
Date: Thu, 3 Sep 2009 15:10:04 -0400
From: Chris <lists@deksai.com>
To: Luke Howard <lukeh@padl.com>
Message-ID: <20090903191003.GB20299@chris-laptop.a2hosting.com>
Mail-Followup-To: Luke Howard <lukeh@padl.com>,
Greg Hudson <ghudson@MIT.EDU>, kerberos@mit.edu
In-Reply-To: <20AFB3A2-5464-46EB-934C-7750D79E184E@padl.com>
Cc: kerberos@mit.edu
On Sun, Aug 30, 2009 at 09:21:22AM +0200, Luke Howard wrote:
> >Yep, sure enough. The version on wopr is pretty old.
> >
> >Are there any known scenarios where forcing canonicalization on
> >the KDC
> >would be bad? I was thinking about just removing the check for that
> >flag from our KDCs, since there are quite a few servers that have the
> >old libraries.
>
>
> This will create problems in the AS path, because the client library
> won't expect a different principal name. In the TGS path, I think
> Greg is right (but if you're going to disable the check, I'd do it in
> libkdb_ldap rather than the KDC).
>
> -- Luke
Thank you both for the input (and the patch). I apologize, I was out on
vacation for several days, so I didn't mean to ignore you!
I see that the patch made it into svn. I will apply it here, and let
you know if I run into any problems.
Chris