(Reposted to the list rather than just to Michael, sorry about that.)
On Wed, Feb 11 2015 at 16:24:09 +0100, Michael Ströder scribbled in "Re: LDAP searches for Kerberos entries":
Simo Sorce wrote:
On Wed, 2015-02-04 at 12:24 +0100, Michael Ströder wrote:
HI!
Maybe some of you are using MIT Kerberos with LDAP backend.
For creating a decent web2ldap search form template for the Kerberos schema I'd like to know which kind of searches you usually do when looking into your backend via LDAP.
Which attributes are you usually using in the search? Which filters do you hack on command-line?
Well, 'krbPrincipalName' will of course be the most used search attribute. The default equality matching rule is caseExactIA5Match, so for convenience I'd add something to use caseIgnoreIA5Match without the user having to select that himself.
You should also search on KrbCanonicalName if you need exact matching, krbPrincipalName is multivalued and may contain aliases.
Thanks, added it.
What about 'krbPrincipalAliases'? Is that actually used?
That depends on whether you're using MIT or Heimdal for your KDCs.
IIRC krbPrincipalAliases refers to a feature of Heimdal's implementation that MIT doesn't have, namely the ability for a principal to have one or more aliases (so host/foo.example.com could also have HTTP/foo.example.com and ldap/foo.example.com all refer to the same principal in the KDB).
If you're using an MIT realm, you probably don't need it.
Cheers.
Dameon.
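As an added example (not code from the thread or from web2ldap), the following Python builds the kinds of LDAP search filters discussed above: an exact lookup on krbCanonicalName, a case-insensitive lookup on krbPrincipalName via an RFC 4515 extensible match that overrides the attribute's default caseExactIA5Match rule, and an OR filter that finds an entry by its canonical name or any alias held in the multi-valued krbPrincipalName. Every assertion value is escaped per RFC 4515, so a principal name typed into a search form cannot alter the filter's structure. The attribute and matching-rule names come from the thread; the function names and the sample principals are my own.

```python
# Added example: LDAP filter construction for Kerberos principal searches.
# Assumes the MIT/Heimdal LDAP schema attributes krbPrincipalName and
# krbCanonicalName and the standard IA5 matching rules named in the thread.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied assertion value so it is matched literally.

    Without this, input such as "*)(objectClass=*" would be spliced into the
    filter as structure (LDAP filter injection) instead of being searched for.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def canonical_name_filter(principal: str) -> str:
    """Exact lookup. krbCanonicalName is single-valued and holds the real
    name, whereas krbPrincipalName is multi-valued and may contain aliases."""
    return f"(krbCanonicalName={escape_filter_value(principal)})"


def principal_name_filter(principal: str, ignore_case: bool = False) -> str:
    """Lookup on krbPrincipalName (matches canonical name or any alias).

    The attribute's default EQUALITY rule is caseExactIA5Match; with
    ignore_case=True an extensible match (RFC 4515 'attr:rule:=value')
    requests caseIgnoreIA5Match instead, so the user need not pick it.
    """
    v = escape_filter_value(principal)
    if ignore_case:
        return f"(krbPrincipalName:caseIgnoreIA5Match:={v})"
    return f"(krbPrincipalName={v})"


def any_name_filter(principal: str, ignore_case: bool = False) -> str:
    """Find an entry whether the given name is its canonical name or an alias
    (useful against a Heimdal KDB where host/foo may also answer to HTTP/foo)."""
    return (
        "(|"
        + canonical_name_filter(principal)
        + principal_name_filter(principal, ignore_case=ignore_case)
        + ")"
    )


def realm_members_filter(realm: str) -> str:
    """Substring search for every principal in one realm. The wildcard is
    added by the code, not taken from user input, so the realm is escaped
    but the leading '*' is not."""
    return f"(krbPrincipalName=*@{escape_filter_value(realm)})"


if __name__ == "__main__":
    # Constructed sample principals for demonstration.
    print(canonical_name_filter("host/foo.example.com@EXAMPLE.COM"))
    print(principal_name_filter("Host/Foo.Example.Com@EXAMPLE.COM", ignore_case=True))
    print(any_name_filter("HTTP/foo.example.com@EXAMPLE.COM"))
    # Hostile input is neutralised rather than becoming filter syntax.
    print(principal_name_filter("*)(objectClass=*"))
```

The filters are plain strings, so they can be pasted into `ldapsearch` or handed to an LDAP client library; the point of the example is that the attribute choice (krbCanonicalName for exact, krbPrincipalName for alias-aware) and the escaping are decided in one place rather than in each search form.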