Let me see if I understand. I've already created the principal for my account with:

addprinc -x dn=uid=cory,ou=People,dc=cory,dc=albrecht,dc=name cory

So now to that dn I need to add the krbCanonicalName attribute. When I create a new principal, say "cory/root", I can just manually add another krbPrincipalName attribute with it to the dn=uid=cory,... object? And something similar for the machine principals?

On Fri, Aug 21, 2015 at 11:49 PM, Greg Hudson <ghud...@mit.edu> wrote:

> On 08/21/2015 12:35 AM, Cory Albrecht wrote:
> > I just recently redid my krb5 set up to use LDAP as backend (for less
> > hassle replication since the LDAP servers were already doing that) and I
> > was wondering what the best/easiest ways were to deal with cases where
> > multiple kerberos principals would be logically associated with a single
> > account/LDAP object.
>
> We have support for this in the LDAP KDB module, but not in the
> administrative tools, and it isn't documented. After creating the
> principal with the canonical name, you need to add a krbCanonicalName
> attribute for the canonical name (with the same value as the already
> existing krbPrincipalName attribute), and then add additional
> krbPrincipalName attributes.
>
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos