idmapd umich_ldap bug

Kevin Coffman kwc at citi.umich.edu
Mon Mar 17 11:59:09 EDT 2008


On Mon, Mar 17, 2008 at 11:39 AM, Marek Wróbel <marek.j.wrobel at gmail.com> wrote:
> On Mon, Mar 17, 2008 at 2:35 PM, Kevin Coffman <kwc at citi.umich.edu> wrote:
> >
> > 2008/3/14 Marek Wróbel <marek.j.wrobel at gmail.com>:
> >
> > >  I also suggest to change umich_ldap behavior in a way that would allow
> > >  multiple GSSAuthName attributes. It would be useful with several
> > >  authentication mechanisms used concurrently - every user would have both
> > >  a Kerberos principal name and a PKI DN.
> >
> > This is already the case.  Is there something which leads you to
> > believe otherwise?
>
> So how do I configure umich_ldap when each user has Kerberos principal name
> in krbPrincipalName attribute and PKI DN in pkiDN attribute in LDAP database?
>
> Marek Wróbel

Ah.  I see what you are talking about now.  We map GSSPrincipalAttr to
our GSSAuthName ldap attribute, which can hold multiple principal name
strings, or DN name strings -- described under "UMICH Schema" here:
http://www.citi.umich.edu/projects/nfsv4/crossrealm/libnfsidmap_config.html

If you have suggestions (or patches ;-)) on how to map
GSSPrincipalAttr to multiple ldap attributes, I'd appreciate it.

K.C.

