From: Sam Hartman
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8065] Renaming principals with LDAP KDB deletes the principal
Date: Tue, 03 Feb 2015 14:31:49 -0500
In-Reply-To: (Greg Hudson via RT's message of "Tue, 3 Feb 2015 14:12:49 -0500 (EST)")
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain

>>>>> "Greg" == Greg Hudson via RT writes:

    Greg> 2. When the LDAP back end loads the source principal entry, it
    Greg> inserts a tl-data value of type KDB_TL_USERDN containing the
    Greg> DN. When we put the principal entry, this tl-data value is
    Greg> extracted and used as the DN to use. We don't want that to
    Greg> happen; we want the KDB module to construct a new DN based on
    Greg> the new principal name.

I'm not sure that's true. In my directory I have principals stored inside account objects. For example, I have uid=hartmans,ou=users,dc=painless-security,dc=com.

I really want the principal to stay there even if I rename it. If I'm also renaming the account, I'll do that with an LDAP operation and that will rename the object. Yes, the principal also needs to get renamed, but I'd be really annoyed if renaming a principal moved a principal contained in an account object out of that object.

--Sam