From 8bfba28196485236125ad363ed3b96c461025d94 Mon Sep 17 00:00:00 2001
From: Bill MacAllister
Date: Mon, 2 May 2016 20:44:19 +0000
Subject: Update AD keytab policies

* Make sure userPrincipalName is created for all keytabs and use it to search for entries in AD.

* Allow the creation of any service principal. This requires making sure that the cn used to create AD entries for service accounts not be any longer than 20 characters.
---
 perl/lib/Wallet/Config.pm | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

(limited to 'perl/lib/Wallet/Config.pm')

diff --git a/perl/lib/Wallet/Config.pm b/perl/lib/Wallet/Config.pm
index 2222aba..5d40978 100644
--- a/perl/lib/Wallet/Config.pm
+++ b/perl/lib/Wallet/Config.pm
@@ -463,6 +463,33 @@ default PATH.
 our $AD_MSKTUTIL = 'msktutil';
 
+=item AD_SERVICE_LIMIT
+
+Used to limit the number of iterations used in attempting to find a
+unique account name for service principals. Defaults to 999.
+
+=cut
+
+our $AD_SERVICE_LIMIT = '999';
+
+=item AD_SERVICE_PREFIX
+
+For service principals the AD_SERVICE_PREFIX will be combined with the
+principal identifier to form the account name, i.e. the CN, used to
+store the keytab entry in the Active Directory. Active Directory
+limits these CN's to a maximum of 20 characters. If the resulting CN
+is greater than 20 characters the CN will be truncated and an integer
+will be appended to it. The integer will be incremented until a
+unique CN is found.
+
+The AD_SERVICE_PREFIX is generally useful only prevent name collisions
+when the service keytabs are store in branch of the DIT that also
+contains other similar objects.
+
+=cut
+
+our $AD_SERVICE_PREFIX;
+
 =item AD_SERVER
 
 The hostname of the Active Directory Domain Controller.
-- 
cgit v1.2.3
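Review bot: The AD_SERVICE_PREFIX POD attributes the 20-character limit to the CN, but in Active Directory that limit belongs to sAMAccountName (the pre-Windows 2000 logon name); the CN attribute itself allows longer values, so if the generated name is written to both attributes the POD should say that sAMAccountName is what forces the truncation, otherwise a later maintainer may try to relax the check. Because truncation plus a counter is the only thing keeping two long principal names apart, the POD should also state that the prefix, the truncated identifier and the appended integer together must still fit in 20 characters — the consumer of these settings is outside this hunk, so I can't confirm where that is enforced. Two wording slips in the same paragraph: `The AD_SERVICE_PREFIX is generally useful only prevent name collisions` → `is generally useful only to prevent name collisions`, and `when the service keytabs are store in branch of the DIT` → `when the service keytabs are stored in a branch of the DIT`. AD_SERVICE_LIMIT is described as an iteration count but initialised with the string `'999'`; `our $AD_SERVICE_LIMIT = 999;` states the numeric intent directly, and the POD could add what happens when the limit is exhausted (presumably the keytab creation fails rather than reusing a name).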