our $AD_MSKTUTIL = 'msktutil';
+=item AD_SERVICE_LENGTH
+
+The maximum length of a unique identifier, samAccountName, for Active
+Directory keytab objects. If the indentifier exceeds this length then
+it will be trunciated and an integer will be appended to the end of
+the identifier. This parameter is here in hopes that at some point
+in the future Microsoft will remove the limitation.
+
+=cut
+
+our $AD_SERVICE_LENGTH = '20';
+
=item AD_SERVICE_LIMIT
Used to limit the number of iterations used in attempting to find a
-unique account name for service principals. Defaults to 999.
+unique account name for principals. Defaults to 999.
=cut
$this_id =~ s/.*?=//xms;
} else {
my ($this_type, $this_cn) = split '/', $this_princ, 2;
- if ($Wallet::Config::AD_SERVICE_PREFIX && $this_type = 'service') {
- $this_cn = $Wallet::Config::AD_SERVICE_PREFIX . $this_cn;
+ my $max_len;
+ if ($this_type eq 'host') {
+ $max_len = $Wallet::Config::AD_SERVICE_LENGTH - 1;
+ } else {
+ $max_len = $Wallet::Config::AD_SERVICE_LENGTH;
+ if ($Wallet::Config::AD_SERVICE_PREFIX) {
+ $this_cn = $Wallet::Config::AD_SERVICE_PREFIX . $this_cn;
+ }
}
my $loop_limit = $Wallet::Config::AD_SERVICE_LIMIT;
- if (length($this_cn)>20) {
+ if (length($this_cn)>$max_len) {
my $cnt = 0;
my $this_dn;
my $suffix_size = length("$loop_limit");
- my $this_prefix = substr($this_cn, 0, 20-$suffix_size);
+ my $this_prefix = substr($this_cn, 0, $max_len - $suffix_size);
my $this_format = "%0${suffix_size}i";
while ($cnt<$loop_limit) {
$this_cn = $this_prefix . sprintf($this_format, $cnt);
projects / kerberos / wallet.git / commitdiff