Reusing existing people-entries for the LDAP-backend - Kerberos


Thread: Reusing existing people-entries for the LDAP-backend

  1. Reusing existing people-entries for the LDAP-backend

    Using the two documents that I linked in today,
    http://web.mit.edu/kerberos/krb5-1.6...P-back_002dend
    http://blogs.sun.com/wfiveash/entry/...to_configuring
    I managed to get Kerberos to store its database in LDAP.

    Only issue that I've encountered:
    I want to reuse the existing entries in our ou=people tree, and in order to
    do so I can of course use
    kdb5_ldap_util [...] modify -subtrees 'ou=people,[...]'
    to get Kerberos to look for the krbPrincipalName in that tree.

    But if I now add a principal by first setting the krbPrincipalName
    of the user in ou=people, and then issuing
    kadmin.local -q 'addprinc joeuser'
    the additional attributes (e.g. krbPrincipalKey) are still stored in
    the Kerberos container tree.

    I tried to use ou=people as container tree by issuing
    kdb5_ldap_util [...] modify -containerref 'ou=people,[...]'
    but then addprinc complains:
    add_principal: Principal or policy already exists while creating
    "joeuser@[...].COM".

    Is there a way to get all data into the people-tree?
    I'm not too afraid to hack around in plugins/kdb/ldap/ if necessary,
    but would be glad if you could give me some hints what I'd need
    to do there.

    tia,
    --
    Infineon Technologies IT-Services GmbH Martin.Schuster1@infineon.com
    Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
    FB: LG Klagenfurt, FN 246787y +43 5 1777 3517

  2. Re: Reusing existing people-entries for the LDAP-backend

    Hi,

    On Wednesday, 14 May 2008, Martin Schuster wrote:
    > Using the two documents that I linked in today,
    > http://web.mit.edu/kerberos/krb5-1.6...n.html#Configuring-Kerberos-with-OpenLDAP-back_002dend
    > http://blogs.sun.com/wfiveash/entry/...to_configuring
    > I managed to get Kerberos to store its database in LDAP.
    >
    > Only issue that I've encountered:
    > I want to reuse the existing entries in our ou=people tree, and in order to
    > do so I can of course use
    > kdb5_ldap_util [...] modify -subtrees 'ou=people,[...]'
    > to get Kerberos to look for the krbPrincipalName in that tree.
    >
    > But if I now add a principal by first setting the krbPrincipalName
    > of the user in ou=people, and then issuing
    > kadmin.local -q 'addprinc joeuser'
    > the additional attributes (e.g. krbPrincipalKey) are still stored in
    > the Kerberos container tree.


    You have to tell addprinc where to store this user by using

    addprinc -x dn= joeuser

    See also man kadmin.

    > I tried to use ou=people as container tree by issuing
    > kdb5_ldap_util [...] modify -containerref 'ou=people,[...]'
    > but then addprinc complains:
    > add_principal: Principal or policy already exists while creating
    > "joeuser@[...].COM".
    >
    > Is there a way to get all data into the people-tree?
    > I'm not too afraid to hack around in plugins/kdb/ldap/ if necessary,
    > but would be glad if you could give me some hints what I'd need
    > to do there.
    >
    > tia,

    --
    Kind regards,

    Michael Calmer

    --------------------------------------------------------------------------
    Michael Calmer
    SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
    T: +49 (0) 911 74053 0
    F: +49 (0) 911 74053575 - e-mail: Michael.Calmer@suse.com
    --------------------------------------------------------------------------
    SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
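Putting Michael's answer into a checkable form, as an added example that is not part of the thread: it builds the `addprinc -x dn=` command for a uid under ou=people and checks ldapsearch LDIF output to confirm that krbPrincipalKey ended up on the people entry rather than in the Kerberos container. The base DN `dc=example,dc=com`, the realm EXAMPLE.COM and uid-based naming of people entries are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed layout:
#   base DN      dc=example,dc=com
#   people tree  ou=people,dc=example,dc=com, entries named uid=<user>
#   realm        EXAMPLE.COM
set -eu

BASE_DN="dc=example,dc=com"         # assumption
PEOPLE_OU="ou=people,${BASE_DN}"    # the subtree discussed in the thread

# DN of the existing people entry that should carry the Kerberos attributes.
people_dn() {
    printf 'uid=%s,%s\n' "$1" "$PEOPLE_OU"
}

# The kadmin.local invocation that binds the new principal to that entry
# (printed rather than executed so it can be reviewed before use).
addprinc_cmd() {
    printf "kadmin.local -q 'addprinc -x dn=%s %s'\n" "$(people_dn "$1")" "$1"
}

# Read LDIF on stdin, e.g. from:
#   ldapsearch -x -b "$BASE_DN" '(krbPrincipalName=joeuser@EXAMPLE.COM)' dn krbPrincipalKey
# Print every DN that carries krbPrincipalKey; exit 1 if any of them lies
# outside ou=people (i.e. the key is still in the Kerberos container tree).
check_key_location() {
    awk -v people="$PEOPLE_OU" '
        /^dn: /             { dn = substr($0, 5); next }
        /^krbPrincipalKey:/ { print dn; if (index(dn, people) == 0) bad = 1 }
        END                 { exit bad + 0 }'
}

# Typical use: generate the command, run it on the KDC, then verify.
addprinc_cmd joeuser
```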


  3. Re: Reusing existing people-entries for the LDAP-backend

    Michael Calmer wrote:
    > On Wednesday, 14 May 2008, Martin Schuster wrote:
    >> [...]
    >> But if I now add a principal by first setting the krbPrincipalName
    >> of the user in ou=people, and then issuing
    >> kadmin.local -q 'addprinc joeuser'
    >> the additional attributes (e.g. krbPrincipalKey) are still stored in
    >> the Kerberos container tree.
    >
    > You have to tell addprinc where to store this user by using
    > addprinc -x dn= joeuser
    >

    Thanks, that did the trick!

    regards,
    --
    Infineon Technologies IT-Services GmbH Martin.Schuster1@infineon.com
    Lakeside B05, 9020 Klagenfurt, Austria Martin Schuster
    FB: LG Klagenfurt, FN 246787y +43 5 1777 3517
