openldap principal

Gerald (Jerry) Carter jerry at samba.org
Sat Jul 3 21:59:49 EDT 2004


On Sat, 3 Jul 2004, Frederic Medery wrote:

> But why do I need the ldap/hostname at REALMS principal AND the rootdn in the
> kerberos DB?

You don't need a rootdn if I understand you correctly.
Technically a root DN is optional, but if you need one,
use the SASL identity format in slapd.conf:

    rootdn     uid=<user>,cn=<realm>,cn=gssapi,cn=auth

When I reread your question it sounds like "why do I need a service
principal for the ldap server and a rootdn in slapd.conf?"  Is that
the Q?  The rootdn in slapd.conf and the kerberos service principal
are unrelated.




cheers, jerry


> On 2-Jul-04, at 8:56 AM, Gerald (Jerry) Carter wrote:
>
> > On Thu, 1 Jul 2004, Frederic Medery wrote:
> >
> >> My question is: Do I have to create all the user principals, or when I
> >> create an ldap user, do I have to create it inside kerberos, or will the
> >> ldap admin principal create it for me?
> >
> > You will need to be able to associate each user principal in the domain
> > with a uidNumber.  The easiest way I can think to explain it is
> > pam_krb5+nss_ldap.  So you will need the posixAccounts in the directory
> > service but not the userPassword (or authPassword) attributes.  The
> > authentication is handled via the KDC and the OS calls to getpwnam(),
> > et al. go through NSS and out to LDAP.
> >
> > Hope this helps.  Also you might be interested in the Heimdal+LDAP
> > setup described at http://padl.com/esearch/Heimdal.html
> >
> >
> >
> >
> > cheers, jerry
> > ----------------------------------------------------------------------
> > Hewlett-Packard            ------------------------- http://www.hp.com
> > SAMBA Team                 ---------------------- http://www.samba.org
> > GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
> > "...a hundred billion castaways looking for a home." ----------- Sting
> >
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

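The SASL identity form of rootdn that Jerry quotes, and why it is unrelated to the ldap/hostname service principal, modelled as an added Python example (not code from this thread or from OpenLDAP): it derives the cn=auth DN that slapd builds for a principal bound via SASL/GSSAPI, applies constructed authz-regexp rules, and compares the result with a constructed rootdn. The realm EXAMPLE.COM, the user names, the rules and the ou=People suffix are assumptions; the realm is lowercased only for readability, since DN matching is case-insensitive, and the rootdn check is modelled as applying after rewriting, which is why the first rule maps the root identity to itself.

```python
import re

# Constructed sample configuration (not from the original post): the rootdn in
# the SASL identity form quoted above, plus authz-regexp rules in slapd.conf
# style. First match wins, so the root identity is listed first and mapped to
# itself; every other plain user principal is mapped to its posixAccount entry.
ROOTDN = "uid=jerry,cn=example.com,cn=gssapi,cn=auth"
AUTHZ_REGEXP = [
    (r"^uid=jerry,cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=jerry,cn=example.com,cn=gssapi,cn=auth"),
    (r"^uid=([^/,]+),cn=example\.com,cn=gssapi,cn=auth$",
     r"uid=\1,ou=People,dc=example,dc=com"),
]


def sasl_authz_dn(principal):
    """DN slapd derives from a principal that bound with SASL/GSSAPI:
    uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth."""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError("malformed principal: %r" % principal)
    # DN comparison is case-insensitive, so realm case does not matter;
    # lowercased here only for readability.
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (name, realm.lower())


def normalize_dn(dn):
    """Cheap normalisation for comparison: lowercase, strip spaces around RDNs."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def effective_dn(principal, rules=AUTHZ_REGEXP):
    """Apply authz-regexp rewriting to the SASL DN. Unmatched identities keep
    their cn=auth DN, which names no entry, so a service principal such as
    ldap/host (its uid contains '/') is never mapped onto a user entry."""
    dn = sasl_authz_dn(principal)
    for pattern, replacement in rules:
        new_dn, n = re.subn(pattern, replacement, dn, count=1, flags=re.IGNORECASE)
        if n:
            return new_dn
    return dn


def is_rootdn(principal, rootdn=ROOTDN, rules=AUTHZ_REGEXP):
    """Model of the rootdn check: compares the identity after rewriting."""
    return normalize_dn(effective_dn(principal, rules)) == normalize_dn(rootdn)


if __name__ == "__main__":
    for p in ("jerry@EXAMPLE.COM", "fred@EXAMPLE.COM", "ldap/ldap.example.com@EXAMPLE.COM"):
        print(p, "->", effective_dn(p), "(rootdn)" if is_rootdn(p) else "")
```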

