Reusing existing people-entries for the LDAP-backend

Michael Calmer mc at suse.de
Wed May 14 11:12:30 EDT 2008


Hi,

On Wednesday, 14 May 2008, Martin Schuster wrote:
> Using the two documents that I linked in
> <g0e35v$h19$1 at athen03.muc.infineon.com> today,
> http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend
> http://blogs.sun.com/wfiveash/entry/the_rough_guide_to_configuring I
> managed to get Kerberos to store its database in LDAP.
>
> Only issue that I've encountered:
> I want to reuse the existing entries in our ou=people tree, and in order to
> do so I can of course use
> kdb5_ldap_util [...] modify -subtrees 'ou=people,[...]'
> to get Kerberos to look for the krbPrincipalName in that tree.
>
> But if I now add a principal by first setting the krbPrincipalName
> of the user in ou=people, and then issuing
> kadmin.local -q 'addprinc joeuser'
> the additional attributes (e.g. krbPrincipalKey) are still stored in
> the Kerberos container tree.

You have to tell addprinc where to store this user by using 

  addprinc -x dn=<dn to user object> joeuser

See also man kadmin.

> I tried to use ou=people as container tree by issuing
> kdb5_ldap_util [...] modify -containerref 'ou=people,[...]'
> but then addprinc complains:
> add_principal: Principal or policy already exists while creating
> "joeuser@[...].COM".
>
> Is there a way to get all data into the people-tree?
> I'm not too afraid to hack around in plugins/kdb/ldap/ if necessary,
> but would be glad if you could give me some hints what I'd need
> to do there :)
>
> tia,



-- 
Kind regards

	Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX Products GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: Michael.Calmer at suse.com
--------------------------------------------------------------------------
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
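Added example, not from the list post or from MIT Kerberos: a shell walk-through of the two steps discussed above (pointing the KDC's subtree search at ou=people, then creating the principal with `addprinc -x dn=`), plus a check over constructed ldapsearch output that tells whether krbPrincipalKey landed on the user entry or in the krbContainer. Realm, base DN, bind DN and the sample LDIF are assumed placeholders.

```shell
#!/bin/sh
# Assumed placeholder values; adjust to your directory.
REALM="EXAMPLE.COM"
BASE="dc=example,dc=com"
PEOPLE="ou=people,$BASE"
BINDDN="cn=admin,$BASE"

# Step 1 (one-time per realm): let the KDC search ou=people for principals.
subtree_cmd() {
  printf "kdb5_ldap_util -D '%s' modify -r %s -subtrees '%s'\n" \
    "$BINDDN" "$REALM" "$PEOPLE"
}

# Step 2: create the principal on the existing user entry. Without
# "-x dn=" kadmin creates a new entry under the realm's krbContainer.
# The DN has no spaces, so it needs no extra quoting inside -q.
addprinc_cmd() {
  printf "kadmin.local -q 'addprinc -x dn=uid=%s,%s %s@%s'\n" \
    "$1" "$PEOPLE" "$1" "$REALM"
}

# Step 3: from LDIF (e.g. ldapsearch -b "$BASE" 'krbPrincipalName=*'),
# print the DN that carries krbPrincipalKey and succeed only if it is
# the expected user entry.  $1: LDIF text, $2: expected DN.
principal_dn_in_ldif() {
  found=$(printf '%s\n' "$1" | awk '
    /^dn: /            { dn = substr($0, 5) }
    /^krbPrincipalKey/ { print dn; exit }')
  printf '%s\n' "$found"
  [ "$found" = "$2" ]
}

# Constructed sample LDIF for the two outcomes described in the thread
# (key value is a dummy, not real key material).
GOOD_LDIF="dn: uid=joeuser,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
krbPrincipalName: joeuser@EXAMPLE.COM
krbPrincipalKey:: AAEAAA=="

BAD_LDIF="dn: krbPrincipalName=joeuser@EXAMPLE.COM,cn=EXAMPLE.COM,cn=krbContainer,dc=example,dc=com
objectClass: krbPrincipal
krbPrincipalName: joeuser@EXAMPLE.COM
krbPrincipalKey:: AAEAAA=="

subtree_cmd
addprinc_cmd joeuser
principal_dn_in_ldif "$GOOD_LDIF" "uid=joeuser,$PEOPLE" \
  || echo "key is not on the user entry"
```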