ldap backend issues
Thomas Mueller
thomas at chaschperli.ch
Mon Jan 19 14:52:33 EST 2009
> Thomas Mueller wrote:
>> First, the online documentation** says to create new ACLs ending with
>> "by * none". This disabled access for all except the two Kerberos
>> users. After reading man slapd.access, it may be better to read "by *
>> break" to let slapd evaluate the next access statements?
>
> I'd suggest to examine ACL issues by setting an appropriate log level
> and clarify what you find in the logs on the openldap-software mailing
> list.
This isn't actually a problem. I just wanted to say that if somebody like me
copies the sample configuration in the krb5 documentation from
web.mit.edu/kerberos, and if the cn=Kerberos is below the "root" of the
LDAP directory, one will disable all read access. Maybe the documentation
should state that one should read "man slapd.access" for the "by * none"
meaning, or change the documentation to "by * break" to let slapd evaluate
the further access rules.
>
>> Second, I've configured OpenLDAP like the sample krb5.conf file in
>> chapter 3.3.11. Although I've written the kdc and adm DN, the kdc-server
>> and admin-server don't start without supplying "-x host=ldapi://<path>
>> -x binddn=cn=kdc-service,dc=test". Is /etc/krb5.conf the right place?
>> Don't I have to write some LDAP config to /etc/krb5kdc/kdc.conf? "man
>> kdc.conf" doesn't reveal anything about "ldap".
>
> I also had some problems. But you should really try to collect some
> Kerberos error messages and post them here. Also posting your krb5.conf
> and kdc.conf would help.
OK, I decided to set up a blank Debian lenny virtual machine, and it
works now; I don't have to add "-x" flags to the init scripts. I think I
had a typo somewhere. Sorry for the noise. The LDAP backend is working as I
expected.
So that leaves the last point: how to migrate the passwords from the file-
based Kerberos db to the LDAP backend. Searching the net and newsgroups/
mailing lists didn't reveal anything. Have I missed something?
- Thomas
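The ACL trap from the first point, as an added example constructed for this thread (it is not taken from the MIT or OpenLDAP documentation). The suffix dc=test and the DN cn=kdc-service,dc=test come from the post; cn=adm-service,dc=test and the container cn=krbcontainer,dc=test are assumed names following the MIT sample's naming. Per slapd.access(5), the first "access to" directive whose <what> matches the entry is the only one consulted, and inside it the first matching "by" clause decides; a clause without "break" or "continue" stops evaluation, and a directive none of whose "by" clauses match denies access anyway, so the explicit "by * none" only spells out the default. The damage therefore comes from a <what> that covers the whole suffix, not from "by * none" itself. The three fragments below are alternatives, each meant as a separate piece of slapd.conf (the MIT sample's earlier "access to attrs=userPassword ... by * auth" rule stays in front of all of them):

```conf
# --- Variant A: the trap ---
# dn.subtree="dc=test" matches every entry in the directory, and "by * none"
# (like the implicit deny that ends every directive) stops evaluation, so the
# catch-all "access to *" below is never reached: nothing is readable except
# by the two service DNs.
access to dn.subtree="dc=test"
        by dn.exact="cn=kdc-service,dc=test" write
        by dn.exact="cn=adm-service,dc=test" write
        by * none

access to *
        by * read

# --- Variant B (preferred fix): scope <what> to the realm container only ---
# Only the Kerberos container subtree is restricted to the service DNs;
# every other entry falls through to the catch-all read rule.
access to dn.subtree="cn=krbcontainer,dc=test"
        by dn.exact="cn=kdc-service,dc=test" write
        by dn.exact="cn=adm-service,dc=test" write
        by * none

access to *
        by * read

# --- Variant C: what "by * break" does ---
# "break" continues with the next matching directive instead of stopping.
# Followed directly by "access to * by * read", that grants anonymous read on
# the container (krbPrincipalKey included), so it is only safe if a later
# directive still denies the container, e.g. the first rule of Variant B.
access to dn.subtree="dc=test"
        by dn.exact="cn=kdc-service,dc=test" write
        by dn.exact="cn=adm-service,dc=test" write
        by * break

access to *
        by * read
```

A quick check after reloading slapd: an anonymous simple bind, such as ldapsearch -x -H ldapi:/// -b dc=test dn, should list the ordinary entries and nothing under the container with Variant B, everything with Variant C, and nothing at all with Variant A.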
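For the second point, the [dbmodules] stanza that tells the KDC and kadmind which backend, bind DNs and server to use, so that the "-x host=..." and "-x binddn=..." flags are not needed on the command line. This is an added example written for this thread following the layout of MIT's LDAP backend documentation, not copied from it; cn=kdc-service,dc=test and the ldapi:// transport come from the post, while the realm name TEST, the module name, the container DN, cn=adm-service,dc=test and the stash file path are assumptions. The KDC and kadmind read krb5.conf and kdc.conf as one merged profile, so the stanza works in either file; the MIT sample places it in krb5.conf, which is why kdc.conf(5) of that era says nothing about LDAP.

```conf
[realms]
    TEST = {
        # Name of the [dbmodules] entry below. Without this the KDC keeps
        # using the default db2 backend even if [dbmodules] is present.
        database_module = ldap_test
    }

[dbmodules]
    ldap_test = {
        # Select the LDAP KDB plugin.
        db_library = kldap
        # Container under which kdb5_ldap_util created the realm (assumed DN).
        ldap_kerberos_container_dn = cn=krbcontainer,dc=test
        # DNs the KDC and kadmind bind as; these replace "-x binddn=...".
        ldap_kdc_dn = "cn=kdc-service,dc=test"
        ldap_kadmind_dn = "cn=adm-service,dc=test"
        # Stash of the two bind passwords, written once per DN with
        #   kdb5_ldap_util stashsrvpw -f /etc/krb5kdc/service.keyfile cn=kdc-service,dc=test
        # Keep it root-only; it holds the credentials that can read every key.
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        # Server list; replaces "-x host=...". ldapi:/// stays off the network.
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
```

The two bind DNs are exactly the ones that need write access in the slapd ACL for the realm container; if the KDC starts but cannot read principals, the ACL rather than this stanza is the first thing to check.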