Renaming a Kerberos realm (all principal info stored in LDAP DIT)

Holger Rauch holger.rauch at empic.de
Tue Jun 15 05:39:08 EDT 2010


Hi,

I would like to know whether it's possible to rename a Kerberos realm
when all Kerberos related info is stored in an LDAP DIT (OpenLDAP and
MIT Kerberos running on Debian Lenny AMD64)?

Reason for this is that I will move my KDC to a new internal subnet
(having a new internal DNS domain) and I would like my Kerberos realm
to be "in sync" with the new DNS domain name.

The Kerberos related info is stored in an "ou" (organizationalUnit)
subtree named "krb5" (initially populated with kdb5_ldap_util).

Is it "safe" to

- shutdown both KDC and kadmin server
  /etc/init.d/krb5-kdc stop
  /etc/init.d/krb5-admin-server stop
- shutdown OpenLDAP (/etc/init.d/slapd stop)
- dump the DIT (slapcat -l <file_name>)
- open DIT file in editor and change all occurrences from
  MY.OLD.REALM to MY.NEW.REALM
- modify the realm name in /etc/krb5.conf and /etc/krb5kdc/kdc.conf
  accordingly
- delete old LDAP databases
- start OpenLDAP in order to obtain a fresh database
  (/etc/init.d/slapd start)
- shutdown OpenLDAP again (/etc/init.d/slapd stop)
- add DIT again (slapadd -l <file_name>)
- restart OpenLDAP (/etc/init.d/slapd start)

or did I forget any relevant step(s)/substep(s)?

Thanks in advance for sharing your thoughts & kind regards,

     Holger
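As an added example (not from the original post, nor from MIT Kerberos or OpenLDAP), a POSIX shell script for the "dump, edit, re-add" step: it unfolds the slapcat LDIF (long values are wrapped, so a realm string can straddle a line break that a plain sed would miss), substitutes the realm in plain-text values and DNs, and flags base64-encoded values that still contain the old realm, since binary attributes such as krbPrincipalKey cannot be fixed by text substitution. It assumes the placeholder realm names MY.OLD.REALM/MY.NEW.REALM and a constructed sample dump whose DN layout is illustrative only.

```shell
OLD_REALM="MY.OLD.REALM"   # placeholder, not a real realm
NEW_REALM="MY.NEW.REALM"   # placeholder, not a real realm
# unfold_ldif <file>: join LDIF continuation lines (leading space) onto the
# previous line, because slapcat wraps long values at a fixed width.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 } END { printf "\n" }' "$1"
}
# rewrite_realm <in.ldif> <out.ldif>: substitute the realm in plain-text values
# and DNs. Base64 values ("attr:: ...") are copied unchanged; if one decodes to
# something still naming the old realm it is reported and the function returns 1.
rewrite_realm() {
    in="$1"; out="$2"; flagged=0
    old_re=$(printf '%s' "$OLD_REALM" | sed 's/\./\\./g')   # literal dots for sed/grep
    unfold_ldif "$in" > "$out.unfolded"
    : > "$out"
    while IFS= read -r line; do
        attr=${line%%:*}
        case "$line" in
            "$attr:: "*)
                if printf '%s' "${line#*:: }" | base64 -d 2>/dev/null | grep -q "$old_re"; then
                    echo "FLAG: base64 value of $attr still contains $OLD_REALM" >&2
                    flagged=1
                fi
                printf '%s\n' "$line" >> "$out" ;;
            *)
                printf '%s\n' "$line" | sed "s/$old_re/$NEW_REALM/g" >> "$out" ;;
        esac
    done < "$out.unfolded"
    rm -f "$out.unfolded"
    return $flagged
}
# write_sample_ldif <file>: constructed stand-in for "slapcat -l" output, with a
# DN folded in the middle of the realm and one base64-encoded attribute.
write_sample_ldif() {
    b64=$(printf 'constructed binary blob naming MY.OLD.REALM' | base64)
    cat > "$1" <<EOF
dn: cn=MY.OLD.REALM,cn=krb5,dc=example,dc=net
cn: MY.OLD.REALM

dn: krbPrincipalName=host/kdc.example.net@MY.OLD.RE
 ALM,cn=MY.OLD.REALM,cn=krb5,dc=example,dc=net
krbPrincipalName: host/kdc.example.net@MY.OLD.REALM
krbPrincipalKey:: $b64
EOF
}
```

A non-zero exit means the dump still carries the old realm inside encoded values, so the rewritten file should not be fed to slapadd until those entries have been dealt with.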