kdb5_ldap_util does not read kdc.conf

Mark Pröhl mark at mproehl.net
Sat Sep 25 04:32:24 EDT 2010


On 09/22/2010 11:08 PM, Greg Hudson wrote:
> On Wed, 2010-09-22 at 16:59 -0400, Tom Parker wrote:
>    
>> Is this a bug?  Or am I wrong in my assumptions about the two files.
>>      
> Without actually trying to duplicate your behavior, just looking at the
> source code, it looks like a bug in the way kdb5_ldap_util initializes
> its krb5 context.  I'm surprised it hasn't come up before.  It should be
> easy to fix.
>
> A workaround is to set
> KRB5_CONFIG=/etc/krb5.conf:/var/lib/kerberos/krb5kdc/kdc.conf while
> running kdb5_ldap_util.

I wonder why the KDC LDAP parameters are only described in krb5.conf(5) 
and not in kdc.conf(5).
Furthermore, the chapter "Configuring Kerberos with OpenLDAP back-end" 
in the Administrator's Guide does not mention the file kdc.conf at all. 
Therefore, I always thought that configuring krb5.conf is the only 
supported way of setting up the LDAP backend.

By applying the described workaround for kdb5_ldap_util 
(KRB5_CONFIG=...kdc.conf) it becomes possible to do a strict separation 
of the meaning of the two files: krb5.conf configures the Kerberos 
library and kdc.conf is for KDC configuration. (Which is what I would 
like to have.)

So my question is: is the configuration of KDC LDAP parameters in 
kdc.conf supported by MIT?
(And should the documentation be fixed?)

Regards,

Mark Pröhl



