Migrating database to LDAP (kldap)

Andreas Ntaflos daff at pseudoterminal.org
Mon Aug 29 09:22:07 EDT 2011


On 28/08/11 17:49, Simo Sorce wrote:
> On Sun, 2011-08-28 at 01:08 +0200, Andreas Ntaflos wrote:
>> I was now wondering if it is possible to migrate the current Kerberos
>> database to LDAP (with the kldap driver), without having to recreate the
>> whole realm and every principal and reset every password. It is also
>> important that saslauthd continues working.
>>
>> Is there a migration strategy or best practice I can follow? Or is the
>> whole thing impossible to do?
> 
> You can use kdb5_util to dump the database and then later reload it in
> LDAP. I tried only with LDAP->LDAP but I don't think you should have any
> issue dumping a db once and then loading it back in LDAP as long as the
> LDAP server is correctly configured and the kdc user has enough
> permission to write the data.

Simo,

Thank you for the hint, I was indeed able to use kdb5_util to dump the
old database and restore it into the LDAP backend, after some initial
problems.

Here's what I did:

 * Dump the current database: kdb5_util dump kdb5-current.dump
 * Update /etc/krb5.conf to reflect the LDAP backend settings (I used
[1] as guide)
 * Backup /etc/krb5kdc, especially the stash (/etc/krb5kdc/stash)
containing the master key
 * Create a new realm using kdb5_ldap_util as per [1], i.e.
"kdb5_ldap_util create"
  * This creates a new master key and stash that will have to be
replaced by the old stash after importing the database.
 * Create the stash for the service object as per [1], i.e.
"kdb5_ldap_util stashsrvpw"
 * Load the database dump: kdb5_util load -update kdb5-current.dump
 * Replace the newly created master key stash (/etc/krb5kdc/stash) with
the backup
 * Restart the KDC and admin server

The database, database dump and master key obviously are very tightly
coupled and creating a new realm creates a new master key. Is there
another way this procedure should have been done, one that doesn't
require manually copying key stashes around?

Anyway, this seems to be working fine so far, thanks again!

Andreas

[1] https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html
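As an added example (not code from the post or from the Ubuntu guide it cites), the steps above as a shell script with the stash backup, restore and verification checks a practitioner would want around them; the realm, LDAP URI, DNs, file paths and the RUN_MIGRATION switch are assumed values.

```shell
#!/bin/sh
# Added example, not from the post: the thread's migration steps as a script,
# with the master-key stash safeguards a cautious admin adds. All paths, DNs
# and the RUN_MIGRATION switch are assumptions; adjust for your KDC.
set -eu

KDC_DIR="${KDC_DIR:-/etc/krb5kdc}"                # assumed Debian/Ubuntu layout
STASH="$KDC_DIR/stash"                            # master key stash, as in the post
DUMP="${DUMP:-kdb5-current.dump}"
REALM="${REALM:-EXAMPLE.COM}"                     # assumed
LDAP_URI="${LDAP_URI:-ldap://ldap01.example.com}" # assumed
LDAP_ADMIN_DN="${LDAP_ADMIN_DN:-cn=admin,dc=example,dc=com}"           # assumed
KDC_SERVICE_DN="${KDC_SERVICE_DN:-uid=kdc-service,dc=example,dc=com}"  # assumed

# Copy the stash aside before anything touches the realm, keeping mode/owner.
backup_stash() {          # $1 = live stash, $2 = backup path
    cp -p "$1" "$2"
}

# Put the original stash back over the one "kdb5_ldap_util create" generated.
restore_stash() {         # $1 = backup path, $2 = live stash
    cp -p "$1" "$2"
}

# True only if the live stash is byte-for-byte the backed-up original.
stash_matches_backup() {  # $1 = live stash, $2 = backup path
    cmp -s "$1" "$2"
}

migrate() {
    backup_stash "$STASH" "$STASH.pre-ldap"
    kdb5_util dump "$DUMP"                         # dump the current database
    [ -s "$DUMP" ] || { echo "dump is empty, aborting" >&2; exit 1; }
    # krb5.conf/kdc.conf must already point the realm at the kldap backend here
    kdb5_ldap_util -D "$LDAP_ADMIN_DN" -H "$LDAP_URI" create -r "$REALM" -s  # new realm, new stash
    kdb5_ldap_util -D "$LDAP_ADMIN_DN" -H "$LDAP_URI" stashsrvpw "$KDC_SERVICE_DN"
    kdb5_util load -update "$DUMP"                 # principals are encrypted under the OLD master key
    restore_stash "$STASH.pre-ldap" "$STASH"       # so put the old master key stash back
    stash_matches_backup "$STASH" "$STASH.pre-ldap" || { echo "stash restore failed" >&2; exit 1; }
    kdb5_util list_mkeys                           # errors out if the stash cannot open the new DB
    service krb5-kdc restart
    service krb5-admin-server restart
}

if [ "${RUN_MIGRATION:-no}" = yes ]; then migrate; fi
```

Set RUN_MIGRATION=yes to actually run the migration; the stash helpers can be exercised on copies first.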
