Migrating database to LDAP (kldap)
Simo Sorce
simo at redhat.com
Mon Aug 29 09:39:54 EDT 2011
On Mon, 2011-08-29 at 15:22 +0200, Andreas Ntaflos wrote:
[..]
> Simo,
>
> Thank you for the hint, I was indeed able to use kdb5_util to dump the
> old database and restore it into the LDAP backend, after some initial
> problems.
>
> Here's what I did:
>
> * Dump the current database: kdb5_util dump kdb5-current.dump
> * Update /etc/krb5.conf to reflect the LDAP backend settings (I used
> [1] as guide)
> * Backup /etc/krb5kdc, especially the stash (/etc/krb5kdc/stash)
> containing the master key
> * Create a new realm using kdb5_ldap_util as per [1], i.e.
> "kdb5_ldap_util create"
> * This creates a new master key and stash that will have to be
> replaced by the old stash after importing the database.
> * Create the stash for the service object as per [1], i.e.
> "kdb5_ldap_util stashsrvpw"
> * Load the database dump: kdb5_util load -update kdb5-current.dump
> * Replace the newly created master key stash (/etc/krb5kdc/stash) with
> the backup
> * Restart the KDC and admin server
>
> The database, database dump and master key obviously are very tightly
> coupled and creating a new realm creates a new master key. Is there
> another way this procedure should have been done, one that doesn't
> require manually copying key stashes around?
During dump you can convert the db to use a different hash file. But
that's possible only at dump apparently. So you'd have to change order
of operations somewhat.
I think there is also the option to tell kdb5_ldap_util to use an
existing stash file when you create the db, but I am not 100% sure, it's
been some time.
> Anyway, this seems to be working fine so far, thanks again!
Glad to hear that.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
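The procedure Andreas lists, written up as a two-phase shell script so the manual krb5.conf edit sits between the dump and the LDAP realm creation (an added example, not code from the thread). Realm, DNs, `KDC_BIND_DN`, the Debian service names in `RESTART_CMD` and the paths are assumed placeholders; the only non-placeholder parts are the `kdb5_util` and `kdb5_ldap_util` subcommands from the message. It refuses to proceed when the old stash was not copied aside, because the dump is only usable with the master key it was written under.

```shell
#!/bin/sh
# Two-phase migration of a db2 KDC database to the LDAP backend (added
# example). Realm, DNs, service names and paths are placeholders.
set -eu
REALM="${REALM:-EXAMPLE.COM}"
KDC_DIR="${KDC_DIR:-/etc/krb5kdc}"               # holds the master-key stash
DUMP="${DUMP:-$KDC_DIR/kdb5-current.dump}"
LDAP_ADMIN_DN="${LDAP_ADMIN_DN:-cn=admin,dc=example,dc=com}"
KDC_BIND_DN="${KDC_BIND_DN:-cn=kdc-service,dc=example,dc=com}"  # for stashsrvpw
KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"              # overridable for dry runs
KDB5_LDAP_UTIL="${KDB5_LDAP_UTIL:-kdb5_ldap_util}"
RESTART_CMD="${RESTART_CMD:-systemctl restart krb5-kdc krb5-admin-server}"

# Phase 1, run while krb5.conf still points at the old backend: dump the
# database and copy the stash aside. The dump is only usable together
# with the master key it was written under, so a missing stash is a
# hard stop, not a warning.
prepare() {
    "$KDB5_UTIL" dump "$DUMP"
    [ -s "$DUMP" ] || { echo "empty dump, aborting" >&2; return 1; }
    [ -f "$KDC_DIR/stash" ] || { echo "no stash in $KDC_DIR" >&2; return 1; }
    cp -p "$KDC_DIR/stash" "$KDC_DIR/stash.pre-ldap"
}

# Phase 2, run after krb5.conf has been switched to the LDAP backend:
# create the realm (this writes a NEW stash), stash the KDC's LDAP bind
# password, import the dump, then put the OLD stash back so the KDC uses
# the key the imported principals are actually encrypted under.
migrate() {
    [ -f "$KDC_DIR/stash.pre-ldap" ] || { echo "run prepare first" >&2; return 1; }
    "$KDB5_LDAP_UTIL" -D "$LDAP_ADMIN_DN" create -s -r "$REALM"
    "$KDB5_LDAP_UTIL" -D "$LDAP_ADMIN_DN" stashsrvpw "$KDC_BIND_DN"
    "$KDB5_UTIL" load -update "$DUMP"
    cp -p "$KDC_DIR/stash.pre-ldap" "$KDC_DIR/stash"
    $RESTART_CMD
}

case "${1:-}" in
    prepare) prepare ;;
    migrate) migrate ;;
esac
```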