replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end

Bart Van den Broeck Bart.VandenBroeck at
Thu Jan 13 17:09:38 EST 2011

Hi all

Since we are migrating from Debian to RedHat, we are considering 
replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT 
Kerberos server (again with LDAP back-end) since RedHat packages are only 
available for MIT Kerberos.  In order to make this migration/upgrade as 
transparent as possible for our users, we want to convert all the 
necessary info in the Heimdal back-end to the MIT back-end.  Are there 
any pointers available for this kind of operation?  E.g. things like 
conversion tables mapping the corresponding Kerberos-specific LDAP 
attributes?  Or even scripts?

I'm especially looking at the Kerberos key attributes, i.e.
- Heimdal: krb5Key
- MIT: krbPrincipalKey
Is it possible to convert the former into the latter?  Is there any code 
available for this operation?  If not, we would have to require all our 
users to change their passwords at the same time, which is not very 

Thanks in advance

More information about the Kerberos mailing list