Convert ldap user principal
Mark Pröhl
mark at mproehl.net
Thu Feb 9 13:43:02 EST 2012
On 09.02.2012 02:35, Ken Dreyer wrote:
> On Thu, Jan 26, 2012 at 12:43 PM, Raffael Sahli <public at raffaelsahli.com> wrote:
>> Hi
>>
>> How can I convert a principal which was created with -x
>> dn="cn=myuser,dc=exam,dc=com" on a ldap backend
>> into a normal principal located under
>> krbPrincipalName=myuser at MYREALM.COM,cn=MYREALM.COM,dc=exam,dc=com.
>> I have to convert all my user principals to "normal" principals.
>
> I'm a newbie to using LDAP as the krb5 backend... but I am thinking
> that this may not be possible. From what I've seen you must have two
> LDAP DNs for each user. I'd be happy to be corrected, because it would
> certainly make things simpler.
>
you can use the -x switch to extend an existing LDAP entry with kerberos
attributes. Example:
kadmin> add_principal -x dn="cn=John Doe,ou=people,dc=example,dc=com" jdoe
To make that work you need to configure additional sub trees with e.g.:
kdb5_ldap_util modify -D <LDAP Admin DN> -r EXAMPLE.COM -subtrees ou=people,dc=example,dc=com
In this way you can produce unified LDAP entries with kerberos principal
functionality. The initial question was how to separate those entries in
two. I think this can only be done directly by LDAP operations: create
new LDAP entries for each principal, delete the kerberos related
attributes from the existing user entries and add them to the newly
created kerberos principal entry. I did not check if that really works.
--
Mark Pröhl
mark at mproehl.net
www.kerberos-buch.de
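The LDAP-level procedure Mark sketches (new entry per principal, strip the krb* attributes and auxiliary object classes from the user entry, add them to the new entry) can be prepared offline as LDIF for ldapmodify(1). The script below is an added example, not part of the original message or of MIT krb5; it reads the LDIF of one unified entry and writes two change records: an add of the standalone krbPrincipalName= entry and a modify that removes the Kerberos state from the original user entry. Assumptions: the realm container DN (cn=EXAMPLE.COM,dc=example,dc=com, following the layout in the question), the sample entry and its dummy key blob are all constructed here; the attribute and object-class names (krbPrincipal, krbPrincipalAux, krbTicketPolicyAux) are those of the MIT krb5 kerberos.schema.

```python
"""Split a kadmin -x (unified) principal into a standalone krbPrincipalName= entry.

Added example. Reads LDIF of the extended user entry and emits LDIF for
ldapmodify(1): an 'add' for the new entry under the realm container and a
'modify' that strips the krb* attributes and Kerberos auxiliary classes
from the original user entry.
"""
import base64

# Auxiliary classes that kadmin -x adds to an existing entry (MIT kerberos.schema);
# a standalone principal entry carries the structural class krbPrincipal plus these.
KRB_AUX_CLASSES = {"krbprincipalaux", "krbticketpolicyaux"}
KRB_STRUCTURAL_CLASS = "krbPrincipal"

# Constructed sample of a unified entry; the krbPrincipalKey value is a dummy blob.
SAMPLE_LDIF = """\
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: John Doe
sn: Doe
uid: jdoe
krbPrincipalName: jdoe@EXAMPLE.COM
krbPrincipalKey:: MIIBAgQ=
krbLastPwdChange: 20120209120000Z
krbTicketFlags: 128
"""

# Assumed realm container; use the DN kdb5_ldap_util created in your directory.
REALM_DN = "cn=EXAMPLE.COM,dc=example,dc=com"


def parse_ldif(text):
    """Minimal LDIF reader: [(dn, {attr: [bytes, ...]}), ...].
    Handles 'attr: text', 'attr:: base64' and leading-space continuation lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # '::' marks a base64 value
                data = base64.b64decode(value[1:].strip())
            else:
                data = value.strip().encode()
            if name.lower() == "dn":
                dn = data.decode()
            else:
                attrs.setdefault(name, []).append(data)
        entries.append((dn, attrs))
    return entries


def ldif_value(name, data):
    """Emit 'name: text' when safe, 'name:: base64' otherwise (binary key blobs)."""
    if all(32 <= b < 127 for b in data):
        text = data.decode("ascii")
        if not text.startswith((" ", ":", "<")) and not text.endswith(" "):
            return f"{name}: {text}"
    return f"{name}:: {base64.b64encode(data).decode()}"


def split_principal(dn, attrs, realm_dn):
    """Return (add_ldif, modify_ldif) moving all krb* state of 'dn' to a new entry."""
    krb_attrs = {k: v for k, v in attrs.items() if k.lower().startswith("krb")}
    if "krbPrincipalName" not in krb_attrs:
        raise ValueError(f"{dn} carries no krbPrincipalName")
    principal = krb_attrs["krbPrincipalName"][0].decode()
    # '@' and '.' need no RDN escaping; escape per RFC 4514 if names contain ',' '+' etc.
    new_dn = f"krbPrincipalName={principal},{realm_dn}"
    aux = [c for c in attrs.get("objectClass", []) if c.decode().lower() in KRB_AUX_CLASSES]

    add = [f"dn: {new_dn}", "changetype: add", f"objectClass: {KRB_STRUCTURAL_CLASS}"]
    add += [f"objectClass: {c.decode()}" for c in aux]
    for name, values in krb_attrs.items():
        add += [ldif_value(name, v) for v in values]

    mod = [f"dn: {dn}", "changetype: modify"]
    for name in krb_attrs:                    # drop every krb* attribute, all values
        mod += [f"delete: {name}", "-"]
    if aux:                                   # drop only the Kerberos auxiliary classes
        mod += ["delete: objectClass"] + [f"objectClass: {c.decode()}" for c in aux] + ["-"]
    return "\n".join(add) + "\n", "\n".join(mod) + "\n"


if __name__ == "__main__":
    for entry_dn, entry_attrs in parse_ldif(SAMPLE_LDIF):
        add_rec, mod_rec = split_principal(entry_dn, entry_attrs, REALM_DN)
        print(add_rec)
        print(mod_rec)
```

Feed both records to a single `ldapmodify -x -D <LDAP Admin DN> -W` run, with krb5kdc and kadmind stopped, so no KDC lookup ever sees the same krbPrincipalName in two entries under its configured subtrees. Export the unified entries with `ldapsearch -LLL` (which base64-encodes the binary krbPrincipalKey exactly as this reader expects) and keep that export until a `kadmin getprinc` against the new entry confirms the keys and policy references survived the move.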