Convert ldap user principal

Raffael Sahli public at raffaelsahli.com
Fri Feb 10 09:09:10 EST 2012


Hi


Yes maybe I can do it with a script.... or with kdb5_ldap_util modify, 
I'll try it.


On 02/09/2012 10:10 PM, Daniel Savard wrote:
> Why not simply use the SASL authentication with GSSAPI and Mapping
> authentication identities?
? That was not really my question ;)


But SASL is exactly my problem. I work with SASL passthrough on our
OpenLDAP server, but {SASL} is not working if the Kerberos attributes
are on the same LDAP object that you authenticate as
(some lock from the OpenLDAP server... maybe).

See problem on OpenLDAP list:
http://www.openldap.org/lists/openldap-technical/201201/msg00047.html


If the principal is a separate object on the LDAP server, SASL
passthrough is working.



>
> http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities
>
> -----------------
> Daniel Savard
>
>
> 2012/2/9 Chris Hecker<checker at d6.com>
>
>> You can do this pretty trivially with pure ldap, and something like perl
>> or your favorite scripting language (with an ldap api), if I understand
>> what you're trying to do.  The krb5 stuff in the ldap entries are just
>> regular ldap attributes, I've mucked with them manually in ldapvi
>> before, moving krb attributes onto a separately created ldap entry, for
>> example.  As long as the krb5 username and realm aren't changing and you
>> make sure you get everything, you should have no problems.
>>
>> Chris
>>
>> On 2012/01/26 11:43, Raffael Sahli wrote:
>>> Hi
>>>
>>> How can I convert a principal which was created with -x
>>> dn="cn=myuser,dc=exam,dc=com" on a ldap backend
>>> into a normal principal located under
>>> krbPrincipalName=myuser@MYREALM.COM,cn=MYREALM.COM,dc=exam,dc=com.
>>> I have to convert all my user principals to "normal" principals.
>>>
>>> Thanks for your help
>>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>


-- 
Raffael Sahli
public at raffaelsahli.com
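
The move described in the quoted reply (krb* attributes relocated from the user entry onto a separately created principal entry), as an added example that is not part of the original thread. It assumes the standalone entry carries the object classes krbPrincipal, krbPrincipalAux and krbTicketPolicyAux from the MIT kerberos.schema; the function names are hypothetical and the sample entry, including its key blob, is constructed.

```python
import re

# Auxiliary classes that carry Kerberos data on a pre-existing entry (MIT kerberos.schema).
KRB_AUX = {"krbprincipalaux", "krbticketpolicyaux"}

# Constructed sample: a user entry holding principal data; the key blob is a placeholder.
SAMPLE = """\
dn: cn=myuser,dc=exam,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
cn: myuser
sn: User
krbPrincipalName: myuser@MYREALM.COM
krbPrincipalKey:: Q09OU1RSVUNURUQt
 UExBQ0VIT0xERVI=
krbLastPwdChange: 20120126114300Z
"""

def parse_entry(ldif):
    """Parse one LDIF record into (dn, [(attr, sep, value)]); sep '::' means base64."""
    lines = re.sub(r"\n ", "", ldif.strip()).splitlines()  # unfold continuation lines
    pairs = [re.match(r"([^:]+)(::?) ?(.*)", ln).groups() for ln in lines]
    return pairs[0][2], pairs[1:]

def split_principal(ldif, realm_dn):
    """Build LDIF that adds a standalone principal entry, then strips the user entry."""
    user_dn, pairs = parse_entry(ldif)
    krb = [p for p in pairs if p[0].lower().startswith("krb")]
    names = [v for a, _, v in krb if a.lower() == "krbprincipalname"]
    if len(names) != 1:
        raise ValueError(f"{user_dn}: expected exactly one krbPrincipalName")
    # The add comes first: if it fails, ldapmodify (without -c) stops before the modify.
    out = [f"dn: krbPrincipalName={names[0]},{realm_dn}", "changetype: add",
           "objectClass: krbPrincipal", "objectClass: krbPrincipalAux",
           "objectClass: krbTicketPolicyAux"]
    out += [f"{a}{s} {v}" for a, s, v in krb]  # copy every krb* value, keys included
    out += ["", f"dn: {user_dn}", "changetype: modify"]
    for attr in dict.fromkeys(a for a, _, _ in krb):
        out += [f"delete: {attr}", "-"]
    aux = [v for a, _, v in pairs if a.lower() == "objectclass" and v.lower() in KRB_AUX]
    if aux:  # aux classes go in the same modify so the entry stays schema-valid
        out += ["delete: objectClass", *[f"objectClass: {v}" for v in aux], "-"]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(split_principal(SAMPLE, "cn=MYREALM.COM,dc=exam,dc=com"))
```

The generated LDIF contains the krbPrincipalKey values, so the file needs the same protection as a keytab and should be removed once the change has been applied.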


