krb5/ldap troubles

Greg Hudson ghudson at MIT.EDU
Thu Jun 13 15:01:32 EDT 2013


On 06/13/2013 01:05 PM, Berthold Cogel wrote:
>> We fixed (1) in 1.9 and will remove (2) in 1.12.  If you cannot upgrade
>> to 1.9 or later, you should avoid the use of password policy objects.

> How can I do this? I can remove a policy in kadmin, but what happens to
> the principals associated with the policy?

krb5 1.6 doesn't let you remove a policy until no principals are
associated with it.  (krb5 1.12 will allow dangling policy references,
but that doesn't help you.)  So you'll have to remove those first,
probably using some kind of script given the number of users you have.
Removing the krbPwdPolicyReference attributes from the principal objects
in LDAP will suffice, if you have better LDAP scripting tools than
kadmin scripting tools.
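One way to script the LDAP side of that, as an added example that is not from the message or from MIT krb5 itself: it turns the output of an `ldapsearch` for principals referencing the policy into an LDIF that deletes just that `krbPwdPolicyReference` value, so the policy can then be removed in kadmin. The policy DN, base DN, bind DN and output file name are assumptions.

```shell
#!/bin/sh
# Assumed values for this example; adjust to your directory layout.
POLICY_DN='cn=default,cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com'
BASE_DN='cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com'
BIND_DN='cn=admin,dc=example,dc=com'

# Read LDIF on stdin (as written by "ldapsearch -LLL ... dn"), unwrap folded
# continuation lines, and emit one modify record per entry that deletes the
# given policy DN from krbPwdPolicyReference. Deleting the specific value,
# rather than the whole attribute, fails loudly if an entry changed between
# the search and the modify. Base64-encoded "dn::" lines are not handled.
unlink_policy_ldif() {
    awk -v policy="$1" '
        function flush() {
            if (dn != "") {
                print "dn: " dn
                print "changetype: modify"
                print "delete: krbPwdPolicyReference"
                print "krbPwdPolicyReference: " policy
                print "-"
                print ""
            }
            dn = ""
        }
        /^ /    { if (indn) dn = dn substr($0, 2); next }  # folded line
        /^dn: / { flush(); dn = substr($0, 5); indn = 1; next }
                { indn = 0 }
        /^$/    { flush() }
        END     { flush() }
    '
}

# Usage: unlink_policy_run, after checking the three DNs above. It writes the
# LDIF to a file for review instead of applying it directly; apply it with
# "ldapmodify -x -D "$BIND_DN" -W -f unlink-policy.ldif", after which the
# policy should be deletable with kadmin's delete_policy.
unlink_policy_run() {
    ldapsearch -LLL -x -D "$BIND_DN" -W -b "$BASE_DN" \
        "(krbPwdPolicyReference=$POLICY_DN)" dn \
      | unlink_policy_ldif "$POLICY_DN" > unlink-policy.ldif
}
```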
