krb5/ldap troubles

Berthold Cogel cogel at uni-koeln.de
Fri Jun 14 03:32:13 EDT 2013


On 13.06.2013 21:01, Greg Hudson wrote:
> On 06/13/2013 01:05 PM, Berthold Cogel wrote:
>>> We fixed (1) in 1.9 and will remove (2) in 1.12.  If you cannot upgrade
>>> to 1.9 or later, you should avoid the use of password policy objects.
> 
>> How can I do this? I can remove a policy in kadmin, but what happens to
>> the principals associated with the policy?
> 
> krb5 1.6 doesn't let you remove a policy until no principals are
> associated with it.  (krb5 1.12 will allow dangling policy references,
> but that doesn't help you.)  So you'll have to remove those first,
> probably using some kind of script given the number of users you have.
> Removing the krbPwdPolicyReference attributes from the principal objects
> in LDAP will suffice, if you have better LDAP scripting tools than
> kadmin scripting tools.
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

OK.... I only have to remove the krbPwdPolicyReference attribute in
LDAP? Then I don't need a script. I can do batch operations with Apache
Directory Studio. And thanks to virtualisation I can snapshot the
system. In case I make some mistake.


Thanks a lot

Berthold Cogel
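
The LDAP-side cleanup discussed in this thread, as an added example that is not part of either message: it reads an LDIF export of the principal entries and writes the modify records that delete krbPwdPolicyReference from every entry that has it. The realm, DNs and policy name in the sample are constructed, and feeding the output to ldapmodify (or an LDAP client's LDIF import) is an assumption about the workflow.

```python
import base64
import re

ATTR = "krbPwdPolicyReference"

# Constructed sample LDIF export; the realm, DNs and policy name are made up.
_B64_DN = base64.b64encode(
    "krbPrincipalName=jürgen@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=krbContainer,dc=example,dc=org".encode()
).decode()
SAMPLE_EXPORT = f"""\
dn: krbPrincipalName=alice@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=krbContainer,dc=exam
 ple,dc=org
krbPrincipalName: alice@EXAMPLE.ORG
krbPwdPolicyReference: cn=default,cn=EXAMPLE.ORG,cn=krbContainer,dc=example,dc=org

dn: krbPrincipalName=bob@EXAMPLE.ORG,cn=EXAMPLE.ORG,cn=krbContainer,dc=example,dc=org
krbPrincipalName: bob@EXAMPLE.ORG

dn:: {_B64_DN}
krbpwdpolicyreference: cn=default,cn=EXAMPLE.ORG,cn=krbContainer,dc=example,dc=org
"""


def principals_with_policy(export):
    """Return the dn lines of all entries that carry a policy reference."""
    unfolded = re.sub(r"\r?\n ", "", export)  # undo RFC 2849 line folding
    hits = []
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        lines = [l for l in block.splitlines() if l and not l.startswith("#")]
        # Keep the dn line verbatim so base64 DNs ("dn::") survive unchanged.
        dn_line = next((l for l in lines if l.lower().startswith("dn:")), None)
        # Attribute names are case-insensitive and may carry ";options".
        names = {l.split(":", 1)[0].split(";")[0].lower() for l in lines if ":" in l}
        if dn_line and ATTR.lower() in names:
            hits.append(dn_line)
    return hits


def removal_ldif(export):
    """Build LDIF change records deleting the attribute from each match."""
    return "\n".join(
        f"{dn}\nchangetype: modify\ndelete: {ATTR}\n-\n"
        for dn in principals_with_policy(export)
    )


if __name__ == "__main__":
    print(removal_ldif(SAMPLE_EXPORT))
```

Entries without the attribute are skipped, so the generated file can be reviewed against the export before it is applied.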





