krb5/ldap troubles
Berthold Cogel
cogel at uni-koeln.de
Fri Jun 14 03:32:13 EDT 2013
Am 13.06.2013 21:01, schrieb Greg Hudson:
> On 06/13/2013 01:05 PM, Berthold Cogel wrote:
>>> We fixed (1) in 1.9 and will remove (2) in 1.12. If you cannot upgrade
>>> to 1.9 or later, you should avoid the use of password policy objects.
>
>> How can I do this? I can remove a policy in kadmin, but what happens to
>> the principals associated with the policy?
>
> krb5 1.6 doesn't let you remove a policy until no principals are
> associated with it. (krb5 1.12 will allow dangling policy references,
> but that doesn't help you.) So you'll have to remove those first,
> probably using some kind of script given the number of users you have.
> Removing the krbPwdPolicyReference attributes from the principal objects
> in LDAP will suffice, if you have better LDAP scripting tools than
> kadmin scripting tools.
>
> ________________________________________________
> Kerberos mailing list Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
OK.... I only have to remove the krbPwdPolicyReference attribute in
LDAP? Then I don't need a script. I can do batch operations with Apache
Directory Studio. And thanks to virtualisation I can snapshot the
system. I case I make some mistake.
Thanks a lot
Berthold Cogel
More information about the Kerberos
mailing list