krb5/ldap troubles

Fri Jun 14 12:39:36 EDT 2013

Am 14.06.2013 09:32, schrieb Berthold Cogel:
> Am 13.06.2013 21:01, schrieb Greg Hudson:
>> On 06/13/2013 01:05 PM, Berthold Cogel wrote:
>>>> We fixed (1) in 1.9 and will remove (2) in 1.12.  If you cannot upgrade
>>>> to 1.9 or later, you should avoid the use of password policy objects.
>>
>>> How can I do this? I can remove a policy in kadmin, but what happens to
>>> the principals associated with the policy?
>>
>> krb5 1.6 doesn't let you remove a policy until no principals are
>> associated with it.  (krb5 1.12 will allow dangling policy references,
>> but that doesn't help you.)  So you'll have to remove those first,
>> probably using some kind of script given the number of users you have.
>> Removing the krbPwdPolicyReference attributes from the principal objects
>> in LDAP will suffice, if you have better LDAP scripting tools than
>> kadmin scripting tools.
>>
>> ________________________________________________
>> Kerberos mailing list           Kerberos at mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
> 
> OK.... I only have to remove the krbPwdPolicyReference attribute in
> LDAP? Then I don't need a script. I can do batch operations with Apache
> Directory Studio. And thanks to virtualisation I can snapshot the
> system. I case I make some mistake.
> 
> 
> Thanks a lot
> 
> Berthold Cogel
> 
> 
> 
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 

Done... with Apache Directory Studio.

I searched for all entries with krbPwdPolicyReference and created for
this subset a batch operation with modify/delete (LDIF file ...).
Creating the LDIF for about 73000 took about 15 minutes on my computer.
And I deleted all policy entries.

Now it works like a charm... No 'context switch' spike in vmstat during
authentication. All kerberos operations are fast now.

Thanks
Berthold Cogel