Issues after switching from file- to LDAP-Backend
Marc Richter
mail at marc-richter.info
Thu Feb 19 10:16:47 EST 2015
Hi everyone,
I'm creating a KDC from scratch. I never got in touch with either KRB
or LDAP before. I'm using the (German) book "Kerberos - Single Sign-on
in gemischten Linux/Windows-Umgebungen" written by Mark Pröhl [1] to
achieve this goal.
Everything went well until I tried to switch from the file-based to the
LDAP-based storage backend. I could issue tickets using kinit, use
kadmin and kadmin.local, and all was fine.
Now, I have to switch to OpenLDAP as a backend for Kerberos. The book
first lets you install the necessary software and define a few principals and
policies using the default file backend before LDAP is getting involved.
After taking the steps described in the book, I have the problem that
when I try to issue any kadmin or kinit operation, I get the
following error:
root at krb5-kdc-1:/etc/default# kinit maxm
kinit: Invalid format of Kerberos lifetime or clock skew string while
getting initial credentials
root at krb5-kdc-1:/etc/default# kadmin -q listprincs
Authenticating as principal root/admin at IN-TELEGENCE.NET with password.
kadmin: Invalid format of Kerberos lifetime or clock skew string while
initializing kadmin interface
root at krb5-kdc-1:/etc/default#
When I use kadmin.local, everything works fine:
root at krb5-kdc-1:/etc/default# kadmin.local -q listprincs
Authenticating as principal root/admin at IN-TELEGENCE.NET with password.
K/M at IN-TELEGENCE.NET
krbtgt/IN-TELEGENCE.NET at IN-TELEGENCE.NET
kadmin/admin at IN-TELEGENCE.NET
kadmin/changepw at IN-TELEGENCE.NET
kadmin/history at IN-TELEGENCE.NET
...
root at krb5-kdc-1:/etc/default#
krb5kdc, kadmind, kadmin, kadmin.local, kinit and slapd all run on the
same machine. I'm using Debian 7.8 (wheezy).
Please find my config files attached.
The clock of the system is OK and I did not make changes to Kerberos
lifetime settings. I could not find anything related while searching for
these errors on Google.
The migration to LDAP worked like this:
1) Install the package krb5-kdc-ldap
2) Convert kerberos.schema to an LDIF-formatted file
3) Insert that LDIF file (attached as kerberos.ldif)
4) Add three LDAP objects (see krb-obj.ldif):
a) "ou=mit-kerberos,dc=in-telegence,dc=net"
b) "cn=mit-kdc,ou=mit-kerberos,dc=in-telegence,dc=net"
c) "cn=mit-kadmind,ou=mit-kerberos,dc=in-telegence,dc=net"
5) Change LDAP limits (see limits.ldif)
6) Add cn=mit-kdc and cn=mit-kadmind to the LDAP read/write group (see
rw.ldif)
7) Create a backup of the file-based KDC storage: "kdb5_util dump
in-telegence.net.dump"
8) Add the LDAP config to /etc/krb5kdc/kdc.conf (see attached file
etc_krb5kdc_kdc.conf - added [dbmodules] part).
9) Initialize LDAP:
a) kdb5_ldap_util create -D cn=admin,dc=in-telegence,dc=net -r
IN-TELEGENCE.NET -s -sscope sub
b) kdb5_ldap_util stashsrvpw -D cn=admin,dc=in-telegence,dc=net -f
/etc/krb5kdc/service.keyfile
cn=mit-kdc,ou=mit-kerberos,dc=in-telegence,dc=net
c) kdb5_ldap_util stashsrvpw -D cn=admin,dc=in-telegence,dc=net -f
/etc/krb5kdc/service.keyfile
cn=mit-kadmind,ou=mit-kerberos,dc=in-telegence,dc=net
10) Reload the backup of the previous file-based KDC DB into LDAP: "kdb5_util
-update load in-telegence.net.dump"
I entered the same master DB password in 9a) as I did when creating
the file-based storage, since its dump is re-inserted in 10).
I've repeated this procedure from scratch for the third time now. I'm
always stuck with this result, and since I'm not familiar with KRB or
LDAP yet, I'm completely running out of ideas.
Can somebody imagine what I'm doing wrong, or what's the matter here?
Best regards,
Marc
[1] http://www.dpunkt.de/buecher/2568/kerberos.html
-------------- next part --------------
# Automatically generated. If you change anything in this file other than the
# values of RUN_KADMIND or DAEMON_ARGS, first run dpkg-reconfigure
# krb5-admin-server and disable managing the kadmin configuration with
# debconf. Otherwise, changes will be overwritten.
RUN_KADMIND=true
DAEMON_ARGS="-r IN-TELEGENCE.NET"
-------------- next part --------------
# Automatically generated. Only the value of DAEMON_ARGS will be preserved.
# If you change anything in this file other than DAEMON_ARGS, first run
# dpkg-reconfigure krb5-kdc and disable managing the KDC configuration with
# debconf. Otherwise, changes will be overwritten.
DAEMON_ARGS="-r IN-TELEGENCE.NET"
-------------- next part --------------
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.conf by
# default)
SLAPD_PIDFILE=
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
#SLAPD_SERVICES="ldap:/// ldapi:///"
SLAPD_SERVICES="ldap:/// ldaps:/// ldapi:///"
# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab
# Additional options to pass to slapd
SLAPD_OPTIONS=""
-------------- next part --------------
[libdefaults]
default_realm = IN-TELEGENCE.NET
ticket_lifetime = 10 hours
renew_lifetime = 7 days
forwardable = true
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
IN-TELEGENCE.NET = {
kdc = krb5-kdc-1.in-telegence.net
admin_server = krb5-kdc-1.in-telegence.net
master_kdc = krb5-kdc-1.in-telegence.net
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
}
ZONE.MIT.EDU = {
kdc = casio.mit.edu
kdc = seiko.mit.edu
admin_server = casio.mit.edu
}
MOOF.MIT.EDU = {
kdc = three-headed-dogcow.mit.edu:88
kdc = three-headed-dogcow-1.mit.edu:88
admin_server = three-headed-dogcow.mit.edu
}
CSAIL.MIT.EDU = {
kdc = kerberos-1.csail.mit.edu
kdc = kerberos-2.csail.mit.edu
admin_server = kerberos.csail.mit.edu
default_domain = csail.mit.edu
krb524_server = krb524.csail.mit.edu
}
IHTFP.ORG = {
kdc = kerberos.ihtfp.org
admin_server = kerberos.ihtfp.org
}
GNU.ORG = {
kdc = kerberos.gnu.org
kdc = kerberos-2.gnu.org
kdc = kerberos-3.gnu.org
admin_server = kerberos.gnu.org
}
1TS.ORG = {
kdc = kerberos.1ts.org
admin_server = kerberos.1ts.org
}
GRATUITOUS.ORG = {
kdc = kerberos.gratuitous.org
admin_server = kerberos.gratuitous.org
}
DOOMCOM.ORG = {
kdc = kerberos.doomcom.org
admin_server = kerberos.doomcom.org
}
ANDREW.CMU.EDU = {
kdc = kerberos.andrew.cmu.edu
kdc = kerberos2.andrew.cmu.edu
kdc = kerberos3.andrew.cmu.edu
admin_server = kerberos.andrew.cmu.edu
default_domain = andrew.cmu.edu
}
CS.CMU.EDU = {
kdc = kerberos.cs.cmu.edu
kdc = kerberos-2.srv.cs.cmu.edu
admin_server = kerberos.cs.cmu.edu
}
DEMENTIA.ORG = {
kdc = kerberos.dementix.org
kdc = kerberos2.dementix.org
admin_server = kerberos.dementix.org
}
stanford.edu = {
kdc = krb5auth1.stanford.edu
kdc = krb5auth2.stanford.edu
kdc = krb5auth3.stanford.edu
master_kdc = krb5auth1.stanford.edu
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
}
UTORONTO.CA = {
kdc = kerberos1.utoronto.ca
kdc = kerberos2.utoronto.ca
kdc = kerberos3.utoronto.ca
admin_server = kerberos1.utoronto.ca
default_domain = utoronto.ca
}
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
media.mit.edu = MEDIA-LAB.MIT.EDU
.csail.mit.edu = CSAIL.MIT.EDU
csail.mit.edu = CSAIL.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
.slac.stanford.edu = SLAC.STANFORD.EDU
.toronto.edu = UTORONTO.CA
.utoronto.ca = UTORONTO.CA
.in-telegence.net = IN-TELEGENCE.NET
in-telegence.net = IN-TELEGENCE.NET
[logging]
default = SYSLOG:INFO:AUTH
-------------- next part --------------
[kdcdefaults]
kdc_ports = 88
kdc_tcp_ports = 88
v4_mode = disable
[realms]
IN-TELEGENCE.NET = {
database_name = /var/lib/krb5kdc/principal
acl_file = /etc/krb5kdc/kadm5.acl
#key_stash_file = /etc/krb5kdc/stash
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = aes256-cts
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
default_principals_flags = +preauth
database_module = openldap_ldapconf
}
[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH
[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kerberos_container_dn = "ou=mit-kerberos,dc=in-telegence,dc=net"
ldap_kdc_dn = "cn=mit-kdc,ou=mit-kerberos,dc=in-telegence,dc=net"
ldap_kadmind_dn = "cn=mit-kadmind,ou=mit-kerberos,dc=in-telegence,dc=net"
ldap_service_password_file = "/etc/krb5kdc/service.keyfile"
ldap_servers = "ldapi:///"
ldap_conns_per_server = 5
}
-------------- next part --------------
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=in-telegence,dc=net
URI ldap://krb5-kdc-1.in-telegence.net
TLS_CACERT /etc/ldap/ssl/CAcert.pem
TLS_REQCERT demand
-------------- next part --------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 4e3d19ac
dn: cn=kerberos,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: kerberos
olcAttributeTypes: {0}( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName'
EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1
.1466.115.121.1.26 )
olcAttributeTypes: {1}( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUAL
ITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466
.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: {2}( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {3}( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC
'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {4}( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpira
tion' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SING
LE-VALUE )
olcAttributeTypes: {5}( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQ
UALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {6}( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {7}( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAg
e' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {8}( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReference
s' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {9}( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' E
QUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {10}( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' E
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {11}( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' E
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {12}( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' E
QUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {13}( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {14}( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalRefe
rences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
)
olcAttributeTypes: {15}( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAt
tr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALU
E )
olcAttributeTypes: {16}( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' E
QUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {17}( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' E
QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {18}( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' E
QUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {19}( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffCha
rs' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {20}( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {21}( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLen
gth' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {22}( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUAL
ITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {23}( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInter
val' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {24}( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration'
EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {25}( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyRefe
rence' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 S
INGLE-VALUE )
olcAttributeTypes: {26}( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpir
ation' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
GLE-VALUE )
olcAttributeTypes: {27}( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey'
EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {28}( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyR
eference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
2 SINGLE-VALUE )
olcAttributeTypes: {29}( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQU
ALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {30}( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSal
tTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {31}( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncS
altTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {32}( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' E
QUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {33}( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange
' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-V
ALUE )
olcAttributeTypes: {34}( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQU
ALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE
)
olcAttributeTypes: {35}( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALIT
Y octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {36}( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAlia
ses' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {37}( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfu
lAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SIN
GLE-VALUE )
olcAttributeTypes: {38}( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAut
h' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-
VALUE )
olcAttributeTypes: {39}( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCo
unt' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE
)
olcAttributeTypes: {40}( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQ
UALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {41}( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferen
ces' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {42}( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContaine
rRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
olcAttributeTypes: {43}( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo'
EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26 )
olcObjectClasses: {0}( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP t
op STRUCTURAL MUST cn )
olcObjectClasses: {1}( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer'
SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSe
archScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltType
s $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers
$ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) )
olcObjectClasses: {2}( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top
ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) )
olcObjectClasses: {3}( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP
krbService STRUCTURAL )
olcObjectClasses: {4}( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP
krbService STRUCTURAL )
olcObjectClasses: {5}( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SU
P top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ kr
bPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswo
rdExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krb
LastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulA
uth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDe
legateTo ) )
olcObjectClasses: {6}( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP t
op STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences )
olcObjectClasses: {7}( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SU
P top AUXILIARY MAY krbPrincipalReferences )
olcObjectClasses: {8}( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP
krbService STRUCTURAL )
olcObjectClasses: {9}( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP
top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffCha
rs $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailure
CountInterval $ krbPwdLockoutDuration ) )
olcObjectClasses: {10}( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAu
x' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewabl
eAge ) )
olcObjectClasses: {11}( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy'
SUP top STRUCTURAL MUST cn )
-------------- next part --------------
dn: ou=mit-kerberos,dc=in-telegence,dc=net
objectClass: organizationalUnit
ou: mit-kerberos

dn: cn=mit-kdc,ou=mit-kerberos,dc=in-telegence,dc=net
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kdc
userPassword: {SSHA}jO+tRuvxaPQarfNsJyWr9n1lDVNbr0Pl

dn: cn=mit-kadmind,ou=mit-kerberos,dc=in-telegence,dc=net
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kadmind
userPassword: {SSHA}ORlj3m8UykvfKytByTq9b/OltRtmvsXd
-------------- next part --------------
dn: olcDatabase={2}bdb,cn=config
changetype: modify
add: olcLimits
olcLimits: dn.exact="cn=mit-kdc,ou=mit-kerberos,dc=in-telegence,dc=net" size=unlimited
olcLimits: dn.exact="cn=mit-kadmind,ou=mit-kerberos,dc=in-telegence,dc=net" size=unlimited
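The error string in the kinit and kadmin output above is the message MIT krb5 prints when a duration value it reads does not match its duration parser's grammar, so the first thing to check is every lifetime setting in krb5.conf and kdc.conf. The following is an added diagnostic example, not code from the post or from the krb5 project: it validates the duration parameters of a krb5.conf/kdc.conf-style text against the forms documented in krb5.conf(5); parse_deltat, check_durations and DURATION_KEYS are my own names, and SAMPLE_CONFIG is a sample constructed from the values in the posted config files.

```python
import re

# Duration forms documented in MIT's krb5.conf(5) man page:
#   h:m[:s]      e.g. "10:00", "1:30:15"
#   NdNhNmNs     e.g. "10h", "7d 0h 0m 0s" (each unit optional, whitespace allowed)
#   N            plain number of seconds, e.g. "36000"
# Word forms such as "10 hours" (common in Heimdal-style configs) are not in this grammar.
_HMS = re.compile(r"^(\d+):(\d{1,2})(?::(\d{1,2}))?$")
_DHMS = re.compile(r"^(?:(\d+)\s*d)?\s*(?:(\d+)\s*h)?\s*(?:(\d+)\s*m)?\s*(?:(\d+)\s*s)?$")
_SECS = re.compile(r"^\d+$")

# Parameters that hold durations in krb5.conf [libdefaults] and kdc.conf [realms].
DURATION_KEYS = {"ticket_lifetime", "renew_lifetime", "clockskew",
                 "max_life", "max_renewable_life"}


def parse_deltat(text):
    """Return the duration in seconds, or None if the value is outside MIT's grammar."""
    s = text.strip()
    if not s:
        return None
    if _SECS.match(s):
        return int(s)
    m = _HMS.match(s)
    if m:
        h, mi, se = (int(x) if x else 0 for x in m.groups())
        return h * 3600 + mi * 60 + se
    m = _DHMS.match(s)
    if m and any(g is not None for g in m.groups()):
        d, h, mi, se = (int(x) if x else 0 for x in m.groups())
        return d * 86400 + h * 3600 + mi * 60 + se
    return None


def check_durations(config_text):
    """Map each duration parameter in krb5.conf/kdc.conf-style text to
    (raw value, seconds or None); None marks a value the MIT parser rejects."""
    results = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in DURATION_KEYS:
            results[key] = (value, parse_deltat(value))
    return results


# Constructed sample: the duration lines from the posted krb5.conf and kdc.conf.
SAMPLE_CONFIG = """
[libdefaults]
ticket_lifetime = 10 hours
renew_lifetime = 7 days
[realms]
IN-TELEGENCE.NET = {
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
"""
```

Calling check_durations(SAMPLE_CONFIG) returns each parameter with its parsed seconds, and None for any value the documented grammar does not cover; run it over the real files before looking at the LDAP side, since kadmin.local does not request initial credentials and so does not exercise the same code path as kinit and kadmin.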