[krbdev.mit.edu #7787] RE: Kerberos LDAP issues (1.11)
Richard Basch via RT
rt-comment at krbdev.mit.edu
Tue Dec 3 22:32:07 EST 2013
The problem is only with the wiki. The correct schema is in the source tree
(but not installed).
From: Richard Basch [mailto:basch at alum.mit.edu]
Sent: Tuesday, December 03, 2013 9:10 PM
To: 'krb5-bugs at mit.edu'
Cc: 'richard.basch at gs.com'; 'Richard Basch'
Subject: RE: Kerberos LDAP issues (1.11)
In addition to the missing policy attributes I previously listed, it appears
there are also missing principal attributes in the schema, such as:
krbLastAdminUnlock
From: Richard Basch [mailto:basch at alum.mit.edu]
Sent: Tuesday, December 03, 2013 8:55 PM
To: 'krb5-bugs at mit.edu'
Cc: 'Richard Basch'; 'richard.basch at gs.com'
Subject: Kerberos LDAP issues (1.11)
The schema on the web site is lacking various required attributes to support
Kerberos with an LDAP backend.
http://k5wiki.kerberos.org/wiki/Kerberos.schema
When I tried creating a password policy, I encountered errors because of
missing attribute definitions and discovered the following were lacking in
the schema:
krbPwdAttributes
krbPwdMaxLife
krbPwdMaxRenewableLife
krbPwdAllowedKeySalts
I also am encountering issues loading a dump file (i.e. doing a conversion).
Even after resolving the above missing attribute definitions, I find about
1% of the principals fail to be loaded (when using kdb5_util load -update .)
<dumpfile>(line #): cannot store principal at REALM(Database store error)
<dumpfile>(line #): cannot read dump entry header
I plan to enable additional debugging to determine the cause of the above,
but I know the dump file is fine because the same dump file can be loaded
into a db2 backend without issue.
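A check for the schema gap reported in this thread, added here as an example (not code from the thread or from MIT krb5): it parses OpenLDAP-style `.schema` text and lists which of the attribute names mentioned above have no `attributetype` definition. The sample schema, its OIDs and the `exampleAlias` name are constructed for illustration.

```python
import re

# Attribute names reported missing in the thread above.
REQUIRED = [
    "krbPwdAttributes", "krbPwdMaxLife", "krbPwdMaxRenewableLife",
    "krbPwdAllowedKeySalts", "krbLastAdminUnlock",
]

# Constructed sample in OpenLDAP .schema syntax; the 1.1.x OIDs are placeholders.
SAMPLE_SCHEMA = """
# attributetype ( 1.1.0 NAME 'krbPwdAttributes' )   <- commented out
attributetype ( 1.1.1 NAME 'krbPwdMaxLife'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.1.2 NAME ( 'krbLastAdminUnlock' 'exampleAlias' )
    EQUALITY generalizedTimeMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )
objectclass ( 1.1.3 NAME 'krbPwdPolicy' SUP top
    MAY ( krbPwdMaxLife $ krbPwdMaxRenewableLife ) )
"""

# NAME is followed by one quoted name or a parenthesised list of quoted names.
ATTR_DEF = re.compile(
    r"^attributetype\s*\(\s*\S+\s+NAME\s+(\([^)]*\)|'[^']*')", re.I | re.M)

def defined_attributes(schema_text):
    """Return the lower-cased names defined by attributetype statements."""
    # Drop comment lines so commented-out definitions do not count.
    lines = [l for l in schema_text.splitlines()
             if not l.lstrip().startswith("#")]
    names = set()
    for m in ATTR_DEF.finditer("\n".join(lines)):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", m.group(1)))
    return names

def missing_attributes(schema_text, required=REQUIRED):
    """List required attributes that have no attributetype definition."""
    have = defined_attributes(schema_text)  # LDAP names are case-insensitive
    return [name for name in required if name.lower() not in have]

if __name__ == "__main__":
    # An attribute merely referenced by an objectclass is still reported.
    for name in missing_attributes(SAMPLE_SCHEMA):
        print("missing attributetype:", name)
```

Running the same function over the schema file actually loaded into the directory server, before creating policies or running the dump conversion, shows whether the definitions are present.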