need help with LDAP plug-in code and liblber dependency
Will Fiveash
William.Fiveash at sun.com
Wed May 24 21:12:52 EDT 2006
On Tue, May 23, 2006 at 10:52:12PM -0400, Ken Raeburn wrote:
> On May 23, 2006, at 21:38, Will Fiveash wrote:
> > Should kdb5_util support the create command with a ldap
> > plug-in? If not, how does one prep the directory so that kadmind and
> > krb5kdc can use it as they do the db2 KDB?
>
> It would be nice, someday, but no, currently you need to use
> kdb5_ldap_util to create it. I have a few notes in my email on how
> to do this; we should be getting manual updates at some point.

A couple of points here:

- I'm concerned about UI consistency in regards to the db utils. I was
  thinking that once one loaded the krb schema into the directory and
  configured the k*.conf files to use the LDAP plug-in that they could
  then proceed to create the KDB as they did in the past using
  kdb5_util. In the case where the LDAP plug-in is used, the

      kdb5_util create -r ACME.COM -s

  would interact with the LDAP directory and create the default
  principal records and local stash file. If a krb container object is
  required then it would create this as well.

- Why is kdb5_ldap_util create required in order to access princ/policy
  records in the directory? The man page states that kdb5_ldap_util
  create creates a realm object which I assume is optional. Am I
  mistaken?

- How does one migrate an existing db2 KDB to a directory? I was
  assuming that kdb5_util dump & load would be used.

- Regardless of the above, kdb5_util should not core dump regardless of
  the backend being used. There needs to be better NULL function
  pointer checking in the kdb code.

--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
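
The last point in the message above, as an added example that is not part of the original post or of the krb5 source: a database front end that dispatches through a plug-in method table checks both the table and the individual slot before calling, so a backend that does not implement an operation produces an error instead of a crash. The struct, function names and error codes are hypothetical and the two backends are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical error codes for this sketch (not krb5 error values). */
enum { DB_OK = 0, DB_ERR_NO_BACKEND, DB_ERR_OP_NOTSUPP, DB_ERR_BAD_ARG };

/* Hypothetical backend method table; a plug-in may leave slots NULL. */
struct db_vtable {
    const char *name;
    int (*create)(const char *realm);
};

/* Constructed backend that implements create and validates its input. */
static int db2_like_create(const char *realm)
{
    return (realm != NULL && realm[0] != '\0') ? DB_OK : DB_ERR_BAD_ARG;
}

/* Constructed sample backends: the second one has no create method. */
static const struct db_vtable db2_like  = { "db2-like",  db2_like_create };
static const struct db_vtable ldap_like = { "ldap-like", NULL };

/* Dispatch through the table. Both the table pointer and the slot are
 * checked, so a missing method becomes an error code, not a NULL call. */
int db_create(const struct db_vtable *vt, const char *realm)
{
    if (vt == NULL)
        return DB_ERR_NO_BACKEND;
    if (vt->create == NULL)
        return DB_ERR_OP_NOTSUPP;
    return vt->create(realm);
}

const char *db_strerror(int code)
{
    switch (code) {
    case DB_OK:             return "success";
    case DB_ERR_NO_BACKEND: return "no database backend loaded";
    case DB_ERR_OP_NOTSUPP: return "operation not supported by this backend";
    case DB_ERR_BAD_ARG:    return "invalid argument";
    default:                return "unknown error";
    }
}

int main(void)
{
    const struct db_vtable *backends[] = { &db2_like, &ldap_like, NULL };
    for (size_t i = 0; i < 3; i++)
        printf("%s: %s\n", backends[i] ? backends[i]->name : "(none)",
               db_strerror(db_create(backends[i], "ACME.COM")));
    return 0;
}
```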