need help with LDAP plug-in code and liblber dependency

Will Fiveash William.Fiveash at
Wed May 24 21:12:52 EDT 2006

On Tue, May 23, 2006 at 10:52:12PM -0400, Ken Raeburn wrote:
> On May 23, 2006, at 21:38, Will Fiveash wrote:
> >  Should kdb5_util support the create command with an LDAP
> >plug-in?  If not, how does one prep the directory so that kadmind and
> >krb5kdc can use it as they do the db2 KDB?
> It would be nice, someday, but no, currently you need to use  
> kdb5_ldap_util to create it.  I have a few notes in my email on how  
> to do this; we should be getting manual updates at some point.

A couple of points here:

- I'm concerned about UI consistency with regard to the db utils.  I was
  thinking that once one loaded the krb schema into the directory and
  configured the k*.conf files to use the LDAP plug-in that they could
  then proceed to create the KDB as they did in the past using
  kdb5_util.  In the case where the LDAP plug-in is used, the

  kdb5_util create -r ACME.COM -s

  would interact with the LDAP directory and create the default
  principal records and local stash file.  If a krb container object is
  required then it would create this as well.

- Why is kdb5_ldap_util create required in order to access princ/policy
  records in the directory?  The man page states that kdb5_ldap_util
  create creates a realm object which I assume is optional.  Am I

- How does one migrate an existing db2 KDB to a directory?  I was
  assuming that kdb5_util dump & load would be used.

- Regardless of the above, kdb5_util should not core dump regardless of
  the backend being used.  There needs to be better NULL function
  pointer checking in the kdb code.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
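
The last point of the message above, sketched as an added example (not part of the original post and not MIT krb5 code): a dispatch layer that checks each back-end function pointer before calling it and returns an error instead of crashing. The struct, function names and status codes are hypothetical, and it assumes the crash comes from calling an operation-table entry that a plug-in left NULL.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not krb5's real error values). */
enum { KDB_OK = 0, KDB_ERR_NOT_LOADED, KDB_ERR_OP_UNSUPPORTED };

/* Hypothetical back-end operation table; a plug-in may leave entries NULL. */
struct kdb_ops {
    const char *name;
    int (*create)(const char *realm);
    int (*get_principal)(const char *princ, char *out, size_t outlen);
};

/* Dispatch wrappers: the only code allowed to call through the table. */
int kdb_create(const struct kdb_ops *ops, const char *realm)
{
    if (ops == NULL)
        return KDB_ERR_NOT_LOADED;
    if (ops->create == NULL)          /* back end does not implement create */
        return KDB_ERR_OP_UNSUPPORTED;
    return ops->create(realm);
}

int kdb_get_principal(const struct kdb_ops *ops, const char *princ,
                      char *out, size_t outlen)
{
    if (ops == NULL)
        return KDB_ERR_NOT_LOADED;
    if (ops->get_principal == NULL)
        return KDB_ERR_OP_UNSUPPORTED;
    return ops->get_principal(princ, out, outlen);
}

/* Constructed stand-in back ends, each implementing only part of the table. */
static int demo_create(const char *realm) { return (realm && *realm) ? KDB_OK : -1; }
static int demo_get(const char *princ, char *out, size_t outlen)
{
    if (princ == NULL || out == NULL || outlen == 0)
        return -1;
    snprintf(out, outlen, "%s", princ);
    return KDB_OK;
}
const struct kdb_ops file_like = { "file-like", demo_create, NULL };
const struct kdb_ops dir_like  = { "dir-like", NULL, demo_get };

int main(void)
{
    printf("create via %s -> %d\n", dir_like.name, kdb_create(&dir_like, "ACME.COM"));
    return 0;
}
```
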
