need advice on how to deal with KADM5_POLICY attribute

Will Fiveash William.Fiveash at
Mon Oct 16 21:48:54 EDT 2006

On Fri, Sep 29, 2006 at 04:41:35PM +0530, Praveenkumar Sahukar wrote:
> Will Fiveash wrote:
> > On Tue, Sep 26, 2006 at 06:47:16PM +0530, Praveenkumar Sahukar wrote:
> >> Hi,
> >>
> >> There is no straight forward way (something like a flag) to use the
> >> krb5_ldap_put_principal() function to overwrite an existing entry with a
> >> new entry.
> >>
> >> Won't a delete_principal followed by an add_principal suffice the
> >> requirement? What exactly is the requirement ?
> > 
> > The requirement is that the end result of "kdb5_util load" should be
> > similar for both the db2 and LDAP plugins.  Note that "kdb5_util load"
> > without a -update argument recreates the KDB and any existing princ or
> > policy records are gone, with the end result being a KDB that contains
> > exactly what was in the dump file.  Using "kdb5_util load -update"
> > existing princ/policy entries in the LDAP dir. that are not in the dump
> > file are left alone and those princ/policy entries that are in the dump
> > file are overwritten.  What I'm concerned about is the case where a
> > princ entry in the dir. has a policy reference but the same princ entry
> > in the dump file does not have a policy reference.  Currently the LDAP
> > code does not touch the existing princ. entry's policy reference which
> > differs from the db2 plugin behavior.
> A flag mechanism can be used to mention to the
> krb5_ldap_put_principal() function that an ldap object should be
> overwritten.

I'm looking at using the mask field of krb5_db_entry.  In
krb5_ldap_put_principal() I see code like:

    if (entries->mask & KDB_PRINCIPAL)

I'm thinking that I could add a flag like 

#define KDB_LOAD      0x200000

after KDB_RANDKEY_USED in ldap_principal.h that would be used to set a
bit field in the entries->mask passed to krb5_ldap_put_principal().  The
setting would be done in the places where I'm already setting other mask
bit fields in the src/kadmin/dbutil/dump.c file.  This would indicate
that a load was being done so that the krb5_ldap_put_principal() code
would essentially either add a new principal entry if one did not exist
in the directory or do an ldap_modify on the existing dir. entry and
replace all the existing attributes with those in the entry passed to

I want this to work for both standalone principal entries and the mix-in
type.  I'm thinking that the code should determine if a dir. entry
exists with the krbPrincipalName attribute that matches the entry
and if it does then that dir. entry would be modified otherwise a
standalone dir. entry would be created.

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
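The add-or-replace logic described above, as an added C model that is not krb5's own code: an in-memory array stands in for the LDAP directory, put_principal() and policy_survives() are hypothetical names, and only the KDB_LOAD value comes from the message (the KDB_PRINCIPAL and KDB_POLICY values are constructed). It shows why the mask bit matters: without it an update leaves a stale policy reference on a principal whose dump entry has none, so the KDC keeps enforcing a policy the dump never specified.

```c
#include <stdio.h>
#include <string.h>
/* Mask bits for entries->mask. KDB_LOAD is the bit proposed in the message;
 * the KDB_PRINCIPAL and KDB_POLICY values are constructed, not krb5's real ones. */
#define KDB_PRINCIPAL 0x000001
#define KDB_POLICY    0x000002
#define KDB_LOAD      0x200000
#define DIR_SLOTS     8
/* Stand-in for a directory entry: krbPrincipalName plus an optional policy reference. */
struct dir_entry {
    int  in_use;
    char princ[64];
    char policy[64];   /* "" models an entry with no policy reference */
};
static struct dir_entry *find_by_princ(struct dir_entry *dir, const char *princ)
{
    for (int i = 0; i < DIR_SLOTS; i++)
        if (dir[i].in_use && strcmp(dir[i].princ, princ) == 0)
            return &dir[i];
    return NULL;
}
/* Returns 0 if a new entry was added, 1 if an existing one was modified, -1 if full. */
int put_principal(struct dir_entry *dir, const char *princ, const char *policy, unsigned mask)
{
    struct dir_entry *e = find_by_princ(dir, princ);
    if (e == NULL) {                        /* no krbPrincipalName match: add a standalone entry */
        for (int i = 0; i < DIR_SLOTS && e == NULL; i++)
            if (!dir[i].in_use) e = &dir[i];
        if (e == NULL) return -1;
        e->in_use = 1;
        snprintf(e->princ, sizeof e->princ, "%s", princ);
        snprintf(e->policy, sizeof e->policy, "%s", policy);
        return 0;
    }
    /* Modify: a load replaces every attribute (clearing a policy the dump lacks);
     * an update touches only attributes whose mask bit is set, so an old policy survives. */
    if ((mask & KDB_LOAD) || (mask & KDB_POLICY))
        snprintf(e->policy, sizeof e->policy, "%s", policy);
    return 1;
}
/* Seeds "alice" with a policy, then re-puts her from a dump entry that has none.
 * Returns 1 if the stale policy reference survived, 0 if it was cleared. */
int policy_survives(int load)
{
    struct dir_entry dir[DIR_SLOTS] = {{0}};
    put_principal(dir, "alice@EXAMPLE.COM", "default", KDB_PRINCIPAL | KDB_POLICY);
    put_principal(dir, "alice@EXAMPLE.COM", "", KDB_PRINCIPAL | (load ? KDB_LOAD : 0));
    return find_by_princ(dir, "alice@EXAMPLE.COM")->policy[0] != '\0';
}
```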
