need advice on how to deal with KADM5_POLICY attribute

Will Fiveash William.Fiveash at
Mon Sep 25 19:45:00 EDT 2006

Never mind, I figured out what was going on.

I do have another issue related to this though.  When doing a kdb5_util
load into a LDAP directory it would be useful to be able to indicate to
the krb5_ldap_put_principal() that the entry is to completely replace
an existing entry.  Does such an interface exist?  If not, is it
reasonable to add another bit flag to the krb5_db_entry mask field?

On Sun, Sep 24, 2006 at 07:31:00PM -0500, Will Fiveash wrote:
> I'm close to getting the "kdb5_util load" command to work with the LDAP
> KDB plugin however I'm having some difficulty understanding how to deal
> with princ. records that have a policy reference.  Note that I
> have modified the dump.c:process_k5beta6_record() function to set the
> dbentry.mask so the krb5_ldap_put_principal() will properly create the
> princ attributes when putting the princ entry to the directory.  For
> example:
>         if (nread == 8) {
>             dbentry.attributes = (krb5_flags) t2;
>             dbentry.max_life = (krb5_deltat) t3;
>             dbentry.max_renewable_life = (krb5_deltat) t4;
>             dbentry.expiration = (krb5_timestamp) t5;
>             dbentry.pw_expiration = (krb5_timestamp) t6;
>             dbentry.last_success = (krb5_timestamp) t7;

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)

More information about the krbdev mailing list