need advice on how to deal with KADM5_POLICY attribute

Will Fiveash William.Fiveash at
Wed Sep 27 19:23:01 EDT 2006

On Tue, Sep 26, 2006 at 06:47:16PM +0530, Praveenkumar Sahukar wrote:
> Hi,
> There is no straight forward way (something like a flag) to use the
> krb5_ldap_put_principal() function to overwrite an existing entry with a
> new entry.
> Won't a delete_principal followed by an add_principal suffice for the
> requirement? What exactly is the requirement?

The requirement is that the end result of "kdb5_util load" should be
similar for both the db2 and LDAP plugins.  Note that "kdb5_util load"
without an -update argument recreates the KDB and any existing princ or
policy records are gone, with the end result being a KDB that contains
exactly what was in the dump file.  With "kdb5_util load -update",
existing princ/policy entries in the LDAP dir. that are not in the dump
file are left alone and those princ/policy entries that are in the dump
file are overwritten.  What I'm concerned about is the case where a
princ entry in the dir. has a policy reference but the same princ entry
in the dump file does not have a policy reference.  Currently the LDAP
code does not touch the existing princ. entry's policy reference, which
differs from the db2 plugin behavior.

> Thanks,
> Praveen Kumar
> Will Fiveash wrote:
> > Never mind, I figured out what was going on.
> > 
> > I do have another issue related to this though.  When doing a kdb5_util
> > load into a LDAP directory it would be useful to be able to indicate to
> > the krb5_ldap_put_principal() that the entry is to completely replace
> > an existing entry.  Does such an interface exist?  If not, is it
> > reasonable to add another bit flag to the krb5_db_entry mask field?
> > 
> > On Sun, Sep 24, 2006 at 07:31:00PM -0500, Will Fiveash wrote:
> >> I'm close to getting the "kdb5_util load" command to work with the LDAP
> >> KDB plugin however I'm having some difficulty understanding how to deal
> >> with princ. records that have a policy reference.  Note that I
> >> have modified the dump.c:process_k5beta6_record() function to set the
> >> dbentry.mask so the krb5_ldap_put_principal() will properly create the
> >> princ attributes when putting the princ entry to the directory.  For
> >> example:
> >>
> >>         if (nread == 8) {
> >>             dbentry.attributes = (krb5_flags) t2;
> >>             dbentry.max_life = (krb5_deltat) t3;
> >>             dbentry.max_renewable_life = (krb5_deltat) t4;
> >>             dbentry.expiration = (krb5_timestamp) t5;
> >>             dbentry.pw_expiration = (krb5_timestamp) t6;
> >>             dbentry.last_success = (krb5_timestamp) t7;
> > 

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
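Added illustration (not code from the thread or from MIT krb5): a small C model of the two put behaviours described above, where `put_db2` replaces the whole record and `put_ldap` writes only mask-flagged attributes, so loading a dump entry that carries no policy reference leaves the directory's existing reference in place. `struct princ`, the function names and the "alice@EXAMPLE.COM" entry are constructed for the example; the KADM5_POLICY/KADM5_POLICY_CLR values are those from kadm5/admin.h, and the clear bit is used only to show what an explicit "clear" mask bit would change.

```c
#include <stdio.h>
#include <string.h>

/* Mask bit values as defined in kadm5/admin.h (MIT krb5). */
#define KADM5_POLICY     0x000800
#define KADM5_POLICY_CLR 0x001000

/* Constructed stand-in for the krb5_db_entry fields this thread touches. */
struct princ {
    char name[64];
    char policy[64];    /* "" means no policy reference */
    unsigned long mask; /* which fields the caller marks as valid */
};

/* Model of the db2 plugin: a put replaces the whole stored record. */
static void put_db2(struct princ *stored, const struct princ *dump)
{
    *stored = *dump;
}

/* Model of the LDAP plugin as described in the thread: only attributes
 * flagged in the mask are written, so a policy reference already in the
 * directory survives when the dump entry has no KADM5_POLICY bit set. */
static void put_ldap(struct princ *stored, const struct princ *dump)
{
    strcpy(stored->name, dump->name);
    if (dump->mask & KADM5_POLICY)
        strcpy(stored->policy, dump->policy);
    else if (dump->mask & KADM5_POLICY_CLR)
        stored->policy[0] = '\0';
    /* otherwise the existing policy reference is left untouched */
}

/* Returns 1 if, after a "load -update" of a dump entry without a policy
 * reference, the LDAP result's policy differs from the db2 result's. */
int policy_mismatch_after_update_load(unsigned long dump_mask)
{
    struct princ dir = { "alice@EXAMPLE.COM", "default", 0 }; /* constructed */
    struct princ db2 = dir;                                   /* same start state */
    struct princ dump = { "alice@EXAMPLE.COM", "", dump_mask }; /* no policy in dump */
    put_db2(&db2, &dump);
    put_ldap(&dir, &dump);
    return strcmp(db2.policy, dir.policy) != 0;
}

int main(void)
{
    printf("no clear bit:         mismatch=%d\n", policy_mismatch_after_update_load(0));
    printf("with KADM5_POLICY_CLR: mismatch=%d\n", policy_mismatch_after_update_load(KADM5_POLICY_CLR));
    return 0;
}
```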