kdb-ldap plugin question: krbSubTrees realm attribute
Klaus Heinrich Kiwi
klausk at linux.vnet.ibm.com
Wed May 14 17:53:12 EDT 2008
Hi.

I've been working on patching the kdb-ldap plugin in order to support
the IBM LDAP Schema. For now I've been trying to figure out how the
current implementation works, and possibly what needs to be done in
order to support the IBM Schema using the current code as a base.

I'm curious about the 'krbSubTrees' attribute, found within the
krbRealmContainer objectclass.

Looking at the code and Admin guide, it looks like an attribute configured
at realm creation time, where one can specify a list of subtrees where
the principals for the to-be-configured Realm will be placed. Does that
mean that principals don't necessarily need to be placed under a
krbRealmContainer?

In my basic testbed setup here I have the following:

+dc=myDomain,dc=com /* base */
|+dn: cn=krbcontainer,dc=myDomain,dc=com /* krbContainer */
|+dn: cn=MYREALM,cn=krbcontainer,dc=myDomain,dc=com /* krbRealmContainer */
|-dn: krbPrincipalName=kadmin/pam@MYREALM,cn=MYREALM,cn=krbcontainer,dc=myDomain,dc=com
|-... (more principals)

where my 'krbSubTrees=dc=myDomain,dc=com' (single-valued). Is this setup
correct?

What would happen if I had 'krbSubTrees=cn=realms,dc=myDomain,dc=com' or
multiple values?

Thanks,
--Klaus
--
Klaus Heinrich Kiwi
Security Development - IBM Linux Technology Center