kdb-ldap plugin question: krbSubTrees realm attribute
Simo Sorce
ssorce at redhat.com
Wed May 14 18:39:06 EDT 2008
On Wed, 2008-05-14 at 18:53 -0300, Klaus Heinrich Kiwi wrote:
> Hi.
>
> I've been working on patching the kdb-ldap plugin in order to support
> the IBM LDAP Schema. For now I've been trying to figure out how the
> current implementation works, and possibly what needs to be done in
> order to support the IBM Schema using the current code as a base.
>
> I'm curious about the 'krbSubTrees' attribute, found within the
> krbRealmContainer objectclass.
>
> Looking at the code and Admin guide, looks like an attribute configured
> at realm creation time, where one can specify a list of subtrees where
> the principals for the to-be-configured Realm will be placed. Does that
> mean that principals don't necessarily need to be placed under a
> krbRealmContainer?
Nope, principals can be put anywhere in the tree, but they will be looked
up only in the defined krbSubTrees trees.
> In my basic testbed setup here I have the following:
>
> +dc=myDomain,dc=com /* base */
> |+dn: cn=krbcontainer,dc=myDomain,dc=com /* krbContainer */
> |+dn: cn=MYREALM,cn=krbcontainer,dc=myDomain,dc=com /* krbRealmContainer */
> |-dn: krbPrincipalName=kadmin/pam at MYREALM,cn=MYREALM,cn=krbcontainer,dc=myDomain,dc=com
> |-... (more principals)
>
> where my 'krbSubTrees=dc=myDomain,dc=com' (single-valued). Is this setup
> correct?
I use this setup in the FreeIPA project as we stick the keys to the user
accounts entries, works flawlessly.
> What happens if I had 'krbSubTrees=cn=realms,dc=myDomain,dc=com' or with
Only nodes of the cn=realms,dc=myDomain,dc=com will be searched for the
principals.
> multiple values?
Multiple subtrees should be searched for the principals (I have not
tested this, though).
Simo.
--
Simo Sorce * Red Hat, Inc * New York
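An added example (not from the thread or the kdb-ldap plugin) that models the lookup rule discussed above: the KDC only finds a principal entry if its DN sits under one of the realm's configured krbSubTrees values, so a principal stored elsewhere silently fails to resolve. DN handling is simplified (no escaped commas), and the subtree lists and principal DNs are constructed to mirror the tree in the question.

```python
# Added example, not part of the krbdev thread or the kdb-ldap plugin.
# Models the rule that a principal is looked up only inside krbSubTrees.
# DN parsing is simplified (assumes no escaped commas in RDN values).

def split_dn(dn):
    """Split a DN into normalised (attr, value) RDN tuples, suffix last."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        # Attribute types are case-insensitive; values treated likewise here.
        parts.append((attr.strip().lower(), value.strip().lower()))
    return parts

def dn_under(dn, base):
    """True if dn is base itself or lies beneath it (LDAP subtree scope)."""
    dn_parts, base_parts = split_dn(dn), split_dn(base)
    if len(base_parts) > len(dn_parts):
        return False
    return dn_parts[len(dn_parts) - len(base_parts):] == base_parts

def searchable_principals(principal_dns, krb_subtrees):
    """Principals the KDC would find given the realm's krbSubTrees values."""
    return [p for p in principal_dns
            if any(dn_under(p, s) for s in krb_subtrees)]

def audit_subtrees(principal_dns, krb_subtrees):
    """Principals present in the DIT but outside every configured subtree."""
    found = set(searchable_principals(principal_dns, krb_subtrees))
    return [p for p in principal_dns if p not in found]

# Constructed sample entries: the kadmin principal from the question's tree,
# plus a principal kept on a user entry elsewhere (the FreeIPA-style layout).
PRINCIPALS = [
    "krbPrincipalName=kadmin/pam@MYREALM,cn=MYREALM,cn=krbcontainer,"
    "dc=myDomain,dc=com",
    "uid=alice,cn=users,cn=accounts,dc=myDomain,dc=com",
]

if __name__ == "__main__":
    for subtrees in (["dc=myDomain,dc=com"],
                     ["cn=realms,dc=myDomain,dc=com"],
                     ["cn=krbcontainer,dc=myDomain,dc=com",
                      "cn=accounts,dc=myDomain,dc=com"]):
        print(subtrees, "-> unreachable:", audit_subtrees(PRINCIPALS, subtrees))
```

Running an audit like this against a real directory (feeding it the realm's krbSubTrees and the DNs of all krbPrincipalAux entries) catches principals that were created outside the searched subtrees before users hit unexplained "client not found" failures.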