Changing the KDC search base dynamically

[Shani Ranasinghe]

Hi,
Thank you Greg and Simo.
Please find my comments in-line.
Regards,
Shani Ranasinghe.

@Simo, This is what I have done at the moment. When the user logs into the
system, I will know if that user is a tenant or not by the username
provided. Based on that I will know where to search for in the tree.  In my
application,  I need to get a TGT everytime the user logs into the system.
The problem with having the search the whole tree is that,  this will be a
performance hit in the long run. This is the main reason I was looking for
an alternative way rather than restarting the server, and searching the
whole tree.


On Wed, Dec 4, 2013 at 10:27 PM, Simo Sorce <simo at redhat.com> wrote:

> On Wed, 2013-12-04 at 11:10 +0530, Shani Ranasinghe wrote:
> > Hi,
> >
> > I am a newbie to Kerberos.
> >
> > I have  a set up where the realm (YYY.ORG) has many OU's (an OU for a
> > tenant). The structure is as follows
> > |_dc=yyy,dc=org
> >    |_ou=Groups
> >    |_u=Users
> >    |_ou=kkk.com
> >        |_ou=groups
> >        |_ou=users
> > Currently when starting up the KDC the search base is sent as a hard
> coded
> > string, and it send ou=Users,c=yyy,dc=org as the search base. I need to
> > change the search base to ou=users,ou=kkk.com,dc=yyy,dc=org, after the
> KDC
> > has been started, and without restarting the KDC. Can I do this by maybe
> a
> > client side configuration file(krb5.conf?)? I need to change this
> everytime
> > I do a Kinit to get the TGT.
> >
> > Appreciate any help.
>
> Why don't you simply set the base to dc=yyy,dc=org and let the KDC see
> the whole tree ? How would the KDC know when to change bases dynamically
> anyway ?
>
> Simo.
>
> --
> Simo Sorce * Red Hat, Inc * New York
>
>