[389-users] About Kerberos and dirsrv

Juan Carlos Camargo Carrillo juancar at eprinsa.es
Wed Jun 15 11:44:09 UTC 2011


To your former question, yes. Basically, and assuming you have
experience with openldap:

0.- Backup your current installation or create a new 389ds instance.
1.- Configure the kdc to use ldap as a database backend.
2.- Get the 60kerberos.ldif from freeIPA (it works out of the box with
389ds) and copy it to the instance's "schema" folder. Add
krb5principalname to your suffix database indexes. Restart dirsrv.

3.- Create the realm with kdb5_ldap_util.
4.- Create kerberos principals for your users
    4.1 for new users, "addprinc <principal>"
    4.2 for existing ldap users, "addprinc -x dn=<full dn of the user>
<principal>". This will add kerberos attributes to an existing ldap user.

Regards!

On Wed, 15-06-2011 at 13:10 +0200, Gioachino Bartolotta wrote:

> Hi !!
> 
> Yes, I want to use 389ds as a backend for kerberos.
> 
> So, will everything work just if I import the schemas on 389ds?
> 
> Another question. I actually have 2 389ds servers configured with multimaster
> replication, and on each server there is a kdc (1 master and 1 slave).
> 
> Do I have to copy the same keytab on both servers?
> 
> Do I also have to change the file /etc/sysconfig/saslauthd with these parameters?
> 
> MECH_OPTIONS=""
> THREADS=5
> START=yes
> MECHANISMS="ldap"
> OPTIONS="-m /var/run/saslauthd"
> 
> Then ... am I missing something else?
> 
> Thank you.
> 
> 2011/6/15 Juan Carlos Camargo Carrillo <juancar at eprinsa.es>:
> > Hi,
> >
> > It depends.  If you want to use 389ds as a Kerberos database backend  then
> > you should import the schema into the directory and yes, you'll need to
> > create principals or modify the existing ldap entries to accept kerberos
> > attributes, as you've said you did with openldap.  I've done it with my
> > 389ds lab and it works.
> >
> > On Wed, 15-06-2011 at 12:08 +0200, Gioachino Bartolotta wrote:
> >
> > Hi all,
> >
> > I have a problem setting up kerberos with 389 and I tried to do it using
> > the documents available on the 389 site and RedHat.
> >
> > I followed everything, but I am unable to get the initial ticket from
> > kerberos. Do I have to add these records as I have always done with
> > openldap?
> >
> > dn: ou=KerberosPrincipals,ou=Users,dc=domain
> > ou: KerberosPrincipals
> > objectClass: top
> > objectClass: organizationalUnit
> >
> > dn: krb5PrincipalName=ldapmaster/admin@DOMAIN,ou=KerberosPrincipals,ou=Users,dc=domain
> > objectClass: top
> > objectClass: person
> > objectClass: krb5Principal
> > objectClass: krb5KDCEntry
> > krb5PrincipalName: ldapmaster/admin@DOMAIN
> > krb5KeyVersionNumber: 1
> > krb5MaxLife: 86400
> > krb5MaxRenew: 604800
> > krb5KDCFlags: 126
> > cn: ldapmaster/admin@domain
> > sn: ldapmaster/admin@domain
> > userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==
> >
> > Thanks
> >
> >
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> >
> 
> 
> 
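
The steps 1 to 4 in the reply above, written out as a shell script. This is an added example, not code from the thread or from the 389ds or MIT Kerberos projects; the realm, suffix, backend name, service bind DNs, LDAP URI and file paths are assumptions. Two caveats a practitioner will want: the 60kerberos.ldif shipped by freeIPA is the MIT kldap schema, whose principal attribute is krbPrincipalName (389ds index names are case-insensitive, so an index named krb5principalname on that attribute would not match anything), and it is a different schema from the Heimdal krb5Principal/krb5KDCEntry entries shown in the first mail; and the principal keys the KDC writes into LDAP are encrypted under the realm master key, so every KDC that reads the replicated database needs the same master key stash, and the stashed bind passwords and the ACI on krbPrincipalKey are what to lock down.

```shell
#!/bin/sh
# Added example, not code from the thread: MIT Kerberos KDC using a 389ds
# instance as its kldap database. Realm, suffix, backend name, service DNs,
# LDAP URI and file paths are assumptions; change them for your instance.
REALM="EXAMPLE.COM"
SUFFIX="dc=example,dc=com"
BACKEND="userRoot"                                   # 389ds backend holding $SUFFIX
KRB_CONTAINER="cn=kerberos,${SUFFIX}"                # realm container created by kdb5_ldap_util
KDC_DN="uid=kdc,ou=Services,${SUFFIX}"               # read-only bind used by krb5kdc
KADMIND_DN="uid=kadmind,ou=Services,${SUFFIX}"       # read-write bind used by kadmind
LDAP_URI="ldaps://ldap1.example.com"
PW_FILE="/var/kerberos/krb5kdc/service.keyfile"      # stashed bind passwords

# Step 2: index entry for 389ds. The freeIPA/MIT schema names the attribute
# krbPrincipalName; 389ds index names are case-insensitive.
index_ldif() {
  cat <<EOF
dn: cn=krbPrincipalName,cn=index,cn=$1,cn=ldbm database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: nsIndex
cn: krbPrincipalName
nsSystemIndex: false
nsIndexType: eq
nsIndexType: pres
EOF
}

# Step 1: kdc.conf fragment pointing the realm at the kldap module.
kdc_conf_fragment() {
  cat <<EOF
[realms]
    $REALM = {
        database_module = ldap_389ds
    }

[dbmodules]
    ldap_389ds = {
        db_library = kldap
        ldap_kerberos_container_dn = $KRB_CONTAINER
        ldap_kdc_dn = $KDC_DN
        ldap_kadmind_dn = $KADMIND_DN
        ldap_service_password_file = $PW_FILE
        ldap_servers = $LDAP_URI
    }
EOF
}

# Steps 2-4 as typed on the KDC host. Not invoked here: it needs a live 389ds
# and prompts for the Directory Manager password and the new master key.
setup_realm() {
  index_ldif "$BACKEND" | ldapmodify -x -H "$LDAP_URI" -D "cn=Directory Manager" -W
  # then reindex the backend (e.g. db2index.pl -n "$BACKEND" -t krbPrincipalName),
  # restart dirsrv, and merge the output of kdc_conf_fragment into kdc.conf.

  # Step 3: realm container under $KRB_CONTAINER. -subtrees tells the KDC where
  # existing user entries live; -s stashes the master key in .k5.$REALM.
  kdb5_ldap_util -H "$LDAP_URI" -D "cn=Directory Manager" \
    create -subtrees "ou=Users,$SUFFIX" -sscope sub -r "$REALM" -s

  # Stash the bind passwords the KDC daemons use. The file holds them in
  # cleartext, so keep it root-owned, mode 0600.
  kdb5_ldap_util -H "$LDAP_URI" -D "cn=Directory Manager" stashsrvpw -f "$PW_FILE" "$KDC_DN"
  kdb5_ldap_util -H "$LDAP_URI" -D "cn=Directory Manager" stashsrvpw -f "$PW_FILE" "$KADMIND_DN"
  chmod 0600 "$PW_FILE"

  # Step 4.1: new principal, created as a new entry under the realm container.
  kadmin.local -r "$REALM" -q "addprinc alice"
  # Step 4.2: attach the Kerberos attributes to an existing 389ds user entry.
  kadmin.local -r "$REALM" -q "addprinc -x dn=uid=bob,ou=Users,$SUFFIX bob"
}

# Post-checks on ldapsearch output (LDIF). The samples below are constructed.
is_kerberized() {   # 0 if the entry now carries the kldap principal attributes
  printf '%s\n' "$1" | grep -qi '^objectClass: krbPrincipalAux' &&
  printf '%s\n' "$1" | grep -qi '^krbPrincipalName:'
}
leaks_keys() {      # 0 if the master-key-encrypted key blob is visible to this bind
  printf '%s\n' "$1" | grep -qi '^krbPrincipalKey:'
}

BOB_AS_KDC='dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: bob
krbPrincipalName: bob@EXAMPLE.COM
krbPrincipalKey:: MIIBQ...'          # constructed: search bound as $KDC_DN

BOB_ANON='dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krbPrincipalAux
uid: bob
krbPrincipalName: bob@EXAMPLE.COM'   # constructed: anonymous search, no key blob
```

After step 4.2, search for the user's entry twice, once bound as the KDC DN and once anonymously (or as an ordinary user), and feed each result to leaks_keys: the KDC bind must see krbPrincipalKey, the other must not. If both see it, the 389ds ACI on the users subtree is too permissive and the encrypted key material is readable by anyone who can read the entry.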

