[389-users] About Kerberos and dirsrv

Gioachino Bartolotta gioachino.bartolotta at gmail.com
Thu Jun 16 08:52:07 UTC 2011


Hi Juan!

Is it possible to write a bash script to import existing users into Kerberos?
In my LDAP I already have 2000 users ...

Thanks


2011/6/15 Juan Carlos Camargo Carrillo <juancar at eprinsa.es>:
> To your former question, yes. Basically, and assuming you have experience
> with openldap:
>
> 0.- Backup your current installation or create a new 389ds instance.
> 1.- Configure the kdc to use ldap as a database backend.
> 2.- Get the 60kerberos.ldif from freeIPA (it works out of the box with
> 389ds) and copy it to the instance's "schema" folder. Add krb5principalname
> to your  suffix database indexes. Restart dirsrv.
>
> 3.- Create the realm with kdb5_ldap_util.
> 4.- Create kerberos principals for your users
>     4.1 for new users, "addprinc <principal>"
>     4.2 for existing ldap users, "addprinc -x dn=<full dn of the user>
> <principal>". This will add kerberos attributes to an existing ldap user.
>
> Regards!
>
> On Wed, 15-06-2011 at 13:10 +0200, Gioachino Bartolotta wrote:
>
> Hi !!
>
> Yes, I want to use 389ds as a backend for kerberos.
>
> So, will everything work if I just import the schemas into 389ds?
>
> Another question. I currently have two 389ds servers configured with multimaster
> replication, and on each server there is a KDC (1 master and 1 slave).
>
> Do I have to copy the same keytab to both servers?
>
> Do I also have to change the file /etc/sysconfig/saslauthd with these
> parameters?
>
> MECH_OPTIONS=""
> THREADS=5
> START=yes
> MECHANISMS="ldap"
> OPTIONS="-m /var/run/saslauthd"
>
> Then ... am I missing something else?
>
> Thank you.
>
> 2011/6/15 Juan Carlos Camargo Carrillo <juancar at eprinsa.es>:
>> Hi,
>>
>> It depends.  If you want to use 389ds as a Kerberos database backend  then
>> you should import the schema into the directory and yes, you'll need to
>> create principals or modify the existing ldap entries to accept kerberos
>> attributes, as you've said you did with openldap.  I've done it with my
>> 389ds lab and it works.
>>
>> On Wed, 15-06-2011 at 12:08 +0200, Gioachino Bartolotta wrote:
>>
>> Hi all,
>>
>> I have a problem setting up Kerberos with 389 and I tried to do it using
>> the documents available on the 389 site and Red Hat.
>>
>> I followed everything, but I am unable to get the initial ticket from
>> Kerberos. Do I have to add these records as I have always done with
>> OpenLDAP?
>>
>> dn: ou=KerberosPrincipals,ou=Users,dc=domain
>> ou: KerberosPrincipals
>> objectClass: top
>> objectClass: organizationalUnit
>>
>> dn: krb5PrincipalName=ldapmaster/admin@DOMAIN,ou=KerberosPrincipals,ou=Users,dc=domain
>> objectClass: top
>> objectClass: person
>> objectClass: krb5Principal
>> objectClass: krb5KDCEntry
>> krb5PrincipalName: ldapmaster/admin@DOMAIN
>> krb5KeyVersionNumber: 1
>> krb5MaxLife: 86400
>> krb5MaxRenew: 604800
>> krb5KDCFlags: 126
>> cn: ldapmaster/admin@domain
>> sn: ldapmaster/admin@domain
>> userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==
>>
>> Thanks
>>
>>
>>
>> --
>> 389 users mailing list
>> 389-users at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>



-- 
-------------------------------------------
Gioachino Bartolotta
ICQ #: 9103167
MSN Messenger: astraroth at email.it
Yahoo & Skype: gioachino_bartolotta
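Added example, not from anyone in this thread: a POSIX shell script that does what the top message asks for, using Juan's step 4.2 ("addprinc -x dn=<full dn of the user> <principal>") over every user ldapsearch returns. It assumes MIT krb5 with the LDAP backend, realm EXAMPLE.COM, users under ou=Users,dc=domain with a uid attribute, an ldapsearch bind that can read them, and kadmin.local run as root on the KDC; all of these are assumptions, not facts from the thread. It handles two things a naive one-liner misses: ldapsearch folds long LDIF lines (continuation lines start with a space), and DNs with non-ASCII characters come out base64-encoded (`dn::`), which "-x dn=" cannot take literally.

```shell
#!/bin/sh
# Added example (not from the thread). Bulk-create Kerberos principals for
# existing 389ds users via "addprinc -x dn=<dn>". Assumptions: MIT krb5 LDAP
# backend, realm EXAMPLE.COM, users under ou=Users,dc=domain with a uid.
set -eu

REALM="${REALM:-EXAMPLE.COM}"               # assumption: your realm
BASE_DN="${BASE_DN:-ou=Users,dc=domain}"    # assumption: where users live
tab="$(printf '\t')"

# ldapsearch folds long LDIF lines; a continuation line starts with one space.
# Join them back so every attribute is on a single line.
unfold_ldif() {
  awk '
    /^ /   { buf = buf substr($0, 2); next }
    NR > 1 { print buf }
           { buf = $0 }
    END    { if (NR > 0) print buf }
  '
}

# LDIF on stdin -> one "dn<TAB>uid" line per entry that has both.
# Base64 DNs (dn::) are skipped because "-x dn=" needs a literal DN.
ldif_to_dn_uid() {
  unfold_ldif | awk '
    /^dn: /  { dn = substr($0, 5); uid = ""; next }
    /^dn:: / { dn = ""; uid = ""; next }
    /^uid: / { uid = substr($0, 6); next }
    /^$/     { if (dn != "" && uid != "") print dn "\t" uid; dn = ""; uid = "" }
    END      { if (dn != "" && uid != "") print dn "\t" uid }
  '
}

# "dn<TAB>uid" lines on stdin -> kadmin.local commands on stdout.
# -randkey keeps passwords off the command line and out of shell history;
# each user then gets a password with "cpw" (or use -pw with a per-user value
# read from a secure source). The DN is quoted because it may contain spaces.
build_kadmin_cmds() {
  while IFS="$tab" read -r dn uid; do
    printf 'addprinc -randkey -x "dn=%s" %s@%s\n' "$dn" "$uid" "$REALM"
  done
}

# Live run: only users that do not already carry Kerberos attributes
# (krbPrincipalAux is the auxiliary class from MIT's 60kerberos.ldif), so the
# script can be re-run safely after a partial import.
migrate() {
  ldapsearch -x -LLL -b "$BASE_DN" \
    '(&(objectClass=inetOrgPerson)(!(objectClass=krbPrincipalAux)))' uid \
    | ldif_to_dn_uid | build_kadmin_cmds | kadmin.local
}

# Constructed sample of ldapsearch -LLL output, including one folded line.
SAMPLE_LDIF='dn: uid=alice,ou=Users,dc=domain
uid: alice
cn: Alice

dn: uid=bob,ou=Users,dc=domain
uid: bob
description: a long value that ldapsearch wrapped
 onto a second line
'

# Dry run over the sample; call migrate (as root, on the KDC) for the real thing.
printf '%s' "$SAMPLE_LDIF" | ldif_to_dn_uid | build_kadmin_cmds
```

Run it once as-is to see the generated kadmin.local commands, then call `migrate` from the KDC. Skipped base64 DNs should be handled by hand, and the ldapsearch bind should be a read-only account rather than Directory Manager.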


