Kerberos + LDAP question

Kerberos + LDAP question

Pascal Jakobi
I have set up a KDC and an OpenLDAP server. Both seem to work like a
charm and are linked (krb5-server-ldap package).
Only a small issue remains. Not sure whether this is a limitation in the server.

Here is what I see.

1/ If I create a principal in kadmin.local, "addprinc [hidden email]",
the corresponding principal is stored in the realm subtree in the directory.
2/ If I create a principal in kadmin.local with its LDAP DN, "addprinc
-x dn="uid=test2,ou=people,dc=jakobi,dc=fr" [hidden email]", the DN entry
is updated with the Kerberos info stuff (principal name, etc.) - which is
fine. However, the principal does not seem to be created in the directory,
but rather on the KDC.

Is this the expected behaviour?
If so, should I update the DN and the principal entry by hand in the
directory?

Thanks in advance

--
Pascal Jakobi <mailto:[hidden email]>
116 rue de Stalingrad
93100 Montreuil, France
Tel : +33 6 87 47 58 19
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Kerberos + LDAP question

Greg Hudson
On 04/30/2015 09:08 AM, Pascal Jakobi wrote:
> 2/ If I create a principal in kadmin.local with its LDAP DN, "addprinc
> -x dn="uid=test2,ou=people,dc=jakobi,dc=fr" [hidden email]", the DN entry
> is updated with the Kerberos info stuff (principal name, etc.) - which is
> fine. However, the principal does not seem to be created in the directory,
> but rather on the KDC.

Sorry, I don't understand what you mean by that last part.  The KDC
doesn't have any place to store principals other than in the directory,
in this configuration.  What are you seeing which leads to the statement
that the principal was not created in the directory?
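One way to answer Greg's question with evidence from the directory itself, as an added example that is not part of the thread: query the LDAP backend for the entry carrying the principal's krbPrincipalName and report whether it sits under the realm's cn=krbContainer subtree (an entry the KDC created on its own) or on a pre-existing entry such as uid=test2,ou=people (the addprinc -x dn= case). The LDAP URI, bind DN and the realm name JAKOBI.FR are assumptions; only the base dc=jakobi,dc=fr appears in the thread.

```shell
#!/bin/sh
# Added example, not code from the krbdev thread. Shows where an LDAP-backed
# MIT KDC stored a given principal. Assumed settings (override via env):
LDAP_URI="${LDAP_URI:-ldap://localhost}"
LDAP_BASE="${LDAP_BASE:-dc=jakobi,dc=fr}"
LDAP_BINDDN="${LDAP_BINDDN:-cn=admin,dc=jakobi,dc=fr}"   # assumption

# Print the DN of every entry whose krbPrincipalName equals $1.
# Needs the OpenLDAP client tools; -W prompts for the bind password.
find_principal_dn() {
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$LDAP_BINDDN" -W -b "$LDAP_BASE" \
        "(krbPrincipalName=$1)" dn | sed -n 's/^dn: //p'
}

# Classify a DN: principals the KDC creates by itself live as standalone
# entries under cn=<REALM>,cn=krbContainer,<base>; any other DN is an
# existing directory entry that kadmin extended with krbPrincipalAux data.
classify_dn() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        *cn=krbcontainer*) echo realm-container ;;
        *)                 echo existing-entry ;;
    esac
}

# Report for one principal, e.g.: report_principal test2@JAKOBI.FR
report_principal() {
    dns=$(find_principal_dn "$1")
    if [ -z "$dns" ]; then
        echo "$1: no entry with that krbPrincipalName under $LDAP_BASE"
        return 1
    fi
    printf '%s\n' "$dns" | while IFS= read -r dn; do
        echo "$1: $(classify_dn "$dn")  ($dn)"
    done
}

# Run the live query only when a principal name is given on the command line.
if [ $# -gt 0 ]; then
    report_principal "$1"
fi
```

If no entry comes back for the principal that kadmin reported as created, compare the KDC's ldap_kdc_dn/ldap_kadmind_dn bind and the subtree configured in kdc.conf with the base used here, since a mismatch there is the usual reason a principal appears to be "on the KDC" but not in the directory.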