System Administration Guide: Security Services

Managing a KDC on an LDAP Directory Server

Most of the KDC administration tasks using an LDAP Directory Server are the same as those for the DB2 server. There are some new tasks that are specific to working with LDAP.

Table 23–3 Configuring KDC Servers to Use LDAP (Task Map)

Task: Configure a master KDC
Description: Configures and builds the master KDC server and database for a realm using a manual process and using LDAP for the KDC.
For Instructions: How to Configure a KDC to Use an LDAP Data Server

Task: Mix Kerberos principal attributes with non-Kerberos object class types
Description: Allows information stored with the Kerberos records to be shared with other LDAP databases.
For Instructions: How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

Task: Destroy a realm
Description: Removes all of the data associated with a realm.
For Instructions: How to Destroy a Realm on an LDAP Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

This procedure allows Kerberos principal attributes to be associated with non-Kerberos object class types. In this procedure the krbprincipalaux and krbTicketPolicyAux object classes and the krbPrincipalName attribute are added to entries of the people object class.

In this procedure, the following configuration parameters are used:

    Directory manager DN: cn=directory manager
    Realm: EXAMPLE.COM
    Subtree that holds the people entries: ou=people,dc=example,dc=com
    Example user entry: uid=willf, with the principal willf@EXAMPLE.COM

  1. Become superuser.

  2. Prepare each entry in the people object class.

    Repeat this step for each entry, where ldap-server is the host name of the LDAP directory server. The modify operation adds the two Kerberos object classes and the krbPrincipalName attribute to the existing entry; the heredoc must be terminated with EOF so that ldapmodify receives the complete record.

    # cat << EOF | ldapmodify -h ldap-server -D "cn=directory manager"
    dn: uid=willf,ou=people,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: krbprincipalaux
    objectClass: krbTicketPolicyAux
    -
    add: krbPrincipalName
    krbPrincipalName: willf@EXAMPLE.COM
    EOF
  3. Add a subtree attribute to the realm container.

    This step allows for searching of principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM container.

    # kdb5_ldap_util -D "cn=directory manager" modify \
                -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM
  4. (Optional) If the KDC records are stored in DB2, migrate DB2 entries.

    1. Dump the DB2 entries.

      # kdb5_util dump > dumpfile
    2. Load the database into the LDAP server.

      # kdb5_util load -update dumpfile
  5. (Optional) Add the principal attributes to the KDC.

    # kadmin.local -q 'addprinc willf'
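Step 2 has to be repeated once per people entry, which invites copy-and-paste mistakes in the DN or the principal name. The following script is an added example, not part of this guide or of the Solaris Kerberos tools: it generates the LDIF modify records for a list of uids so that they can be piped into ldapmodify in one run. It assumes the base DN ou=people,dc=example,dc=com and the realm EXAMPLE.COM from the procedure, and it rejects uids containing characters that could alter the LDIF record (an operator typo such as a comma or a newline would otherwise change the DN that gets modified).

```shell
#!/bin/sh
# Added example (not from the guide): build the ldapmodify input of step 2
# for many people entries at once.
PEOPLE_BASE='ou=people,dc=example,dc=com'   # subtree from the procedure
REALM='EXAMPLE.COM'                          # realm from the procedure

# Print one LDIF modify record for a uid, or fail if the uid is unsafe.
krb_ldif_for_uid() {
    uid="$1"
    # Only allow characters that cannot terminate or split an LDIF line/DN.
    case "$uid" in
        '' | *[!A-Za-z0-9._-]*)
            echo "krb_ldif_for_uid: refusing unsafe uid '$uid'" >&2
            return 1 ;;
    esac
    printf '%s\n' \
        "dn: uid=${uid},${PEOPLE_BASE}" \
        "changetype: modify" \
        "add: objectClass" \
        "objectClass: krbprincipalaux" \
        "objectClass: krbTicketPolicyAux" \
        "-" \
        "add: krbPrincipalName" \
        "krbPrincipalName: ${uid}@${REALM}" \
        ""
}

# Emit records for every uid given as an argument; stop on the first bad uid
# so that a partially wrong batch is never sent to the directory server.
krb_ldif_batch() {
    for u in "$@"; do
        krb_ldif_for_uid "$u" || return 1
    done
}

# Number of records a batch would produce; a quick check before applying it.
krb_ldif_count() {
    krb_ldif_batch "$@" | grep -c '^dn: '
}

# Usage (assumed host name ldap-server, as in step 2):
#   krb_ldif_batch willf alice bob | ldapmodify -h ldap-server -D "cn=directory manager"
```

Review the generated output with krb_ldif_count and a quick read before piping it into ldapmodify; the directory manager bind in step 2 can modify any entry, so the DNs in the batch deserve a second look.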

How to Destroy a Realm on an LDAP Directory Server

This procedure can be used when a different LDAP Directory Server has been configured to handle a realm and the realm data on this server is no longer needed.

  1. Become superuser.

  2. Destroy the realm.

    # kdb5_ldap_util -D "cn=directory manager" destroy