Most of the KDC administration tasks using an LDAP Directory Server are the same as those for the DB2 server. There are some new tasks that are specific to working with LDAP.
Table 23–3 Configuring KDC Servers to Use LDAP (Task Map)

Task | Description | For Instructions
---|---|---
Configuring a Master KDC | Configures and builds the master KDC server and database for a realm using a manual process and using LDAP for the KDC. |
Mix Kerberos principal attributes with non-Kerberos object class types. | Allows information stored with the Kerberos records to be shared with other LDAP databases. | How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type
Destroy a Realm | Removes all of the data associated with a realm. |
This procedure allows Kerberos principal attributes to be associated with non-Kerberos object class types. In this procedure, the krbprincipalaux and krbTicketPolicyAux auxiliary object classes and the krbPrincipalName attribute are added to entries of the people object class.
In this procedure, the following configuration parameters are used:
Directory Server = dsserver.example.com
user principal = willf@EXAMPLE.COM
Become superuser.
Prepare each entry in the people object class.
Repeat this step for each entry.
```shell
# cat << EOF | ldapmodify -h dsserver.example.com -D "cn=directory manager"
dn: uid=willf,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
-
add: krbPrincipalName
krbPrincipalName: willf@EXAMPLE.COM
EOF
```
Add a subtree attribute to the realm container.
This step allows for searching of principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM container.
```shell
# kdb5_ldap_util -D "cn=directory manager" modify \
    -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM
```
(Optional) If the KDC records are stored in DB2, migrate DB2 entries.
(Optional) Add the principal attributes to the KDC.
```shell
# kadmin.local -q 'addprinc willf'
```
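Because the "prepare each entry" step must be repeated for every entry, and re-adding an object class that an entry already carries makes ldapmodify fail with an "attribute or value exists" error, the following added example (not part of the original documentation) generates the ldapmodify input only for entries under ou=people that still lack krbPrincipalName. The sample ldapsearch output and the realm argument are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation. Reads LDIF (as returned
# by ldapsearch) on stdin and prints one "changetype: modify" record per entry
# that has a uid but no krbPrincipalName yet. Realm is an assumed parameter.
gen_kerberos_ldif() {
    realm="$1"
    awk -v realm="$realm" '
    BEGIN { RS = ""; FS = "\n" }          # one LDIF entry per record
    {
        dn = ""; uid = ""; has_princ = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^dn: /)  dn  = substr($i, 5)
            if ($i ~ /^uid: /) uid = substr($i, 6)
            # attribute names are case-insensitive in LDAP
            if (tolower($i) ~ /^krbprincipalname: /) has_princ = 1
        }
        if (dn == "" || uid == "" || has_princ) next   # already converted
        print "dn: " dn
        print "changetype: modify"
        print "add: objectClass"
        print "objectClass: krbprincipalaux"
        print "objectClass: krbTicketPolicyAux"
        print "-"
        print "add: krbPrincipalName"
        print "krbPrincipalName: " uid "@" realm
        print ""
    }'
}

# Constructed sample of ldapsearch output for ou=people,dc=example,dc=com:
# willf has no Kerberos attributes yet, janed was converted earlier.
SAMPLE_LDIF='dn: uid=willf,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
uid: willf
cn: Will F

dn: uid=janed,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: krbprincipalaux
uid: janed
krbPrincipalName: janed@EXAMPLE.COM
'

# Against a real server the output would be piped into
#   ldapmodify -h dsserver.example.com -D "cn=directory manager"
printf '%s' "$SAMPLE_LDIF" | gen_kerberos_ldif EXAMPLE.COM
```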
This procedure can be used if a different LDAP Directory Server has been configured to handle a realm.