System Administration Guide: Security Services

Procedure: How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

This procedure lets Kerberos principal attributes be stored on directory entries whose structural object class is not Kerberos-specific, so that an existing user entry also serves as the principal's entry. In this procedure, the krbprincipalaux and krbTicketPolicyAux auxiliary object classes, together with the krbPrincipalName attribute, are added to the user entries in the people container (ou=people).

In this procedure, the following configuration parameters are used:

    Directory server: dsserver.example.com
    Bind DN for directory updates: cn=directory manager
    Kerberos realm: EXAMPLE.COM
    Subtree that holds the user entries: ou=people,dc=example,dc=com
    Example user entry: uid=willf,ou=people,dc=example,dc=com

  1. Become superuser.

  2. Prepare each entry in the people container.

    Repeat this step for each entry. The change is an LDAP modify operation, so each attribute being added needs its own add: modification, separated by a line containing a single hyphen. ldapmodify must also be given the directory manager's bind password (for example with the -w option of the ldapmodify shipped with Solaris).


    cat << EOF | ldapmodify -h dsserver.example.com -D "cn=directory manager"
    dn: uid=willf,ou=people,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: krbprincipalaux
    objectClass: krbTicketPolicyAux
    -
    add: krbPrincipalName
    krbPrincipalName: willf@EXAMPLE.COM
    EOF
  3. Add a subtree attribute to the realm container.

    This step allows the KDC to search for principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM realm container. The value given to -subtrees replaces the realm's existing subtree list, so if the realm already has subtrees configured, list them all, separated by colons.


    # kdb5_ldap_util -D "cn=directory manager" modify \
                -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM
    
  4. (Optional) If the KDC records are stored in the db2 database, migrate the db2 entries.

    1. Dump the db2 entries while the KDC is still configured to use the db2 database.


      # kdb5_util dump > dumpfile
      
    2. Load the database into the LDAP server.

      Run this step only after the KDC configuration points at the LDAP database, otherwise the dump is reloaded into the db2 database it came from. The -update option merges the dumped principals into the existing database instead of replacing it.


      # kdb5_util load -update dumpfile
      
  5. (Optional) Add the principal to the KDC.

    This creates the remaining principal attributes and the keys for the principal. addprinc prompts for the principal's password.


    # kadmin.local -q 'addprinc willf'
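Step 2 has to be repeated for every user entry, and a hand-typed modify record is easy to get wrong (a missing add: line or hyphen separator makes ldapmodify reject the whole change). The following script is an added example, not part of the Solaris guide, that generates the step 2 LDIF for a batch of uids and refuses uids that would change the meaning of the resulting principal name. The realm, base DN and the sample uid list are assumptions chosen to match the values used in this procedure.

```sh
#!/bin/sh
# Added example (not from the Solaris guide): generate the per-entry LDIF
# that step 2 applies, for a batch of uids, so that each entry under
# ou=people gains the krbprincipalaux and krbTicketPolicyAux object
# classes and a krbPrincipalName. REALM, BASE and SAMPLE_UIDS are
# assumed values matching the procedure above.

REALM="EXAMPLE.COM"
BASE="ou=people,dc=example,dc=com"

# Emit one LDIF change record for a uid. With changetype: modify, every
# attribute being added needs its own "add:" modification, and the
# modifications are separated by a line holding a single hyphen.
principal_ldif() {
    uid=$1
    printf 'dn: uid=%s,%s\n' "$uid" "$BASE"
    printf 'changetype: modify\n'
    printf 'add: objectClass\n'
    printf 'objectClass: krbprincipalaux\n'
    printf 'objectClass: krbTicketPolicyAux\n'
    printf '%s\n' '-'
    printf 'add: krbPrincipalName\n'
    printf 'krbPrincipalName: %s@%s\n' "$uid" "$REALM"
    printf '\n'
}

# Accept only uids made of letters, digits, '.', '_' and '-'. Anything
# else is rejected: '@' or '/' would turn the value into a different
# realm or an instance principal, and DN-special characters such as ','
# or '=' would change the entry the record addresses.
valid_uid() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Build LDIF for a whitespace-separated list of uids. Invalid uids are
# reported on stderr and skipped rather than silently written out.
batch_ldif() {
    for u in $1; do
        if valid_uid "$u"; then
            principal_ldif "$u"
        else
            printf 'skipping invalid uid: %s\n' "$u" >&2
        fi
    done
}

# Constructed sample list; in practice the uids come from an ldapsearch
# of the ou=people container. The last two entries are deliberately bad.
SAMPLE_UIDS="willf annaw x/admin root@OTHER.REALM"

# Usage (the ldapmodify line also needs the bind password, see step 2):
#   batch_ldif "$SAMPLE_UIDS" > principals.ldif
#   ldapmodify -h dsserver.example.com -D "cn=directory manager" -f principals.ldif
```

Writing the records to a file first, rather than piping straight into ldapmodify, leaves an artifact that can be reviewed and diffed before the directory is changed, and lets the same file be applied with the -c (continue on error) behaviour of ldapmodify if a single entry is already a principal.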