This procedure allows for Kerberos principal attributes to be associated with non-Kerberos object class types. In this procedure the krbprincipalaux, and krbTicketPolicyAux and krbPrincipalName attributes are associated with the people object class.
In this procedure, the following configuration parameters are used:
Directory Server = dsserver.example.com
user principal = willf@EXAMPLE.COM
Become superuser.
Prepare each entry in the people object class.
Repeat this step for each entry.
cat << EOF | ldapmodify -h dsserver.example.com -D "cn=directory manager" dn: uid=willf,ou=people,dc=example,dc=com changetype: modify objectClass: krbprincipalaux objectClass: krbTicketPolicyAux krbPrincipalName: willf@EXAMPLE.COM EOF |
Add a subtree attribute to the realm container.
This step allows for searching of principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM container.
# kdb5_ldap_util -D "cn=directory manager" modify \ -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM |
(Optional) If the KDC records are stored in DB2, migrate DB2 entries.
(Optional) Add the principal attributes to the KDC.
# kadmin.local -q 'addprinc willf' |