Managing Kerberos in Oracle® Solaris 11.4

Updated: August 2020

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type on an OpenLDAP Server

In this procedure, the krbprincipalaux and krbTicketPolicyAux object classes and the krbPrincipalName attribute are associated with entries in the people object class.

This procedure uses the following configuration parameters:

  • OpenLDAP Server = krb1.example.com

  • User principal = mre@EXAMPLE.COM

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Prepare each entry in the people object class.

    On the OpenLDAP server, repeat this step for each entry.

    cat << EOF | ldapmodify -h openldap.example.com \
    -D "cn=directory manager,dc=example,dc=com"
    dn: uid=mre,ou=people,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: krbprincipalaux
    objectClass: krbTicketPolicyAux
    -
    add: krbPrincipalName
    krbPrincipalName: mre@EXAMPLE.COM
    EOF

  2. Add a subtree attribute to the realm container.

    This example enables searching principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM container.

    # kdb5_ldap_util -D "cn=directory manager" modify \
       -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM
  3. (Optional) If the KDC records are stored in DB2, migrate the DB2 entries.
    1. Dump the DB2 entries.
      # kdb5_util dump > dumpfile
    2. Load the database into the LDAP server.
      # kdb5_ldap_util load -update dumpfile
  4. (Optional) Add the principal attributes to the KDC.
    # kadmin.local -q 'addprinc mre'
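
The per-entry modify record from step 1, plus a check that an entry really carries the object classes and krbPrincipalName that the step 2 subtree search depends on, as an added example that is not part of the Oracle Solaris documentation. The host, bind DN and the commented ldapmodify invocation are assumptions, and the two sample entries are constructed; the check itself never contacts the LDAP server.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation. Hostnames and the
# bind DN are assumptions; the sample entries below are constructed.

# Emit the step 1 modify record for one user.  Usage: principal_ldif UID REALM
principal_ldif() {
    uid=$1; realm=$2
    printf 'dn: uid=%s,ou=people,dc=example,dc=com\n' "$uid"
    printf 'changetype: modify\n'
    printf 'add: objectClass\n'
    printf 'objectClass: krbprincipalaux\n'
    printf 'objectClass: krbTicketPolicyAux\n'
    printf '%s\n' '-'
    printf 'add: krbPrincipalName\n'
    printf 'krbPrincipalName: %s@%s\n\n' "$uid" "$realm"
}

# Read one LDIF entry on stdin (for example the output of ldapsearch) and
# return 0 only if it has both auxiliary object classes and a
# krbPrincipalName in the given realm; attribute names compare case-insensitively.
entry_is_prepared() {
    realm=$1
    awk -v realm="$realm" '
        tolower($0) == "objectclass: krbprincipalaux"    { aux = 1 }
        tolower($0) == "objectclass: krbticketpolicyaux" { pol = 1 }
        tolower($1) == "krbprincipalname:" && $2 ~ ("@" realm "$") { name = 1 }
        END { exit !(aux && pol && name) }'
}

# Constructed sample: what ldapsearch returns for mre after step 1 succeeded
SAMPLE_OK='dn: uid=mre,ou=people,dc=example,dc=com
objectClass: person
objectClass: krbprincipalaux
objectClass: krbTicketPolicyAux
uid: mre
krbPrincipalName: mre@EXAMPLE.COM'

# Constructed sample: an entry that step 1 was never applied to
SAMPLE_MISSING='dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: person
uid: jdoe'

# Apply the record for one user (host and bind DN are assumptions):
#   principal_ldif mre EXAMPLE.COM | ldapmodify -h openldap.example.com \
#       -D "cn=directory manager,dc=example,dc=com"
```

Running `entry_is_prepared` over each entry returned by a subtree search of ou=people before step 2 flags users whose principal entry the KDC will not find.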