Managing a KDC on an LDAP Directory Server

Most of the KDC administration tasks using an LDAP Directory Server are the same as those for the DB2 server. There are some new tasks that are specific to working with LDAP.

Table 23-3 Configuring KDC Servers (Task Map)

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

This procedure allows for Kerberos principal attributes to be associated with non-Kerberos object class types. In this procedure the krbprincipalaux, and krbTicketPolicyAux and krbPrincipalName attributes are associated with the people object class.

In this procedure, the following configuration parameters are used:

• Directory Server = dsserver.example.com

• user principal = [email protected]

1. Become superuser.
2. Prepare each entry in the people object class.

   Repeat this step for each entry.

   cat << EOF | ldapmodify -h dsserver.example.com -D "cn=directory manager"
   dn: uid=willf,ou=people,dc=example,dc=com
   changetype: modify
   objectClass: krbprincipalaux
   objectClass: krbTicketPolicyAux
   krbPrincipalName: [email protected]
   EOF

3. Add a subtree attribute to the realm container.

   This step allows for searching of principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM container.

   # kdb5_ldap_util -D "cn=directory manager" modify \
               -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM

4. (Optional) If the KDC records are stored in DB2, migrate DB2 entries.
   1. Dump the DB2 entries.

      # kdb5_util dump > dumpfile

   2. Load the database into the LDAP server.

      # kdb5_util load -update dumpfile

5. (Optional) Add the principal attributes to the KDC.

   # kadmin.local -q 'addprinc willf'

How to Destroy a Realm on an LDAP Directory Server

This procedure can be used if a different LDAP Directory Server has been configured to handle a realm.

1. Become superuser.
2. Destroy the realm.

   # kdb5_ldap_util -D "cn=directory manager" destroy