
Re: Convert ldap user principal


Ken Dreyer

Feb 8, 2012, 8:35:48 PM
to Raffael Sahli, kerb...@mit.edu
On Thu, Jan 26, 2012 at 12:43 PM, Raffael Sahli <pub...@raffaelsahli.com> wrote:
> Hi
>
> How can I convert a principal which was created with -x
> dn="cn=myuser,dc=exam,dc=com" on an LDAP backend
> into a normal principal located under
> krbPrincipalName=myu...@MYREALM.COM,cn=MYREALM.COM,dc=exam,dc=com.
> I have to convert all my user principals to "normal" principals.

I'm a newbie to using LDAP as the krb5 backend... but I am thinking
that this may not be possible. From what I've seen you must have two
LDAP DNs for each user. I'd be happy to be corrected, because it would
certainly make things simpler.

- Ken

Mark Pröhl

Feb 9, 2012, 1:43:02 PM
to kerb...@mit.edu
You can use the -x switch to extend an existing LDAP entry with Kerberos
attributes. Example:

    kadmin> add_principal -x dn="cn=John Doe,ou=people,dc=example,dc=com" jdoe

To make that work you need to configure additional subtrees with e.g.:

    kdb5_ldap_util modify -D <LDAP Admin DN> -r EXAMPLE.COM -subtrees ou=people,dc=example,dc=com

In this way you can produce unified LDAP entries with Kerberos principal
functionality. The initial question was how to separate those entries in
two. I think this can only be done directly by LDAP operations: create
new LDAP entries for each principal, delete the Kerberos related
attributes from the existing user entries and add them to the newly
created Kerberos principal entry. I did not check if that really works.

--
Mark Pröhl
ma...@mproehl.net
www.kerberos-buch.de

Chris Hecker

Feb 9, 2012, 3:55:15 PM
to kerb...@mit.edu

You can do this pretty trivially with pure LDAP, and something like Perl
or your favorite scripting language (with an LDAP API), if I understand
what you're trying to do. The krb5 stuff in the LDAP entries is just
regular LDAP attributes; I've mucked with them manually in ldapvi
before, moving krb attributes onto a separately created LDAP entry, for
example. As long as the krb5 username and realm aren't changing and you
make sure you get everything, you should have no problems.

Chris

On 2012/01/26 11:43, Raffael Sahli wrote:
> Hi
>
> How can I convert a principal which was created with -x
> dn="cn=myuser,dc=exam,dc=com" on an LDAP backend
> into a normal principal located under
> krbPrincipalName=myu...@MYREALM.COM,cn=MYREALM.COM,dc=exam,dc=com.
> I have to convert all my user principals to "normal" principals.
>
> Thanks for your help
>
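The two-step LDAP operation Mark and Chris describe (create a stand-alone principal entry, then strip the krb* attributes from the user entry), as an added example that is not from this thread: it emits LDIF for ldapmodify rather than talking to the server, and assumes the stand-alone entry carries objectClass krbPrincipal, krbPrincipalAux and krbTicketPolicyAux (MIT krb5 LDAP schema) and that the realm container sits directly under the base DN as in the original question. The sample entry and its key blob are constructed.

```python
import base64

# Assumed object classes of a stand-alone principal entry in the MIT krb5 LDAP schema.
PRINCIPAL_CLASSES = ["krbPrincipal", "krbPrincipalAux", "krbTicketPolicyAux"]
AUX_CLASSES = {"krbprincipalaux", "krbticketpolicyaux"}  # what "-x dn=" adds to a user

def ldif_line(attr, value):
    """LDIF needs 'attr:: base64' for binary or unsafe values (krbPrincipalKey is binary)."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    unsafe = isinstance(value, bytes) or not value.isascii() or value[:1] in (" ", ":", "<")
    if unsafe or any(b in raw for b in (b"\n", b"\r", b"\0")):
        return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{attr}: {value}"

def split_principal(dn, attrs, realm_container):
    """Return (add_ldif, modify_ldif): a new principal entry under realm_container
    holding every krb* attribute of the unified entry `dn`, then a modify that strips them."""
    krb = {a: v for a, v in attrs.items() if a.lower().startswith("krb")}
    names = krb.get("krbPrincipalName", [])
    if len(names) != 1:
        raise ValueError(f"{dn}: expected exactly one krbPrincipalName")
    principal = names[0]
    realm = principal.rsplit("@", 1)[-1]
    if not realm_container.lower().startswith(f"cn={realm.lower()},"):
        raise ValueError(f"{principal}: realm does not match container {realm_container}")
    if any(c in principal for c in ',+"\\<>;='):  # would need RDN escaping; refuse instead
        raise ValueError(f"{principal}: special characters in RDN")
    add = [f"dn: krbPrincipalName={principal},{realm_container}", "changetype: add"]
    add += [f"objectClass: {oc}" for oc in PRINCIPAL_CLASSES]
    for attr, values in krb.items():
        add += [ldif_line(attr, v) for v in values]
    mod = [f"dn: {dn}", "changetype: modify"]
    for attr in krb:
        mod += [f"delete: {attr}", "-"]
    aux = [oc for oc in attrs.get("objectClass", []) if oc.lower() in AUX_CLASSES]
    if aux:  # drop the auxiliary classes too, so the user entry can no longer carry krb*
        mod += ["delete: objectClass"] + [f"objectClass: {oc}" for oc in aux] + ["-"]
    return "\n".join(add) + "\n", "\n".join(mod) + "\n"

# Constructed sample of a unified entry; the key blob is fake, not a real krbPrincipalKey.
SAMPLE_DN = "cn=myuser,dc=exam,dc=com"
SAMPLE_ATTRS = {
    "objectClass": ["inetOrgPerson", "krbPrincipalAux", "krbTicketPolicyAux"],
    "cn": ["myuser"], "sn": ["User"], "userPassword": ["{SASL}myuser@MYREALM.COM"],
    "krbPrincipalName": ["myuser@MYREALM.COM"], "krbLastPwdChange": ["20120126114300Z"],
    "krbPrincipalKey": [b"\x30\x03\x02\x01\x01"],
}
```

Feed the add LDIF to ldapmodify before the modify LDIF, and handle the generated files like a keytab, since krbPrincipalKey carries the principal's long-term keys.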

Daniel Savard

Feb 9, 2012, 4:10:20 PM
to kerb...@mit.edu
Why not simply use the SASL authentication with GSSAPI and Mapping
authentication identities?

http://www.openldap.org/doc/admin24/sasl.html#Mapping%20Authentication%20Identities

-----------------
Daniel Savard


2012/2/9 Chris Hecker <che...@d6.com>

Raffael Sahli

Feb 10, 2012, 9:09:10 AM
to kerb...@mit.edu
Hi


Yes, maybe I can do it with a script... or with kdb5_ldap_util modify;
I'll try it.


On 02/09/2012 10:10 PM, Daniel Savard wrote:
> Why not simply use the SASL authentication with GSSAPI and Mapping
> authentication identities?
? That was not really my question ;)


But exactly SASL is my problem. I work with SASL passthrough on our
OpenLDAP server, but {SASL} is not working if the Kerberos attributes
are on the same LDAP object as the one you authenticate as
(some lock from the OpenLDAP server... maybe).

See problem on OpenLDAP list:
http://www.openldap.org/lists/openldap-technical/201201/msg00047.html


If the principal is a separate object on the LDAP server, SASL
passthrough is working.
--
Raffael Sahli
pub...@raffaelsahli.com
