Migrating database to LDAP (kldap)

Andreas Ntaflos

Aug 27, 2011, 7:08:36 PM
to kerb...@mit.edu
Hello all,

we have Kerberos 1.8.1 (Ubuntu 10.04) using the default database
configuration (i.e. db2, /var/lib/kerberos) working fine alongside
OpenLDAP, saslauthd (so that authentication against LDAP seamlessly goes
against Kerberos) and PAM (and other things).

I was now wondering if it is possible to migrate the current Kerberos
database to LDAP (with the kldap driver), without having to recreate the
whole realm and every principal and reset every password. It is also
important that saslauthd continues working.

Is there a migration strategy or best practice I can follow? Or is the
whole thing impossible to do?

Thanks,

Andreas

Simo Sorce

Aug 28, 2011, 11:49:56 AM
to Andreas Ntaflos, kerb...@mit.edu

You can use kdb5_util to dump the database and then later reload it in
LDAP. I tried only with LDAP->LDAP but I don't think you should have any
issue dumping a db2 one and then loading it back in LDAP as long as the
LDAP server is correctly configured and the kdc user has enough
permission to write the data.

Simo.

--
Simo Sorce * Red Hat, Inc * New York

Andreas Ntaflos

Aug 29, 2011, 9:22:07 AM
to Simo Sorce, kerb...@mit.edu

Simo,

Thank you for the hint, I was indeed able to use kdb5_util to dump the
old database and restore it into the LDAP backend, after some initial
problems.

Here's what I did:

* Dump the current database: kdb5_util dump kdb5-current.dump
* Update /etc/krb5.conf to reflect the LDAP backend settings (I used
[1] as guide)
* Backup /etc/krb5kdc, especially the stash (/etc/krb5kdc/stash)
containing the master key
* Create a new realm using kdb5_ldap_util as per [1], i.e.
"kdb5_ldap_util create"
* This creates a new master key and stash that will have to be
replaced by the old stash after importing the database.
* Create the stash for the service object as per [1], i.e.
"kdb5_ldap_util stashsrvpw"
* Load the database dump: kdb5_util load -update kdb5-current.dump
* Replace the newly created master key stash (/etc/krb5kdc/stash) with
the backup
* Restart the KDC and admin server

The database, database dump and master key obviously are very tightly
coupled and creating a new realm creates a new master key. Is there
another way this procedure should have been done, one that doesn't
require manually copying key stashes around?

Anyway, this seems to be working fine so far, thanks again!

Andreas

[1] https://help.ubuntu.com/11.04/serverguide/C/kerberos-ldap.html
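The procedure above as a two-phase shell script, split where the manual /etc/krb5.conf edit happens (an added example, not code from the thread or from MIT krb5). It assumes the thread's Ubuntu paths and service names, uses placeholder LDAP DNs, and only prints the commands unless DRY_RUN=0; the fingerprint check after the stash restore is there because the loaded keys are only decryptable under the old master key.

```shell
#!/bin/sh
# db2 -> kldap migration in two phases; added example, not from the thread
# or MIT krb5. Paths are Ubuntu defaults, the DNs below are placeholders.
set -eu

DUMP=${DUMP:-/root/kdb5-current.dump}
STASH=${STASH:-/etc/krb5kdc/stash}
BACKUP=${BACKUP:-/root/krb5kdc-backup}
LDAP_ADMIN_DN=${LDAP_ADMIN_DN:-cn=admin,dc=example,dc=com}           # placeholder
KDC_SERVICE_DN=${KDC_SERVICE_DN:-cn=kdc-service,dc=example,dc=com}   # placeholder
DRY_RUN=${DRY_RUN:-1}

# Run a command, or just print it when DRY_RUN=1 (the default).
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# sha256 of a file, or "missing": proves the restored stash is byte-identical.
fingerprint() { if [ -f "$1" ]; then sha256sum "$1" | cut -d' ' -f1; else echo missing; fi; }

# Phase 1, while krb5.conf still selects db2: dump the database and back up
# /etc/krb5kdc, in particular the master-key stash.
phase1_dump_and_backup() {
    run kdb5_util dump "$DUMP"
    run mkdir -p "$BACKUP"
    run cp -a /etc/krb5kdc/. "$BACKUP"/
}

# Phase 2, after krb5.conf has been switched to the kldap module: create the
# LDAP realm (this mints a NEW master key and stash), stash the service DN
# password, load the dump, then put the OLD stash back, since every key in
# the dump is still encrypted under the old master key.
phase2_create_and_load() {
    run kdb5_ldap_util -D "$LDAP_ADMIN_DN" create -s
    run kdb5_ldap_util -D "$LDAP_ADMIN_DN" stashsrvpw -f /etc/krb5kdc/service.keyfile "$KDC_SERVICE_DN"
    run kdb5_util load -update "$DUMP"
    run cp -a "$BACKUP/stash" "$STASH"
    if [ "$DRY_RUN" != 1 ] && [ "$(fingerprint "$STASH")" != "$(fingerprint "$BACKUP/stash")" ]; then
        echo "restored stash differs from backup; the KDC could not decrypt the loaded keys" >&2
        return 1
    fi
    run service krb5-kdc restart
    run service krb5-admin-server restart
}

case "${1:-}" in
    phase1) phase1_dump_and_backup ;;
    phase2) phase2_create_and_load ;;
    *) echo "usage: $0 phase1|phase2  (DRY_RUN=0 executes; default prints the commands)" >&2 ;;
esac
```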

Simo Sorce

Aug 29, 2011, 9:39:54 AM
to Andreas Ntaflos, kerb...@mit.edu
On Mon, 2011-08-29 at 15:22 +0200, Andreas Ntaflos wrote:

[..]

> Simo,
>
> Thank you for the hint, I was indeed able to use kdb5_util to dump the
> old database and restore it into the LDAP backend, after some initial
> problems.
>
> Here's what I did:
>
> * Dump the current database: kdb5_util dump kdb5-current.dump
> * Update /etc/krb5.conf to reflect the LDAP backend settings (I used
> [1] as guide)
> * Backup /etc/krb5kdc, especially the stash (/etc/krb5kdc/stash)
> containing the master key
> * Create a new realm using kdb5_ldap_util as per [1], i.e.
> "kdb5_ldap_util create"
> * This creates a new master key and stash that will have to be
> replaced by the old stash after importing the database.
> * Create the stash for the service object as per [1], i.e.
> "kdb5_ldap_util stashsrvpw"
> * Load the database dump: kdb5_util load -update kdb5-current.dump
> * Replace the newly created master key stash (/etc/krb5kdc/stash) with
> the backup
> * Restart the KDC and admin server
>
> The database, database dump and master key obviously are very tightly
> coupled and creating a new realm creates a new master key. Is there
> another way this procedure should have been done, one that doesn't
> require manually copying key stashes around?

During dump you can convert the db to use a different hash file. But
that's possible only at dump apparently. So you'd have to change the
order of operations somewhat.

I think there is also the option to tell kdb5_ldap_util to use an
existing stash file when you create the db, but I am not 100% sure, it's
been some time.

> Anyway, this seems to be working fine so far, thanks again!

Glad to hear that.
