
Re: importing an existing base into ldap



Javier Palacios wrote:
> On Wed, May 21, 2008 at 5:06 PM, Guillaume Rousse
> <Guillaume.Rousse@inria.fr> wrote:
>> Hello list.
>>
>> I'm trying to setup an ldap backend for heimdal. I was interested in being able
>> to import an already existing one, if possible.
>>
> 
> If I understand well your situation, you don't need to import
> anything. 
No, I do have one already running KDC with existing principals stored in 
a standard flat base (I did not understand well the interest of the LDAP 
backend when it was set up). I need to import it, rather than have users 
retype their password again.

> I assume that you already have a working LDAP tree.
> You install heimdal, with ldap backend and basedn somewhere in the
> tree. Now, when you add a principal, it gets located under the
> kerberos basedn.
> Stop heimdal, and modify the basedn to your top basedn or any other
> point which is a common parent of your initial kerberos basedn and
> your users entries. After restarting heimdal, the principals you add
> will be created on the new basedn.
> At this point heimdal-ldap is able to find your user entries,
> although it does not recognize them as principals, until you add the
> proper attributes (principal name and kvno, plus flags to make it
> usable). And you will see them while listing principals.
> Then, you change the password using kadmin, and that is it.
> 
> In my opinion, this is an even better method to create the principal
> than raw kadmin because you have much more control over the entry dn
> as well as the branch where it resides.
Yes, that is also what is advertised there:
http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT#Heimdal_.28kerberos.29

> If you don't want to start from scratch, the script below might serve
> as a starting point:
> http://kad.svn.sourceforge.net/viewvc/kad/trunk/utils/transformUid
Thanks, but our setup is a bit more complex (probably three branches, and 
three different kerberos realms). Anyway, adding the missing attributes 
is not the difficult part there :)

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
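The step in the quoted reply where existing user entries get the "proper attributes (principal name and kvno, plus flags)" so that heimdal-ldap recognizes them as principals, written out as an added example. This is not code from the thread, from the transformUid script or from Heimdal itself; it assumes the Heimdal hdb.schema object classes krb5Principal and krb5KDCEntry with the attributes krb5PrincipalName, krb5KeyVersionNumber and krb5KDCFlags, and the DNs, uids, realms and the flag value 126 are constructed for illustration.

```python
"""Generate LDIF that adds Heimdal principal attributes to existing LDAP
user entries, so the KDC's LDAP backend lists them as principals.

Added example, not code from the thread or from Heimdal. It assumes the
Heimdal hdb.schema (objectClasses krb5Principal / krb5KDCEntry with the
attributes krb5PrincipalName, krb5KeyVersionNumber, krb5KDCFlags). The
DNs, realms and flag value below are constructed/hypothetical.
"""

# KDC flags normally given to a fresh Heimdal user principal
# (forwardable|proxiable|renewable|postdate|server|client = 126).
# Assumption: adjust to the site's own policy.
DEFAULT_KDC_FLAGS = 126

# Constructed sample input: (dn, uid, realm) per existing user entry.
# Several branches and realms, as in the thread, are just more rows.
SAMPLE_USERS = [
    ("uid=alice,ou=people,dc=example,dc=org", "alice", "EXAMPLE.ORG"),
    ("uid=bob,ou=lab,dc=example,dc=org", "bob", "LAB.EXAMPLE.ORG"),
]


def principal_modify_ldif(dn, uid, realm, kvno=1, flags=DEFAULT_KDC_FLAGS):
    """Return one LDIF 'changetype: modify' record that adds the Kerberos
    object classes and attributes to an existing entry. The entry keeps
    its DN and branch; nothing already on it is touched."""
    if "@" in uid or not realm.isupper():
        raise ValueError("uid must not contain '@' and realm must be upper-case")
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: objectClass",
        "objectClass: krb5Principal",
        "objectClass: krb5KDCEntry",
        "-",
        "add: krb5PrincipalName",
        f"krb5PrincipalName: {uid}@{realm}",
        "-",
        "add: krb5KeyVersionNumber",
        f"krb5KeyVersionNumber: {kvno}",
        "-",
        "add: krb5KDCFlags",
        f"krb5KDCFlags: {flags}",
        "-",
        "",
    ])


def build_ldif(users):
    """Concatenate the modify records for all users into one LDIF body."""
    return "\n".join(principal_modify_ldif(dn, uid, realm) for dn, uid, realm in users)


if __name__ == "__main__":
    # Pipe the output into ldapmodify against the directory (hypothetical DNs).
    print(build_ldif(SAMPLE_USERS))
```

The generated LDIF only adds the attributes the reply names; it carries no key material, so, exactly as the reply says, each principal still has to get its password set with kadmin afterwards before it is usable. The realm check is there because a lower-case or mis-typed realm in krb5PrincipalName silently produces principals the KDC will never match.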