Re: importing an existing base into ldap
Love Hörnquist Åstrand wrote:
>
> On 27 May 2008 at 04:56, Guillaume Rousse wrote:
>
>> Javier Palacios wrote:
>>>> 2008-05-23T15:38:48 hdb_store: ldap_add_s: noe@LILLE.FUTURS.INRIA.FR (DN=krb5PrincipalName=noe@LILLE.FUTURS.INRIA.FR,ou=kerberos,dc=futurs,dc=inria,dc=fr-NEW)
>>>> Server is unwilling to perform: no global superior knowledge
>>>>
>>> No idea about the -NEW, but here is another alternative approach. It is so
>>> obvious that it might not be attempted. Just dump your current KDC, set up
>>> a new heimdal-ldap and restore the principals from the dump.
>> I sometimes feel stupid...
>>
>> OK, it works, but it chokes on some principals, by trying to create
>> entries without the attribute used in the DN:
>>
>> kadmin: db_store: ldap_modify_s:
>> http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR (DN=krb5PrincipalName=HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR,ou=kerberos,dc=futurs,dc=inria,dc=fr)
>> Naming violation: value of naming attribute 'krb5PrincipalName' is not
>> present in entry
>>
>> Looking at the dump, it seems to be a case issue, as I got an
>> HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR principal, imported
>> correctly, followed by a
>> http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR one, which triggered
>> the error.
>>
>> According to the ldap schema, krb5PrincipalName is case sensitive
>> (EQUALITY caseExactIA5Match), so should be the DN also.
>
> Can you remove the lowercase entry and make the dump pass? The
> lowercase http/fqdn should only be used by older Safaris (if I remember
> correctly)
That's what I did, I was just curious about the issue (especially as the
error message is not directly meaningful). I guess I could still
recreate the lowercase entries later directly in LDAP if really needed.
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
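
A pre-import check for the situation described in this thread, as an added example that is not part of the original messages or of Heimdal: it lists principals in a KDC dump that differ only by case, so they can be reviewed before loading into the LDAP backend. It assumes the principal name is the first whitespace-separated field of each dump line; the sample lines are constructed, with `<fields>` standing in for the rest of each record.

```python
import sys
from collections import defaultdict

# Constructed sample in the assumed dump layout: principal name first,
# the remaining fields (keys, timestamps, flags) replaced by a placeholder.
SAMPLE_DUMP = """\
HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR <fields>
noe@LILLE.FUTURS.INRIA.FR <fields>

http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR <fields>
"""


def principals(dump_text):
    """Yield (line_number, principal) for every non-empty dump line."""
    for number, line in enumerate(dump_text.splitlines(), start=1):
        fields = line.split()
        if fields:
            yield number, fields[0]


def case_collisions(dump_text):
    """Map each lowercased name to its (line, spelling) occurrences,
    keeping only names that appear with more than one distinct spelling."""
    groups = defaultdict(list)
    for number, name in principals(dump_text):
        groups[name.lower()].append((number, name))
    return {
        folded: seen
        for folded, seen in groups.items()
        if len({spelling for _, spelling in seen}) > 1
    }


def report(dump_text):
    """Return one human-readable line per colliding spelling."""
    lines = []
    for folded, seen in sorted(case_collisions(dump_text).items()):
        for number, spelling in seen:
            lines.append(f"line {number}: {spelling}")
    return lines


if __name__ == "__main__":
    # Pass the path of a dump file, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DUMP
    print("\n".join(report(text)) or "no case-only collisions")
```
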