Home / server / Questions / 727527
Accepted
Francesco Malvezzi
Asked: 2015-10-08 22:35:01 +0800 CST

krb5 / ldap: realm name match with directory namingContext

  • 772

In order to store krb5 principal entries on LDAP, is the LDAP naming context (root basename) required to match the realm name?

principals of the realm

HQ.EXAMPLE.ORG

can be stored in the

dc=example,dc=org

naming context of the directory tree?

ldap

1 Answers

  1. Best Answer

    The name doesn't have to match at all. You just have to get the permissions right.

    This is a working, though not ideal, example of this concept:

    $ ldapsearch -Q -LLL -h ldap1.example.com -b cn=krbcontainer -s one objectclass @krbRealmContainer
dn: cn=EXAMPLE.COM,cn=krbContainer
cn: EXAMPLE.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: ou=people,dc=example,dc=com

dn: cn=kadmin-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kadmin-service

dn: cn=kdc-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kdc-service



ldap1 ~ # cat /etc/krb5.conf
#krb5.conf
[libdefaults]

[realms]
EXMAPLE.COM = {
        admin_server = ldap1.example.com
        kdc = ldap1.example.com
        database_module = openldap_ldapconf
}

[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH

[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer

[dbmodules]
openldap_ldapconf = {
        db_library = ldap
        ldap_kerberos_container_dn = cn=krbContainer
        ldap_kdc_dn = "cn=kdc-service,cn=krbContainer"
        # this object needs to have read rights on
        # the realm container and principal subtrees
        ldap_kadmind_dn = "cn=kadmin-service,cn=krbContainer"
        # this object needs to have read and write rights on
        # the realm container and principal subtrees
        ldap_service_password_file = /etc/krb5kdc.keyfile
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
}
    • 1