On 09.02.2012 02:35, Ken Dreyer wrote:
> On Thu, Jan 26, 2012 at 12:43 PM, Raffael Sahli <pub...@raffaelsahli.com>
> wrote:
>> Hi
>>
>> How can I convert a principal which was created with -x
>> dn="cn=myuser,dc=exam,dc=com" on an ldap backend
>> into a normal principal located under
>> krbPrincipalName=myu...@myrealm.com,cn=MYREALM.COM,dc=exam,dc=com.
>> I have to convert all my user principals to "normal" principals.
>
> I'm a newbie to using LDAP as the krb5 backend... but I am thinking
> that this may not be possible. From what I've seen you must have two
> LDAP DNs for each user. I'd be happy to be corrected, because it would
> certainly make things simpler.
>

You can use the -x switch to extend an existing LDAP entry with kerberos attributes. Example:

    kadmin> add_principal -x dn="cn=John Doe,ou=people,dc=example,dc=com" jdoe

To make that work you need to configure additional sub trees with e.g.:

    kdb5_ldap_util modify -D <LDAP Admin DN> -r EXAMPLE.COM -subtrees ou=people,dc=example,dc=com

In this way you can produce unified LDAP entries with kerberos principal functionality.

The initial question was how to separate those entries in two. I think this can only be done directly by LDAP operations: create new LDAP entries for each principal, delete the kerberos related attributes from the existing user entries and add them to the newly created kerberos principal entry.

I did not check if that really works.

--
Mark Pröhl
m...@mproehl.net
www.kerberos-buch.de

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos