Re: [389-users] About Kerberos and dirsrv
This link may help: http://blogs.oracle.com/wfiveash/entry/the_rough_guide_to_configuring

On Thu, 16-06-2011 at 18:23 +0900, 夜神 岩男 wrote:
> On Thu, 2011-06-16 at 10:52 +0200, Gioachino Bartolotta wrote:
> > Hi Juan!
> >
> > Is it possible to do a bash script to import existing users into kerberos?
> > In my ldap I have already 2000 users ...
> >
> > Thanks
>
> It is almost always possible to do a bash script to perform this sort
> of task. This is one of the best reasons to learn how if you aren't
> already good at it. If your sed/awk skills are well developed, this is
> an excellent, repeatable, adaptable solution. I will be facing a similar
> problem in the mid-term and if you have written a basic script by then
> I'd love to get a copy. If not, I will be writing one myself in a few
> months.
>
> This problem is probably frequent enough that someone may have already
> tackled it with a smart script... ? Anyone?
>
> -Iwao

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] About Kerberos and dirsrv
On Thu, 2011-06-16 at 10:52 +0200, Gioachino Bartolotta wrote:
> Hi Juan!
>
> Is it possible to do a bash script to import existing users into kerberos?
> In my ldap I have already 2000 users ...
>
> Thanks

It is almost always possible to do a bash script to perform this sort
of task. This is one of the best reasons to learn how if you aren't
already good at it. If your sed/awk skills are well developed, this is
an excellent, repeatable, adaptable solution. I will be facing a similar
problem in the mid-term and if you have written a basic script by then
I'd love to get a copy. If not, I will be writing one myself in a few
months.

This problem is probably frequent enough that someone may have already
tackled it with a smart script... ? Anyone?

-Iwao
Re: [389-users] About Kerberos and dirsrv
Hi Juan!

Is it possible to do a bash script to import existing users into kerberos?
In my ldap I have already 2000 users ...

Thanks

2011/6/15 Juan Carlos Camargo Carrillo :
> To your former question, yes. Basically, and assuming you have experience
> with openldap:
>
> 0.- Backup your current installation or create a new 389ds instance.
> 1.- Configure the kdc to use ldap as a database backend.
> 2.- Get the 60kerberos.ldif from freeIPA (it works out of the box with
> 389ds) and copy it to the instance's "schema" folder. Add krb5principalname
> to your suffix database indexes. Restart dirsrv.
>
> 3.- Create the realm with kdb5_ldap_util.
> 4.- Create kerberos principals for your users
> 4.1 for new users, "addprinc "
> 4.2 for existing ldap users, "addprinc -x dn=
>
> Regards!
>
> On Wed, 15-06-2011 at 13:10 +0200, Gioachino Bartolotta wrote:
> > Hi !!
> >
> > Yes, I want to use 389ds as a backend for kerberos.
> >
> > So, everything will work just if I import the schemas on 389ds?
> >
> > Another question. I have actually 2 389ds configured with multimaster
> > replica, and on each server there is a kdc (1 master and 1 slave).
> >
> > I have to copy the same keytab on both servers?
> >
> > Have I also to change the file /etc/sysconfig/saslauthd with these
> > parameters??
> >
> > MECH_OPTIONS=""
> > THREADS=5
> > START=yes
> > MECHANISMS="ldap"
> > OPTIONS="-m /var/run/saslauthd
> >
> > Then ... I am missing something else??
> >
> > Thank you.
> >
> > 2011/6/15 Juan Carlos Camargo Carrillo :
> > > Hi,
> > >
> > > It depends. If you want to use 389ds as a Kerberos database backend then
> > > you should import the schema into the directory and yes, you'll need to
> > > create principals or modify the existing ldap entries to accept kerberos
> > > attributes, as you've said you did with openldap. I've done it with my
> > > 389ds lab and it works.
> > >
> > > On Wed, 15-06-2011 at 12:08 +0200, Gioachino Bartolotta wrote:
> > > > Hi all,
> > > >
> > > > I have a problem in setting up kerberos with 389 and I tried to do it using
> > > > the documents available on the 389 site and RedHat.
> > > >
> > > > I followed everything, but I am unable to get the initial ticket from
> > > > kerberos. Do I have to add these records as I have always done with
> > > > openldap??
> > > >
> > > > dn: ou=KerberosPrincipals,ou=Users,dc=domain
> > > > ou: KerberosPrincipals
> > > > objectClass: top
> > > > objectClass: organizationalUnit
> > > >
> > > > dn:
> > > > krb5PrincipalName=ldapmaster/admin@DOMAN,ou=KerberosPrincipals,ou=Users,dc=domain
> > > > objectClass: top
> > > > objectClass: person
> > > > objectClass: krb5Principal
> > > > objectClass: krb5KDCEntry
> > > > krb5PrincipalName: ldapmaster/admin@DOMAIN
> > > > krb5KeyVersionNumber: 1
> > > > krb5MaxLife: 86400
> > > > krb5MaxRenew: 604800
> > > > krb5KDCFlags: 126
> > > > cn: ldapmaster/admin@domain
> > > > sn: ldapmaster/admin@domain
> > > > userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==
> > > >
> > > > Thanks

--
---
Gioachino Bartolotta
Re: [389-users] About Kerberos and dirsrv
Why don't you use freeipa? This is exactly what freeipa is for.

-----Original Message-----
From: Juan Carlos Camargo Carrillo
Sender: 389-users-boun...@lists.fedoraproject.org
Date: Wed, 15 Jun 2011 13:44:09
To: <389-users@lists.fedoraproject.org>
Reply-To: "General discussion list for the 389 Directory server project." <389-users@lists.fedoraproject.org>
Subject: Re: [389-users] About Kerberos and dirsrv
Re: [389-users] About Kerberos and dirsrv
To your former question, yes. Basically, and assuming you have experience
with openldap:

0.- Backup your current installation or create a new 389ds instance.
1.- Configure the kdc to use ldap as a database backend.
2.- Get the 60kerberos.ldif from freeIPA (it works out of the box with
389ds) and copy it to the instance's "schema" folder. Add krb5principalname
to your suffix database indexes. Restart dirsrv.

3.- Create the realm with kdb5_ldap_util.
4.- Create kerberos principals for your users
4.1 for new users, "addprinc "
4.2 for existing ldap users, "addprinc -x dn=

> Hi !!
>
> Yes, I want to use 389ds as a backend for kerberos.
>
> So, everything will work just if I import the schemas on 389ds?
>
> Another question. I have actually 2 389ds configured with multimaster
> replica, and on each server there is a kdc (1 master and 1 slave).
>
> I have to copy the same keytab on both servers?
>
> Have I also to change the file /etc/sysconfig/saslauthd with these
> parameters??
>
> MECH_OPTIONS=""
> THREADS=5
> START=yes
> MECHANISMS="ldap"
> OPTIONS="-m /var/run/saslauthd
>
> Then ... I am missing something else??
>
> Thank you.
>
> 2011/6/15 Juan Carlos Camargo Carrillo :
> > Hi,
> >
> > It depends. If you want to use 389ds as a Kerberos database backend then
> > you should import the schema into the directory and yes, you'll need to
> > create principals or modify the existing ldap entries to accept kerberos
> > attributes, as you've said you did with openldap. I've done it with my
> > 389ds lab and it works.
> >
> > On Wed, 15-06-2011 at 12:08 +0200, Gioachino Bartolotta wrote:
> > > Hi all,
> > >
> > > I have a problem in setting up kerberos with 389 and I tried to do it using
> > > the documents available on the 389 site and RedHat.
> > >
> > > I followed everything, but I am unable to get the initial ticket from
> > > kerberos. Do I have to add these records as I have always done with
> > > openldap??
> > >
> > > dn: ou=KerberosPrincipals,ou=Users,dc=domain
> > > ou: KerberosPrincipals
> > > objectClass: top
> > > objectClass: organizationalUnit
> > >
> > > dn:
> > > krb5PrincipalName=ldapmaster/admin@DOMAN,ou=KerberosPrincipals,ou=Users,dc=domain
> > > objectClass: top
> > > objectClass: person
> > > objectClass: krb5Principal
> > > objectClass: krb5KDCEntry
> > > krb5PrincipalName: ldapmaster/admin@DOMAIN
> > > krb5KeyVersionNumber: 1
> > > krb5MaxLife: 86400
> > > krb5MaxRenew: 604800
> > > krb5KDCFlags: 126
> > > cn: ldapmaster/admin@domain
> > > sn: ldapmaster/admin@domain
> > > userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==
> > >
> > > Thanks
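A dry-run generator for the bulk case of step 4.2 (the 2000 existing users asked about earlier in the thread), added here as an example that is not from the thread, from 389ds or from MIT krb5. It assumes MIT krb5's LDAP backend is already configured as in steps 1-3, a placeholder realm EXAMPLE.COM, and a uid attribute on every user entry; the LDIF sample is constructed.

```shell
# Added example, not code from the thread, 389ds or MIT krb5: turn an LDIF
# export of existing users into kadmin.local queries of the step-4.2 form
# "addprinc -x dn=<dn>", so each principal's Kerberos attributes land on
# the user's existing entry. Assumes MIT krb5 with the LDAP KDB backend
# already set up, the realm in $REALM and a uid attribute on every user.

REALM="${REALM:-EXAMPLE.COM}"   # placeholder realm; set to the real one

# ldif_to_kadmin: LDIF on stdin -> one addprinc query per user on stdout.
# Folded lines (continuations start with a space) are unfolded first; an
# entry without a uid is reported on stderr and skipped, never guessed.
ldif_to_kadmin() {
    awk -v realm="$REALM" '
        function flush() {
            if (dn != "" && uid == "")
                print ("skip (no uid): " dn) > "/dev/stderr"
            else if (dn != "")
                # -randkey: nothing is inherited from userPassword; the admin
                # sets a password afterwards with "cpw". +requires_preauth
                # keeps the new principals from being guessed offline.
                printf "addprinc -x dn=\"%s\" -randkey +requires_preauth %s@%s\n",
                       dn, uid, realm
            dn = ""; uid = ""
        }
        function handle(l) {
            if (l == "")           flush()
            else if (l ~ /^dn: /)  dn  = substr(l, 5)
            else if (l ~ /^uid: /) uid = substr(l, 6)
        }
        /^ / { buf = buf substr($0, 2); next }   # unfold continuation line
        { if (started) handle(buf); buf = $0; started = 1 }
        END { if (started) handle(buf); flush() }
    '
}

# Constructed sample export (not real directory data): the second DN is
# folded the way ldapsearch emits long lines, the third entry has no uid.
SAMPLE_LDIF='dn: uid=jdoe,ou=People,dc=example,dc=com
uid: jdoe

dn: uid=asmith,ou=People,
 dc=example,dc=com
uid: asmith

dn: cn=svc-noid,ou=People,dc=example,dc=com
cn: svc-noid
'

# demo: dry run over the sample; review such output before feeding it to kadmin.local -q
demo() { printf '%s' "$SAMPLE_LDIF" | ldif_to_kadmin; }
```

Against a real export, run `ldif_to_kadmin < users.ldif` first and read the result; only then pipe it line by line into `kadmin.local -q`.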
Re: [389-users] About Kerberos and dirsrv
Hi,

It depends. If you want to use 389ds as a Kerberos database backend then
you should import the schema into the directory and yes, you'll need to
create principals or modify the existing ldap entries to accept kerberos
attributes, as you've said you did with openldap. I've done it with my
389ds lab and it works.

On Wed, 15-06-2011 at 12:08 +0200, Gioachino Bartolotta wrote:
> Hi all,
>
> I have a problem in setting up kerberos with 389 and I tried to do it using
> the documents available on the 389 site and RedHat.
>
> I followed everything, but I am unable to get the initial ticket from
> kerberos. Do I have to add these records as I have always done with
> openldap??
>
> dn: ou=KerberosPrincipals,ou=Users,dc=domain
> ou: KerberosPrincipals
> objectClass: top
> objectClass: organizationalUnit
>
> dn:
> krb5PrincipalName=ldapmaster/admin@DOMAN,ou=KerberosPrincipals,ou=Users,dc=domain
> objectClass: top
> objectClass: person
> objectClass: krb5Principal
> objectClass: krb5KDCEntry
> krb5PrincipalName: ldapmaster/admin@DOMAIN
> krb5KeyVersionNumber: 1
> krb5MaxLife: 86400
> krb5MaxRenew: 604800
> krb5KDCFlags: 126
> cn: ldapmaster/admin@domain
> sn: ldapmaster/admin@domain
> userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ==
>
> Thanks