System Administration Guide: Security Services

Managing a KDC on an LDAP Directory Server

Most of the KDC administration tasks using an LDAP Directory Server are the same as those for the DB2 server. There are some new tasks that are specific to working with LDAP.

Table 23-3 Configuring KDC Servers (Task Map)

  Task: Configuring a Master KDC
  Description: Configures and builds the master KDC server and database for a realm using a manual process and using LDAP for the KDC.
  For Instructions: How to Configure a KDC to Use an LDAP Data Server

  Task: Mix Kerberos principal attributes with non-Kerberos object class types.
  Description: Allows information stored with the Kerberos records to be shared with other LDAP databases.
  For Instructions: How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

  Task: Destroy a Realm
  Description: Removes all of the data associated with a realm.
  For Instructions: How to Destroy a Realm on an LDAP Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type

This procedure allows Kerberos principal attributes to be associated with non-Kerberos object class types. In this procedure, the krbprincipalaux and krbTicketPolicyAux object classes and the krbPrincipalName attribute are added to entries in the people object class.

In this procedure, the following configuration parameters are used:

  1. Become superuser.
  2. Prepare each entry in the people object class.

    Repeat this step for each entry.

    cat << EOF | ldapmodify -h directory-server-host -D "cn=directory manager"
    dn: uid=willf,ou=people,dc=example,dc=com
    changetype: modify
    add: objectClass
    objectClass: krbprincipalaux
    objectClass: krbTicketPolicyAux
    -
    add: krbPrincipalName
    krbPrincipalName: willf@EXAMPLE.COM
    EOF

    Replace directory-server-host with the host name of the LDAP Directory Server. Each change in a changetype: modify entry is introduced by an add: line, and successive changes are separated by a line containing only a hyphen; the heredoc is closed by the EOF line.
  3. Add a subtree attribute to the realm container.

    This step allows for searching of principal entries in the ou=people,dc=example,dc=com container, as well as in the default EXAMPLE.COM container.

    # kdb5_ldap_util -D "cn=directory manager" modify \
                -subtrees 'ou=people,dc=example,dc=com' -r EXAMPLE.COM
  4. (Optional) If the KDC records are stored in DB2, migrate DB2 entries.
    1. Dump the DB2 entries.
      # kdb5_util dump > dumpfile
    2. Load the database into the LDAP server.
      # kdb5_util load -update dumpfile
  5. (Optional) Add the principal attributes to the KDC.
    # kadmin.local -q 'addprinc willf'

How to Destroy a Realm on an LDAP Directory Server

This procedure can be used if a different LDAP Directory Server has been configured to handle a realm.

  1. Become superuser.
  2. Destroy the realm.
    # kdb5_ldap_util -D "cn=directory manager" destroy
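Because destroy removes every record of the realm, an operator normally wants two guards in front of it: confirmation that the named realm is really the one registered in this directory, and a dump of the principal database taken first so the data can be reloaded with kdb5_util load if the wrong server was targeted. The script below is an added example and not part of the Solaris documentation. It assumes that kdb5_ldap_util list prints one realm name per line, that the bind DN is cn=directory manager as in the procedure, that /var/tmp is an acceptable place for the dump, and that the RUN_DESTROY variable gating the live run is this script's own convention.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation.
# Guarded realm destruction: verify the realm is listed, dump it, then destroy.

# Return 0 when REALM appears as a complete line of LIST_OUTPUT
# (assumed format of "kdb5_ldap_util list": one realm per line).
realm_listed() {
  realm=$1
  list_output=$2
  printf '%s\n' "$list_output" | grep -Fqx -- "$realm"
}

# Backup file name for a realm at a given epoch time (location assumed).
backup_name() {
  printf '/var/tmp/kdb-%s-%s.dump' "$1" "$2"
}

destroy_realm_guarded() {
  realm=$1
  [ -n "$realm" ] || { echo 'usage: destroy_realm_guarded REALM' >&2; return 2; }
  listed=$(kdb5_ldap_util -D "cn=directory manager" list)
  if ! realm_listed "$realm" "$listed"; then
    printf 'realm %s is not registered in this directory; refusing\n' "$realm" >&2
    return 1
  fi
  # Dump first so the principals can be reloaded with "kdb5_util load" if needed.
  dump=$(backup_name "$realm" "$(date +%s)")
  kdb5_util -r "$realm" dump "$dump" || return 1
  printf 'dump written to %s\n' "$dump"
  kdb5_ldap_util -D "cn=directory manager" destroy -r "$realm"
}

# Live run only when explicitly requested: RUN_DESTROY=1 ./destroy.sh EXAMPLE.COM
if [ "${RUN_DESTROY:-0}" = 1 ]; then destroy_realm_guarded "$1"; fi
```

Passing -r explicitly to destroy avoids relying on the default realm from the Kerberos configuration, which is the usual way a destroy ends up hitting the wrong realm on a host that serves more than one.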

  Published under the terms of the Public Documentation License Version 1.01. Design by Interspire