| Date: | Tue, 03 Dec 2013 21:10:13 -0500 |
| From: | Richard Basch <basch@alum.mit.edu> |
| Subject: | RE: Kerberos LDAP issues (1.11) |
| To: | krb5-bugs@mit.edu |
| CC: | "'Richard Basch'" <basch@alum.mit.edu>, richard.basch@gs.com |
In addition to the missing policy attributes I previously listed, it appears there are also missing principal attributes in the schema, such as:
krbLastAdminUnlock
From: Richard Basch [mailto:basch@alum.mit.edu]
Sent: Tuesday, December 03, 2013 8:55 PM
To: 'krb5-bugs@mit.edu'
Cc: 'Richard Basch'; 'richard.basch@gs.com'
Subject: Kerberos LDAP issues (1.11)
The schema on the web site is lacking various required attributes to support Kerberos with a LDAP backend.
http://k5wiki.kerberos.org/wiki/Kerberos.schema
When I tried creating a password policy, I encountered errors because of missing attribute definitions and discovered the following were lacking in the schema:
krbPwdAttributes
krbPwdMaxLife
krbPwdMaxRenewableLife
krbPwdAllowedKeySalts
I also am encountering issues loading a dump file (i.e. doing a conversion). Even after resolving the above missing attribute definitions, I find about 1% of the principals fail to be loaded (when using kdb5_util load –update …)
<dumpfile>(line #): cannot store principal@REALM(Database store error)
<dumpfile>(line #): cannot read dump entry header
I plan to enable additional debugging to determine the cause of the above, but I know the dump file is fine because the same dump file can be loaded into a db2 backend without issue.