0.- Backup your current installation or create a new 389ds instance.
1.- Configure the kdc to use ldap as a database backend.
2.- Get the 60kerberos.ldif from freeIPA (it works out of the box with 389ds) and copy it to the instance's "schema" folder. Add krb5principalname to your suffix database indexes. Restart dirsrv.
3.- Create the realm with kdb5_ldap_util.
4.- Create kerberos principals for your users
4.1 for new users , "addprinc <principal> "
4.2 for existing ldap users, "addprinc -x dn=<full dn of the user> <principal". This will add kerberos attributes to an existing ldap user.
Regards!
El mié, 15-06-2011 a las 13:10 +0200, Gioachino Bartolotta escribió:
Hi !! Yes, I want to use 389ds as a backend for kerberos. So, everything will work just if I import the schemas on 389ds? Another question. I have actually 2 389ds configured with multimaster replica, and on each server there is a kdc (1 master and 1 slave). I have to copy the same keytab on both servers? Have I also to change the file /etc/sysconfig/saslauthd with these parameters?? MECH_OPTIONS="" THREADS=5 START=yes MECHANISMS="ldap" OPTIONS="-m /var/run/saslauthd Then ... I am missing something else?? Thank you. 2011/6/15 Juan Carlos Camargo Carrillo <juancar@xxxxxxxxxx>: > Hi, > > It depends. If you want to use 389ds as a Kerberos database backend then > you should import the schema into the directory and yes, you'll need to > create principals or modify the existing ldap entries to accept kerberos > attributes, as you've said you did with openldap. I've done it with my > 389ds lab and it works. > > El mié, 15-06-2011 a las 12:08 +0200, Gioachino Bartolotta escribió: > > Hi all, > > I have a problem in setup kerberos with 389 and I tried to do using > the documents available on 389 site and RedHat. > > I followed everything, but I am unable to get the initial ticket from > kerberos. Have I to add these records as I have always done with > openldap?? > > dn: ou=KerberosPrincipals,ou=Users,dc=domain > ou: KerberosPrincipals > objectClass: top > objectClass: organizationalUnit > > dn: > krb5PrincipalName=ldapmaster/admin@DOMAN,ou=KerberosPrincipals,ou=Users,dc=domain > objectClass: top > objectClass: person > objectClass: krb5Principal > objectClass: krb5KDCEntry > krb5PrincipalName: ldapmaster/admin@DOMAIN > krb5KeyVersionNumber: 1 > krb5MaxLife: 86400 > krb5MaxRenew: 604800 > krb5KDCFlags: 126 > cn: ldapmaster/admin@domain > sn: ldapmaster/admin@domain > userPassword: {MD5}5S2YxFmBmhF3WTbY37t5KQ== > > Thanks > > > > -- > 389 users mailing list > 389-users@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/389-users >
-- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users
