Adding principals

LDAP as a principal store

© 2014 Dennis Leeuw dleeuw at made-it dot com
License: GPLv2 or later

Index

    1. Supporting Users
    2. Supporting Computers

Supporting Users

To make an LDAP entry a Kerberos principal add the krbPrincipalAux object class to the entry, using a simple LDIF:

dn: cn=dleeuw,ou=people,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: krbPrincipalAux
-
add: krbPrincipalName
krbPrincipalName: dleeuw@EXAMPLE.COM

With the cpw command of kadmin.local you can now set a password, and with it the Kerberos keys, for the user. Until you do, the entry is a principal without keys and cannot authenticate. The above process has to be done for all users. If the entry also has a userPassword attribute, give the Kerberos principal a different password from the LDAP one, so that while testing you can tell whether a login was checked against Kerberos or against the LDAP password.

Supporting Computers

For a machine to be known to the KDC, so that service tickets for it can be issued and verified, it needs at least a host principal. The device's LDAP entry is extended in the same way as a user's:

dn: cn=myhost,ou=devices,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: krbPrincipalAux
-
add: krbPrincipalName
krbPrincipalName: host/myhost.example.com@EXAMPLE.COM

With the cpw command of kadmin.local you can now set the key for the device. A machine has no password to type, so give it a random key:

cpw -randkey host/myhost.example.com

The key only exists in the database at this point; export it to a keytab with the ktadd command of kadmin.local and copy that keytab to the machine over a secure channel, otherwise the host cannot use its principal. The above process has to be done for all devices.
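The two sections above do the same thing by hand for a user and for a host: extend an existing LDAP entry with krbPrincipalAux and a krbPrincipalName, then set the keys with kadmin.local. The script below is an added example, not code from the original page or from the krb5 project: it generates those LDIF records, refuses principal names in the wrong realm or host names that are not fully qualified, and only when run with APPLY=1 pipes them into ldapmodify and runs the matching cpw command. The realm, base DN and ou=people/ou=devices layout are the page's placeholders; the ldapi:/// SASL EXTERNAL bind (root on the LDAP server) is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page. Generates the krbPrincipalAux
# LDIF records for users and hosts, checks the principal names first and,
# only when APPLY=1, feeds them to ldapmodify and sets the keys with
# kadmin.local (run as root on the KDC).
# Assumptions: REALM, BASE_DN and the ou=people / ou=devices layout are the
# page's placeholders; the ldapi:/// SASL EXTERNAL bind is hypothetical.

REALM="EXAMPLE.COM"
BASE_DN="dc=example,dc=com"
LDAP_URI="ldapi:///"

# principal_ldif DN PRINCIPAL: print one LDIF modify record that turns the
# existing entry DN into a Kerberos principal. Refuses a principal whose realm
# is not exactly $REALM (realm names are case-sensitive in Kerberos).
principal_ldif() {
    case "$2" in
        *@"$REALM") ;;
        *) echo "principal_ldif: '$2' is not in realm $REALM" >&2; return 1 ;;
    esac
    printf 'dn: %s\n' "$1"
    printf 'changetype: modify\n'
    printf 'add: objectClass\nobjectClass: krbPrincipalAux\n-\n'
    printf 'add: krbPrincipalName\nkrbPrincipalName: %s\n\n' "$2"
}

# user_ldif UID: record for cn=UID,ou=people with principal UID@REALM
user_ldif() {
    principal_ldif "cn=$1,ou=people,$BASE_DN" "$1@$REALM"
}

# host_ldif SHORTNAME FQDN: record for cn=SHORTNAME,ou=devices with principal
# host/FQDN@REALM. Clients ask for host/<canonical FQDN>, so a short name
# here would create a principal nobody ever requests a ticket for.
host_ldif() {
    case "$2" in
        *.*) ;;
        *) echo "host_ldif: '$2' is not a fully qualified name" >&2; return 1 ;;
    esac
    principal_ldif "cn=$1,ou=devices,$BASE_DN" "host/$2@$REALM"
}

# The kadmin.local commands that set the keys: a user gets a password prompt
# from cpw, a host gets a random key (to be exported with ktadd afterwards).
user_key_cmd() { printf 'cpw %s@%s' "$1" "$REALM"; }
host_key_cmd() { printf 'cpw -randkey host/%s@%s' "$1" "$REALM"; }

# apply_ldif KADMIN_CMD: read one LDIF record on stdin, load it over the
# local socket, then run the given kadmin.local command.
apply_ldif() {
    ldapmodify -Q -Y EXTERNAL -H "$LDAP_URI" && kadmin.local -q "$1"
}

if [ "${APPLY:-0}" = 1 ]; then
    user_ldif dleeuw | apply_ldif "$(user_key_cmd dleeuw)"
    host_ldif myhost myhost.example.com \
        | apply_ldif "$(host_key_cmd myhost.example.com)"
else
    # Dry run (default): print the records and commands for review.
    user_ldif dleeuw
    host_ldif myhost myhost.example.com
    user_key_cmd dleeuw; echo
    host_key_cmd myhost.example.com; echo
fi
```

Run it once without APPLY to review the generated records, then with APPLY=1 as root on the KDC. The realm check matters because the KDC treats dleeuw@example.com and dleeuw@EXAMPLE.COM as different principals, and a mistyped realm silently creates an entry that never matches a login.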