I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.)
First question: is this the correct schema file, or should I use the one provided by MIT Kerberos 1.20.1 (/usr/share/doc/krb5-server-ldap/kerberos.ldif)?
If I use krb5-kdc.ldif I get the following:
[root@gateway ~]# cd /opt/symas/etc/openldap/schema/
[root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=krb5-kdc,cn=schema,cn=config"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
This is what works (recently tested) when I create containers; see if this one works for you (the paste below has everything on one line).
ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f sendmail.ldif
dn: cn=sendmail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sendmail
olcAttributeTypes: {0}( 1.3.6.1.4.1.6152.10.3.1.10 NAME 'sendmailMTACluster' DESC 'cluster name associated with a set of MTAs' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.6152.10.3.1.11 NAME 'sendmailMTAHost' DESC 'host name associated with a MTA cluster' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {2}( 1.3.6.1.4.1.6152.10.3.1.13 NAME 'sendmailMTAKey' DESC 'key (left hand side) of an aliases or map entry' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {3}( 1.3.6.1.4.1.6152.10.3.1.14 NAME 'sendmailMTAMapName' DESC 'identifier for the particular map' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.6152.10.3.1.16 NAME 'sendmailMTAMapValue' DESC 'value (right hand side) of a map entry' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.6152.10.3.1.24 NAME 'sendmailMTAMapSearch' DESC 'recursive search for values of a map entry' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.6152.10.3.1.25 NAME 'sendmailMTAMapURL' DESC 'recursive search URL for values of a map entry' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.6152.10.3.1.18 NAME 'sendmailMTAAliasGrouping' DESC 'name that identifies a particular aliases grouping' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {8}( 1.3.6.1.4.1.6152.10.3.1.20 NAME 'sendmailMTAAliasValue' DESC 'value (right hand side) of an alias' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.6152.10.3.1.26 NAME 'sendmailMTAAliasSearch' DESC 'recursive search for values of an alias' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.6152.10.3.1.27 NAME 'sendmailMTAAliasURL' DESC 'recursive search URL for values of an alias' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.6152.10.3.1.22 NAME 'sendmailMTAClassName' DESC 'identifier for the class' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.6152.10.3.1.23 NAME 'sendmailMTAClassValue' DESC 'member of a class' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {13}( 1.3.6.1.4.1.6152.10.3.1.28 NAME 'sendmailMTAClassSearch' DESC 'recursive search for members of a class' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.6152.10.3.1.29 NAME 'sendmailMTAClassURL' DESC 'recursive search URL for members of a class' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.6152.10.3.2.10 NAME 'sendmailMTA' DESC 'Sendmail MTA definition' SUP top STRUCTURAL MAY ( sendmailMTACluster $ sendmailMTAHost $ Description ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.6152.10.3.2.11 NAME 'sendmailMTAMap' DESC 'Sendmail MTA map definition' SUP sendmailMTA STRUCTURAL MUST sendmailMTAMapName MAY ( sendmailMTACluster $ sendmailMTAHost $ Description ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.6152.10.3.2.12 NAME 'sendmailMTAMapObject' DESC 'Sendmail MTA map object' SUP sendmailMTAMap STRUCTURAL MUST ( sendmailMTAMapName $ sendmailMTAKey ) MAY ( sendmailMTACluster $ sendmailMTAHost $ sendmailMTAMapValue $ sendmailMTAMapSearch $ sendmailMTAMapURL $ Description ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.6152.10.3.2.13 NAME 'sendmailMTAAlias' DESC 'Sendmail MTA alias definition' SUP sendmailMTA STRUCTURAL MAY ( sendmailMTAAliasGrouping $ sendmailMTACluster $ sendmailMTAHost $ Description ) )
olcObjectClasses: {4}( 1.3.6.1.4.1.6152.10.3.2.14 NAME 'sendmailMTAAliasObject' DESC 'Sendmail MTA alias object' SUP sendmailMTAAlias STRUCTURAL MUST sendmailMTAKey MAY ( sendmailMTAAliasGrouping $ sendmailMTACluster $ sendmailMTAHost $ sendmailMTAAliasValue $ sendmailMTAAliasSearch $ sendmailMTAAliasURL $ Description ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.6152.10.3.2.15 NAME 'sendmailMTAClass' DESC 'Sendmail MTA class definition' SUP sendmailMTA STRUCTURAL MUST sendmailMTAClassName MAY ( sendmailMTACluster $ sendmailMTAHost $ sendmailMTAClassValue $ sendmailMTAClassSearch $ sendmailMTAClassURL $ Description ) )
~