On 26.09.23 at 16:23, Uwe Sauter wrote:
On 26.09.23 at 15:38, Marc wrote:
I'm currently experimenting with (MIT) Kerberos and got to the point where I need to add the Kerberos definitions to LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.)
First question: is this the correct schema file, or should I use the one provided by MIT Kerberos 1.20.1 (/usr/share/doc/krb5-server-ldap/kerberos.ldif)?
If I use krb5-kdc.ldif I get the following:
[root@gateway ~]# cd /opt/symas/etc/openldap/schema/
[root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=krb5-kdc,cn=schema,cn=config"
ldap_add: Constraint violation (19)
        additional info: structuralObjectClass: no user modification allowed
This is what works (recently tested) when I create containers, see if this one works (this is everything on one line)
ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f sendmail.ldif
This worked but your sendmail.ldif doesn't contain 'structuralObjectClass' like krb5-kdc.ldif does. krb5-kdc.ldif also contains lines with 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName', 'modifyTimestamp' and 'entryCSN'.
Is my fundamental error here that krb5-kdc.ldif needs to be added by slapadd instead of ldapadd?
Having a closer look at kerberos.ldif I see that there are no lines containing 'olc'. It seems that this is still in the old 'schema' format although kerberos.ldif and kerberos.schema provided by MIT differ… I'm getting the impression that both files are still for the old 'slapd.conf' configuration style, one to be used with slapadd, the other with ldapadd.
Further investigation showed that there is a working 'slapd.d' style file provided by MIT at https://raw.githubusercontent.com/krb5/krb5/master/src/plugins/kdb/ldap/libk...
This one works both with slapadd and ldapadd.
So some questions still remain: which file should be used? Symas' krb5-kdc.ldif or MIT's kerberos.openldap.ldif? Are they equivalent? Is krb5-kdc.ldif a schema definition independent of the Kerberos server implementation (MIT/Heimdal/…)?
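As an added illustration (not code from the thread, Symas or MIT), the helper below reads an LDIF file, lists the operational attributes that slapd maintains itself and that ldapadd refuses with "no user modification allowed" (the seven named in the message above), and checks for the olc* attributes that mark a slapd.d-style file. The LDIF content is a constructed sample, not the contents of krb5-kdc.ldif.

```python
import re

# Attributes slapd maintains itself: slapadd writes them straight into the
# database, but ldapadd goes through the server's checks and rejects them
# ("Constraint violation (19) ... no user modification allowed").
OPERATIONAL_ATTRS = {
    "structuralobjectclass", "entryuuid", "creatorsname", "createtimestamp",
    "modifiersname", "modifytimestamp", "entrycsn",
}

# Constructed sample; attribute OID and name are placeholders, not real schema.
SAMPLE_LDIF = """\
dn: cn=krb5-kdc,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: krb5-kdc
olcAttributeTypes: ( 1.1.1.1 NAME 'sampleAttr'
  DESC 'constructed sample' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20230926000000Z
entryCSN: 20230926000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20230926000000Z
"""

def unfold_ldif(text):
    """Join LDIF continuation lines (a line beginning with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def strip_operational(text):
    """Return (ldif without operational attributes, list of attribute names dropped)."""
    kept, dropped = [], []
    for line in unfold_ldif(text):
        m = re.match(r"^([A-Za-z][\w;.-]*):", line)
        if m and m.group(1).lower() in OPERATIONAL_ATTRS:
            dropped.append(m.group(1))
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", dropped

def is_cn_config_ldif(text):
    """True if the file looks like slapd.d style: olc* attributes or a DN under cn=config."""
    for line in unfold_ldif(text):
        low = line.lower()
        if low.startswith("olc") or (low.startswith("dn:") and "cn=config" in low):
            return True
    return False
```

Running `strip_operational` over a slapcat-style export shows exactly which lines make ldapadd fail, while `is_cn_config_ldif` distinguishes a slapd.d file from an old slapd.conf-style schema that carries no olc* attributes.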