List: krbdev
Subject: Re: Difference between kerberos.openldap.ldif and kerberos.ldif; why kdb5_ldap_util create does not
From: Greg Hudson <ghudson () mit ! edu>
Date: 2019-08-30 23:45:53
Message-ID: 25dbcd2f-7693-e202-271a-6279ee88af69 () mit ! edu
On 8/30/19 4:53 PM, Дилян Палаузов wrote:
> • what is the difference between
> krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema ,
> krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif and
> krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif ?
The .schema file is intended for consumption by old-style OpenLDAP
configuration files. The .ldif file is intended for consumption by
Netscape-derived LDAP servers, I believe, while the .openldap.ldif file
was added more recently for consumption by OpenLDAP cn=config.
> https://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/ldapbackend.html
> suggests doing conversions and [...]
That page was written before kerberos.openldap.ldif was added and hasn't
been revised. I will make a note to update it.
> Why do I have to pass -H in order to see the domains:
I think because of the [dbdefaults] ldap_servers issue described later.
> • The documentation at
> https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#dbdefaults
> suggests that if ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi is in the
> [dbdefaults] section, then it does not have to be listed in a module within
> [dbmodules]. I cannot confirm this.
This appears to be a long-standing documentation error. I will correct
the documentation to remove ldap_servers from the list of LDAP variables
which can appear in [dbdefaults].
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
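
Added example, not part of the message above and not code from the krb5 project: a small check that reports ldap_servers placed in [dbdefaults] (the placement the reply calls a documentation error) and the kldap modules in [dbmodules] that have no ldap_servers of their own. The sample configuration and its module names are constructed for illustration.

```python
import re

# Constructed sample kdc.conf; module names are placeholders, not from the thread.
SAMPLE = """\
[dbdefaults]
    ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
    }
    fixed_ldapconf = {
        db_library = kldap
        ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi
    }
"""

def parse_profile(text):
    """Parse [section] / key = value / key = { ... } (one nesting level)."""
    sections, section, module = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, module = sections.setdefault(m.group(1), {}), None
        elif line == "}":
            module = None
        elif section is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if value == "{":
                module = section.setdefault(key, {})
            else:
                (module if module is not None else section)[key] = value
    return sections

def check_ldap_servers(text):
    """Flag ldap_servers in [dbdefaults] and the kldap modules relying on it."""
    conf = parse_profile(text)
    if "ldap_servers" not in conf.get("dbdefaults", {}):
        return []
    findings = ["[dbdefaults] ldap_servers: set it per module in [dbmodules]"]
    for name, body in conf.get("dbmodules", {}).items():
        is_kldap = isinstance(body, dict) and body.get("db_library") == "kldap"
        if is_kldap and "ldap_servers" not in body:
            findings.append(f"[dbmodules] {name}: no ldap_servers of its own")
    return findings

if __name__ == "__main__":
    print("\n".join(check_ldap_servers(SAMPLE)))
```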