
Re: knowing which schema(s) to use
On Tue, May 16, 2017 at 03:23:59PM -0400, Prentice Bisbal wrote:
> 1. Kerberos attributes in "new" kerberos schema start with 'krb' instead of 'krb5'

Are you sure they are only older/newer versions of the same schema? That sounds to me like one of them is the MIT schema and the other is Heimdal. AFAIK the data formats are not really compatible despite the similar names for things.

MIT schema: https://github.com/krb5/krb5/blob/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
Heimdal schema: https://github.com/heimdal/heimdal/blob/master/lib/hdb/hdb.schema

Worth noting is that MIT has 'krbPrincipal' and 'krbPrincipalAux' but in Heimdal, 'krb5Principal' itself is already AUXILIARY.

> Both of these are easy to fix - just use sed to change 'krb5' to 'krb', and then change 'krbPrincipal' to 'krbPrincipalAux', but is this really the best/safest way to make these changes? Also, what happens to apps that are looking for the 'krb5' instead of 'krb' and vice versa?

Right, you can't just go modifying schema without also modifying the applications that have the names and expectations baked into them. Generally the correct schema to use is the one supplied with the software itself - in this case, whichever KDC you are using should have a copy of the appropriate schema shipped with it.
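As an added example (not part of the thread, and not code from either project), a small Python check that reads objectclass definitions in LDAP schema syntax and reports whether they follow the MIT convention ('krb' prefix, separate 'krbPrincipalAux') or the Heimdal one ('krb5' prefix, 'krb5Principal' already AUXILIARY), and which classes a given KDC would find missing. The sample definitions and their OIDs are constructed and simplified, not copied from either schema file.

```python
"""Classify Kerberos LDAP schema definitions as MIT-style or Heimdal-style.

Added example, not from the original thread. The sample definitions are
constructed and simplified: only the NAME and kind tokens are meaningful,
and the OIDs are placeholders, not the OIDs assigned in the real schemas.
"""
import re

# Constructed sample of the two objectclass shapes the thread contrasts.
MIT_SAMPLE = """
objectclass ( 1.1.1.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST ( krbPrincipalName ) )
objectclass ( 1.1.1.2 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName ) )
"""
HEIMDAL_SAMPLE = """
objectclass ( 2.2.2.1 NAME 'krb5Principal' SUP top AUXILIARY MUST ( krb5PrincipalName ) )
objectclass ( 2.2.2.2 NAME 'krb5KDCEntry' SUP top AUXILIARY MAY ( krb5KeyVersionNumber ) )
"""

# objectclass ( <oid> NAME '<name>' ... STRUCTURAL|AUXILIARY|ABSTRACT ... )
OBJECTCLASS_RE = re.compile(
    r"objectclass\s*\(\s*\S+\s+NAME\s+'([^']+)'.*?\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b",
    re.IGNORECASE | re.DOTALL,
)

# What each KDC family expects to find already loaded in the directory.
EXPECTED = {
    "MIT": {"krbPrincipalAux": "AUXILIARY"},
    "Heimdal": {"krb5Principal": "AUXILIARY"},
}


def parse_objectclasses(schema_text):
    """Return {name: kind} for every objectclass definition in schema_text."""
    return {m.group(1): m.group(2).upper() for m in OBJECTCLASS_RE.finditer(schema_text)}


def classify(objectclasses):
    """Return 'MIT', 'Heimdal', 'mixed' or 'unknown' from the name prefixes."""
    heimdal = {n for n in objectclasses if n.startswith("krb5")}
    mit = {n for n in objectclasses if n.startswith("krb")} - heimdal
    if mit and heimdal:
        return "mixed"
    return "MIT" if mit else "Heimdal" if heimdal else "unknown"


def missing_for_kdc(objectclasses, kdc):
    """Classes the given KDC relies on that are absent or of the wrong kind."""
    return sorted(n for n, kind in EXPECTED[kdc].items() if objectclasses.get(n) != kind)
```

Running `missing_for_kdc` for the KDC you actually deploy against the schema your directory has loaded shows the mismatch the reply warns about before anything is renamed with sed.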