Re: knowing which schema(s) to use
On Tue, May 16, 2017 at 03:23:59PM -0400, Prentice Bisbal wrote:
> 1. Kerberos attributes in "new" kerberos schema start with 'krb'
> instead of 'krb5'
Are you sure they are only older/newer versions of the same schema? That
sounds to me like one of them is the MIT schema and the other is
Heimdal. AFAIK the data formats are not really compatible despite the
similar names for things.
MIT schema: https://github.com/krb5/krb5/blob/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
Heimdal schema: https://github.com/heimdal/heimdal/blob/master/lib/hdb/hdb.schema
Worth noting is that MIT has 'krbPrincipal' and 'krbPrincipalAux' but in
Heimdal, 'krb5Principal' itself is already AUXILIARY.
> Both of these are easy to fix - just use sed to change 'krb5' to
> 'krb', and then change 'krbPrincipal' to 'krbPrincipalAux', but is
> this really the best/safest way to make these changes? Also, what
> happens to apps that are looking for the 'krb5' instead of 'krb' and
> vice-versa?
Right, you can't just go modifying schema without also modifying the
applications that have the names and expectations baked into them.
Generally the correct schema to use is the one supplied with the
software itself - in this case, whichever KDC you are using should have
a copy of the appropriate schema shipped with it.
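As an added illustration (not part of the thread above, and not code from either the MIT or Heimdal project), the following Python script parses `objectclass ( ... )` definitions in the textual schema form, reports the naming family (`krb5` prefix vs. plain `krb`) and whether the principal class is STRUCTURAL or AUXILIARY, and then applies the sed rewrite proposed in the question to show what it does to the names. The two schema fragments are constructed for this example: they imitate the shape of the linked kerberos.schema and hdb.schema files and keep the differences the reply points out, but the OIDs (under a made-up arc) and attribute lists are illustrative, not copied from either file.

```python
import re

# Constructed sample schema fragments for this example (not copied from
# either project). They imitate the shape of MIT's kerberos.schema and
# Heimdal's hdb.schema: an OID under a made-up arc, a NAME, the class kind,
# and MUST/MAY attribute lists. Only the naming and kind differences the
# thread points out are preserved; the attribute lists are illustrative.
MIT_STYLE = """\
objectclass ( 1.3.6.1.4.1.99999.1.1 NAME 'krbPrincipalAux' SUP top AUXILIARY
    MAY ( krbPrincipalName $ krbPrincipalKey $ krbTicketFlags ) )
objectclass ( 1.3.6.1.4.1.99999.1.2 NAME 'krbPrincipal' SUP top STRUCTURAL
    MUST krbPrincipalName MAY krbObjectReferences )
"""

HEIMDAL_STYLE = """\
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'krb5Principal' SUP top AUXILIARY
    MUST krb5PrincipalName MAY ( cn $ krb5PrincipalRealm ) )
objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'krb5KDCEntry' SUP top AUXILIARY
    MUST krb5KeyVersionNumber MAY ( krb5Key $ krb5MaxLife ) )
"""


def _balanced(text, start):
    """Return text[start:] up to the ')' matching the '(' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
    raise ValueError("unbalanced parentheses in schema definition")


def _attr_list(body, keyword):
    """Attribute names following MUST or MAY: one bare name or '( a $ b )'."""
    m = re.search(r"\b%s\s+" % keyword, body)
    if not m:
        return []
    rest = body[m.end():]
    if rest.startswith("("):
        inner = _balanced(rest, 0)[1:-1]
        return [a.strip() for a in inner.split("$") if a.strip()]
    return [re.match(r"[A-Za-z0-9-]+", rest).group(0)]


def parse_objectclasses(schema_text):
    """Parse each 'objectclass ( ... )' definition into a dict."""
    classes = []
    for m in re.finditer(r"(?im)^\s*objectclass\s*\(", schema_text):
        body = _balanced(schema_text, m.end() - 1)
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", body)
        classes.append({
            "name": name,
            # RFC 4512: an objectclass with no kind keyword is STRUCTURAL
            "kind": kind.group(1) if kind else "STRUCTURAL",
            "must": _attr_list(body, "MUST"),
            "may": _attr_list(body, "MAY"),
        })
    return classes


def class_kinds(classes):
    """Map object class name -> STRUCTURAL/AUXILIARY/ABSTRACT."""
    return {c["name"]: c["kind"] for c in classes}


def schema_family(classes):
    """Guess the family from the object class prefixes: 'krb5' for Heimdal,
    plain 'krb' for MIT. Test 'krb5' first, since 'krb' is its prefix."""
    families = set()
    for c in classes:
        if c["name"].startswith("krb5"):
            families.add("heimdal")
        elif c["name"].startswith("krb"):
            families.add("mit")
        else:
            families.add("other")
    return families.pop() if len(families) == 1 else "mixed"


def naive_rename(schema_text):
    """The sed rewrite proposed in the question:
    s/krb5/krb/g; s/krbPrincipal/krbPrincipalAux/g"""
    return schema_text.replace("krb5", "krb").replace("krbPrincipal", "krbPrincipalAux")


def krb_attrs_missing_from(classes, reference):
    """krb-prefixed attributes referenced by 'classes' that no class in
    'reference' mentions; shows what a renamed schema now points at."""
    def referenced(cs):
        return {a for c in cs for a in c["must"] + c["may"] if a.startswith("krb")}
    return sorted(referenced(classes) - referenced(reference))


if __name__ == "__main__":
    mit = parse_objectclasses(MIT_STYLE)
    heimdal = parse_objectclasses(HEIMDAL_STYLE)
    print("MIT-style:", schema_family(mit), class_kinds(mit))
    print("Heimdal-style:", schema_family(heimdal), class_kinds(heimdal))
    renamed = parse_objectclasses(naive_rename(HEIMDAL_STYLE))
    print("after sed:", class_kinds(renamed))
    print("attributes the renamed schema needs but MIT-style never defines:",
          krb_attrs_missing_from(renamed, mit))
    print("same sed applied to MIT-style mangles:",
          "krbPrincipalAuxAux" in naive_rename(MIT_STYLE))
```

Two things fall out of running it on the constructed fragments. First, the second substitution is a substring match, so `krb5PrincipalName` becomes `krbPrincipalAuxName` and `krb5PrincipalRealm` becomes `krbPrincipalAuxRealm`, names nothing in the MIT-style fragment defines; applied to the MIT-style text instead, it turns `krbPrincipalAux` into `krbPrincipalAuxAux`. Second, even where a name does line up, the parsed kind still differs (Heimdal's principal class is AUXILIARY, MIT's `krbPrincipal` is STRUCTURAL), which is exactly the mismatch a KDC expecting the other layout would trip over. To check a live directory rather than a file, fetch the `objectClasses` attribute from `cn=Subschema` and feed that text to `parse_objectclasses`.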