Re: knowing which schema(s) to use
- To: openldap-technical@openldap.org
- Subject: Re: knowing which schema(s) to use
- From: Prentice Bisbal <pbisbal@pppl.gov>
- Date: Wed, 17 May 2017 15:44:50 -0400
- Content-language: en-US
- In-reply-to: <20170516210517.GA2164@comet.nardis.ca>
- References: <2c2e846e-086d-d8a2-a110-18d9e92c5c9c@pppl.gov> <20170516210517.GA2164@comet.nardis.ca>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0
On 05/16/2017 05:05 PM, Ryan Tandy wrote:
> On Tue, May 16, 2017 at 03:23:59PM -0400, Prentice Bisbal wrote:
>> 1. Kerberos attributes in "new" kerberos schema start with 'krb'
>> instead of 'krb5'
>
> Are you sure they are only older/newer versions of the same schema?
> That sounds to me like one of them is the MIT schema and the other is
> Heimdal. AFAIK the data formats are not really compatible despite the
> similar names for things.
>
> MIT schema:
> https://github.com/krb5/krb5/blob/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
>
> Heimdal schema:
> https://github.com/heimdal/heimdal/blob/master/lib/hdb/hdb.schema

No, I can't be 100% sure they're newer/older versions of the same
schema. The system admins I inherited this directory from are no longer
working here, and they didn't document any of their work, so I have no
idea where the older kerberos.schema file originated from.
The newer one that I am using now, the one with 'krb' instead of 'krb5'
is provided by CentOS 6 as part of the krb5-server-ldap RPM. Querying
this package indicates that it's from MIT's kerberos. We're actually
using AD for our KDC, so I should use whatever is compatible with that.
A quick Google search seems to indicate that AD is compatible with MIT
kerberos, but I couldn't find any conclusive statements to that fact.
I'll compare both schemas above to what I'm using now.

> Worth noting is that MIT has 'krbPrincipal' and 'krbPrincipalAux' but
> in Heimdal, 'krb5Principal' itself is already AUXILIARY.

Hmmm... that would indicate that the old Kerberos schema was Heimdal
Kerberos.

>> Both of these are easy to fix - just use sed to change 'krb5' to
>> 'krb', and then change 'krbPrincipal' to 'krbPrincipalAux', but is
>> this really the best/safest way to make these changes? Also, what
>> happens to apps that are looking for the 'krb5' instead of 'krb' and
>> vice-versa?
>
> Right, you can't just go modifying schema without also modifying the
> applications that have the names and expectations baked into them.
>
> Generally the correct schema to use is the one supplied with the
> software itself - in this case, whichever KDC you are using should
> have a copy of the appropriate schema shipped with it.

That's what scares me. Sure, my changes allowed me to import the
directory data with slapadd, but what happens when a critical
application like SSSD is actually looking for the other attribute name?
It looks like I've got some work to do to make sure I'm using the
correct schemas.
Prentice
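Added example, not code from this thread, from OpenLDAP, MIT or Heimdal: before rewriting attribute names with sed and re-running slapadd, compare the LDIF export against the schema file you actually intend to load and see which Kerberos names the data uses that the schema never defines. The script parses OpenLDAP-syntax `attributetype`/`objectclass` definitions and LDIF entries, reports the undefined krb*-prefixed attributes and objectClasses, and tallies krb5* (Heimdal-style) against krb* (MIT-style) names. The schema fragment and LDIF entries embedded below are constructed for the demo (placeholder OIDs, invented users); point `schema_names` at the real kerberos.schema or hdb.schema files linked above for an actual directory. The prefix test is a heuristic of mine, not something either project guarantees, and a clean name match says nothing about whether the stored key material is compatible.

```python
"""Check an LDIF export against the Kerberos schema you intend to load.

Lists every krb*-prefixed attribute and objectClass the LDIF uses that the
schema does not define, and tallies krb5* (Heimdal-style) versus krb*
(MIT-style) names. Name prefixes are only a hint: the two KDCs also encode
key material differently, so a clean name match does not prove compatibility.
"""
import re
from collections import Counter

# Constructed fragment in OpenLDAP schema syntax. Names follow the MIT layout
# (krb* prefix, krbPrincipalAux AUXILIARY); the OIDs are placeholders.
SAMPLE_MIT_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'krbPrincipalName'
        EQUALITY caseExactIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'krbPrincipalKey'
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'krbPrincipalAux'
        SUP top AUXILIARY
        MAY ( krbPrincipalName $ krbPrincipalKey ) )
"""

# Constructed LDIF dump, not real directory data: one entry written with
# Heimdal-style (krb5*) names, one with MIT-style (krb*) names.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: krb5Principal
uid: alice
cn: Alice Example
sn: Example
krb5PrincipalName: alice@EXAMPLE.COM
krb5KeyVersionNumber: 3
krb5Key:: AAAAAA==

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: krbPrincipalAux
uid: bob
cn: Bob Example
sn: Example
krbPrincipalName: bob@EXAMPLE.COM
"""

# A definition runs from an attributetype/objectclass keyword at the start of
# a line up to the next such keyword or end of file.
DEF_RE = re.compile(
    r"^(attributetype|objectclass)\b(.*?)(?=^(?:attributetype|objectclass)\b|\Z)",
    re.S | re.M | re.I)
# NAME 'x'  or  NAME ( 'x' 'y' )
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']*)'|\(([^)]*)\))")


def schema_names(schema_text):
    """Return ({lower: name}, {lower: name}) for attribute types and object
    classes declared in OpenLDAP-syntax schema text."""
    attrs, classes = {}, {}
    text = "\n".join(l for l in schema_text.splitlines()
                     if not l.lstrip().startswith("#"))
    for keyword, body in DEF_RE.findall(text):
        m = NAME_RE.search(body)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']*)'", m.group(2))
        target = attrs if keyword.lower() == "attributetype" else classes
        for n in names:
            target[n.lower()] = n
    return attrs, classes


def ldif_names(ldif_text):
    """Return ({lower: name}, {lower: name}) for attribute names and
    objectClass values used in LDIF text. Folded lines are joined; values
    other than objectClass are not decoded, only their names matter here."""
    attrs, classes = {}, {}
    for line in re.sub(r"\n ", "", ldif_text).splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.split(";")[0].strip()        # drop options such as ;binary
        if name.lower() == "dn":
            continue
        attrs[name.lower()] = name
        if name.lower() == "objectclass":
            value = value.lstrip(":<").strip()   # '::' base64 / ':<' URL markers
            classes[value.lower()] = value
    return attrs, classes


def style(name):
    """Classify a Kerberos schema name by prefix; None for non-Kerberos names."""
    lower = name.lower()
    if lower.startswith("krb5"):
        return "heimdal-style (krb5*)"
    if lower.startswith("krb"):
        return "mit-style (krb*)"
    return None


def check_ldif_against_schema(schema_text, ldif_text):
    """Report Kerberos names the LDIF uses but the schema does not define."""
    s_attrs, s_classes = schema_names(schema_text)
    l_attrs, l_classes = ldif_names(ldif_text)
    return {
        "undefined_attributes": sorted(
            n for k, n in l_attrs.items() if style(n) and k not in s_attrs),
        "undefined_objectclasses": sorted(
            n for k, n in l_classes.items() if style(n) and k not in s_classes),
        "style_counts": dict(Counter(
            style(n) for n in [*l_attrs.values(), *l_classes.values()] if style(n))),
    }


if __name__ == "__main__":
    for key, val in check_ldif_against_schema(SAMPLE_MIT_SCHEMA, SAMPLE_LDIF).items():
        print(f"{key}: {val}")
```

Run against the real export (`slapcat` output) and the schema shipped by the KDC package in use. Anything listed under the undefined keys is a name that slapadd will reject or that was only accepted because it was renamed, which is exactly where a consumer like SSSD that expects the original name would break.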