[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: knowing which schema(s) to use



On 05/16/2017 05:05 PM, Ryan Tandy wrote:

On Tue, May 16, 2017 at 03:23:59PM -0400, Prentice Bisbal wrote:
1. Kerberos attributes in "new" kerberos schema start with 'krb' instead of 'krb5'

Are you sure they are only older/newer versions of the same schema? That sounds to me like one of them is the MIT schema and the other is Heimdal. AFAIK the data formats are not really compatible despite the similar names for things.

MIT schema: https://github.com/krb5/krb5/blob/master/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema Heimdal schema: https://github.com/heimdal/heimdal/blob/master/lib/hdb/hdb.schema

No, I can't be 100% sure they're newer/older versions of the same schema. The system admins I inherited this directory from are no longer working here, and they didn't document any of their work, so I have no idea where the older kerberos.schema file originated from.

The newer one that I am using now, the one with 'krb' instead of 'krb5' is provided by CentOS 6 as part of the krb5-server-ldap RPM. Querying this package indicates that it's from MIT's kerberos. We're actually using AD for our KDC, so I should use whatever is compatible with that. A quick Google search seems to indicate that AD is compatible with MIT kerberos, but I couldn't find any conclusive statements to that fact.

I'll compare both schemas above to what I'm using now.

Worth noting is that MIT has 'krbPrincipal' and 'krbPrincipalAux' but in Heimdal, 'krb5Principal' itself is already AUXILIARY.

Hmmm... that would indicate that the old Kerberos schema was Heimdal Kerberos.

Both of these are easy to fix - just use sed to change 'krb5' to 'krb', and then change 'krbPrincipal' to 'krbPrincipalAux', but is this really the best/safest way to make these changes. Also, what happens to apps that are looking for the 'krb5' instead of 'krb' and vice-versa?

Right, you can't just go modifying schema without also modifying the applications that have the names and expectations baked into them. Generally the correct schema to use is the one supplied with the software itself - in this case, whichever KDC you are using should have a copy of the appropriate schema shipped with it.

That's what scares me. Sure, my changes allowed me to import the directory data with slapadd, but what happens when a critical application like SSSD is actually looking for the other attribute name?

It looks like I've got some work to do to make sure I'm using the correct schemas.

Prentice