Renaming a Kerberos realm (all principal info stored in LDAP DIT)

Hi,

I would like to know whether it's possible to rename a Kerberos realm
when all Kerberos related info is stored in an LDAP DIT (OpenLDAP and
MIT Kerberos running on Debian Lenny AMD64)?

Reason for this is that I will move my KDC to a new internal subnet
(having a new internal DNS domain) and I would like my Kerberos realm
to be "in sync" with the new DNS domain name.

The Kerberos related info is stored in an "ou" (organizationalUnit)
subtree named "krb5" (initially populated with kdb5_ldap_util).

Is it "safe" to

- shutdown both KDC and kadmin server
  /etc/init.d/krb5-kdc stop
  /etc/init.d/krb5-admin-server stop
- shutdown OpenLDAP (/etc/init.d/slapd stop)
- dump the DIT (slapcat -l <file_name>)
- open DIT file in editor and change all occurrences from
  MY.OLD.REALM to MY.NEW.REALM
- modify the realm name in /etc/krb5.conf and /etc/krb5kdc/kdc.conf
  accordingly
- delete old LDAP databases
- start OpenLDAP in order to obtain a fresh database
  (/etc/init.d/slapd start)
- shutdown OpenLDAP again (/etc/init.d/slapd stop)
- add DIT again (slapadd -l <file_name>)
- restart OpenLDAP (/etc/init.d/slapd start)

or did I forget any relevant step(s)/substep(s)?

Thanks in advance for sharing your thoughts & kind regards,

     Holger

6/15/2010 9:39:08 AM
comp.protocols.kerberos
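The "open the dump in an editor and replace every occurrence" step above is the fragile part of the procedure: slapcat base64-encodes any value that is not safe ASCII (written as "attr:: ..."), folds long lines with a leading space, and stores binary structures such as krbPrincipalKey and krbExtraData that must not be edited as text. The following script is an added example and is not the poster's code; it assumes a slapcat-style dump and the MIT krb5 LDAP schema attribute names, and the realm names, DNs and the sample dump it contains are constructed for illustration. It unfolds the LDIF, rewrites the realm in plain values and in base64 values that decode to clean text, leaves binary values untouched, and reports any binary value that still contains the old realm so the admin can decide what to do with it.

```python
"""Rename a Kerberos realm inside a slapcat dump of the MIT krb5 LDAP backend.

Added example, not the original poster's code.  Assumes MIT krb5 schema
attribute names; realm names and the sample dump are constructed.
"""
import base64
import re

OLD_REALM = "MY.OLD.REALM"   # constructed sample realms (assumptions)
NEW_REALM = "MY.NEW.REALM"

# MIT krb5 attributes holding binary structures.  A textual substitution
# inside them could corrupt length-prefixed fields, so they are never
# rewritten, only reported when they contain the old realm.
KNOWN_BINARY = {"krbPrincipalKey", "krbExtraData"}

# "attr: value" or "attr:: base64value"; slapcat does not emit "attr:< url".
_ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def unfold(ldif: str) -> list[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: list[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def _is_text(raw: bytes) -> bool:
    """True if a decoded base64 value is plain text that is safe to edit."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\t\r\n" for ch in text)


def rename_realm(ldif: str, old: str, new: str) -> tuple[str, dict]:
    """Return (rewritten LDIF, report).  Binary values are kept as-is."""
    # Match the realm only as a whole token: not SUB.MY.OLD.REALM or MY.OLD.REALMX.
    realm_re = re.compile(r"(?<![\w.-])" + re.escape(old) + r"(?![\w.-])")
    report: dict = {"plain": 0, "base64_text": 0, "binary_hits": []}
    out: list[str] = []
    current_dn = ""
    for line in unfold(ldif):
        m = _ATTR_RE.match(line)
        if not m:                                   # entry separator or comment
            out.append(line)
            continue
        attr, sep, value = m.groups()
        if sep == ":":                              # plain value (DNs included)
            if attr == "dn":
                current_dn = value                  # keep the pre-rename DN for reporting
            value, n = realm_re.subn(new, value)
            report["plain"] += n
            out.append(f"{attr}: {value}" if value else f"{attr}:")
            continue
        raw = base64.b64decode(value)               # base64 value
        if attr == "dn":
            current_dn = raw.decode("utf-8", "replace")
        if attr not in KNOWN_BINARY and _is_text(raw):
            text, n = realm_re.subn(new, raw.decode("utf-8"))
            report["base64_text"] += n
            out.append(f"{attr}:: {_b64(text.encode('utf-8'))}")
        else:
            if old.encode("utf-8") in raw:
                report["binary_hits"].append((current_dn, attr))
            out.append(line)
    return "\n".join(out) + "\n", report


def attr_values(ldif: str, attr: str) -> list[bytes]:
    """Decoded values of one attribute, in dump order (used to verify a rewrite)."""
    found = []
    for line in unfold(ldif):
        m = _ATTR_RE.match(line)
        if m and m.group(1) == attr:
            found.append(base64.b64decode(m.group(3)) if m.group(2) == "::"
                         else m.group(3).encode("utf-8"))
    return found


# Constructed dump: one realm container and one principal.  The key bytes are
# dummies; the krbExtraData blob imitates a mod-principal record (type,
# timestamp, NUL-terminated modifier name) so that it carries the old realm.
SAMPLE_EXTRA_DATA = b"\x00\x02\x4c\x17\x4a\x3ckadmin/admin@MY.OLD.REALM\x00"
SAMPLE_LDIF = "\n".join([
    "dn: cn=MY.OLD.REALM,cn=krbContainer,dc=example,dc=com",
    "objectClass: top",
    "objectClass: krbRealmContainer",
    "cn: MY.OLD.REALM",
    "",
    "dn: krbPrincipalName=holger@MY.OLD.REALM,cn=MY.OLD.REALM,cn=krbContainer,d",
    " c=example,dc=com",
    "objectClass: krbPrincipal",
    "krbPrincipalName: holger@MY.OLD.REALM",
    "krbPrincipalKey:: " + _b64(b"\x30\x0c\x02\x01\x01\x02\x01\x01\x04\x04\xde\xad\xbe\xef"),
    "krbExtraData:: " + _b64(SAMPLE_EXTRA_DATA),
    "description:: " + _b64(b" note on MY.OLD.REALM"),
]) + "\n"

if __name__ == "__main__":
    new_ldif, rep = rename_realm(SAMPLE_LDIF, OLD_REALM, NEW_REALM)
    print(new_ldif)
    print("rewritten:", rep["plain"], "plain,", rep["base64_text"], "base64 text values")
    for dn, name in rep["binary_hits"]:
        print(f"left unchanged (binary, contains old realm): {name} in {dn}")
```

In the procedure from the post, this replaces the editor step: feed the file written by slapcat to rename_realm(), write the result to a new file, and hand that to slapadd; the untouched binary attributes are listed so nothing is changed silently. Two caveats a practitioner would want before doing this on a live realm: first, the default password-to-key salt in Kerberos 5 (RFC 4120) is the realm name followed by the principal name components, so password-derived keys stored under MY.OLD.REALM no longer match what clients derive for MY.NEW.REALM; unless a key entry carries an explicit salt, every password must be reset after the rename and every service keytab reissued, since keytab entries also name the old realm. Second, all tickets and credential caches issued for the old realm become useless, so plan the switch for a window where that is acceptable, and keep the slapcat dump of the old DIT until the renamed realm has been verified with kinit and a service login.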