I would like to know whether it's possible to rename a Kerberos realm
when all Kerberos-related info is stored in an LDAP DIT (OpenLDAP and
MIT Kerberos running on Debian Lenny AMD64)?
Reason for this is that I will move my KDC to a new internal subnet
(having a new internal DNS domain) and I would like my Kerberos realm
to be "in sync" with the new DNS domain name.
The Kerberos-related info is stored in an "ou" (organizationalUnit)
subtree named "krb5" (initially populated with kdb5_ldap_util).
Is it "safe" to
- shutdown both KDC and kadmin server
- shutdown OpenLDAP (/etc/init.d/slapd stop)
- dump the DIT (slapcat -l <file_name>)
- open DIT file in editor and change all occurrences from
MY.OLD.REALM to MY.NEW.REALM
- modify the realm name in /etc/krb5.conf and /etc/krb5kdc/kdc.conf
- delete old LDAP databases
- start OpenLDAP in order to obtain a fresh database
- shutdown OpenLDAP again (/etc/init.d/slapd stop)
- add DIT again (slapadd -l <file_name>)
- restart OpenLDAP (/etc/init.d/slapd start)
or did I forget any relevant step(s)/substep(s)?
Thanks in advance for sharing your thoughts & kind regards,
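The "open the dump in an editor and change all occurrences" step is the fragile part of the procedure above, because slapcat folds long lines and base64-encodes any value that is not plain printable text (marked with "::"), and some of those base64 values do carry the realm name: MIT's krbExtraData, for instance, stores the last-modifier principal (something@REALM) as binary tl-data. A search-and-replace over the raw LDIF misses those. The script below is an added example, not code from the post or from the MIT Kerberos or OpenLDAP projects: it unfolds the dump, rewrites the realm in plain values and inside decoded base64 values, re-encodes, and offers a counter to confirm nothing is left before slapadd. The realm names, the dc=example,dc=com suffix, the sample LDIF and the byte layout of the krbExtraData value are constructed for the example and are assumptions, not a reproduction of a real dump.

```python
"""Rewrite a Kerberos realm name throughout a slapcat LDIF dump, base64 values included.

Added example for the realm-rename procedure discussed in the post; not the
original poster's code. Realm names and sample data are placeholders.
"""
import base64
import re

OLD_REALM = "MY.OLD.REALM"   # placeholder names taken from the post
NEW_REALM = "MY.NEW.REALM"

# Attribute line: name, ":" (plain) or "::" (base64), optional space, value.
_ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def _realm_re(realm, binary=False):
    """Regex matching the realm only as a whole name, so SUB.MY.OLD.REALM is left alone."""
    pat = r"(?<![\w.-])" + re.escape(realm) + r"(?![\w.-])"
    return re.compile(pat.encode("ascii") if binary else pat)


def unfold(ldif_text):
    """Join LDIF continuation lines (leading single space) back onto the line above."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def rewrite_line(line, old=OLD_REALM, new=NEW_REALM):
    """Rewrite one unfolded line; base64 values are decoded, edited as bytes and re-encoded."""
    m = _ATTR_LINE.match(line)
    if not m:                      # blank line, comment, or something we do not understand
        return line
    attr, sep, value = m.groups()
    if sep == "::":
        raw = base64.b64decode(value)   # a malformed dump should raise here, not be skipped
        fixed = _realm_re(old, binary=True).sub(new.encode("ascii"), raw)
        if fixed == raw:
            return line                 # e.g. key material: leave the line byte-identical
        return f"{attr}:: {base64.b64encode(fixed).decode('ascii')}"
    return f"{attr}: {_realm_re(old).sub(new, value)}"


def rewrite_realm_ldif(ldif_text, old=OLD_REALM, new=NEW_REALM):
    """Return the dump with the realm renamed everywhere; output is unfolded (slapadd accepts long lines)."""
    return "\n".join(rewrite_line(line, old, new) for line in unfold(ldif_text)) + "\n"


def count_realm_occurrences(ldif_text, realm=OLD_REALM):
    """Count realm occurrences, looking inside base64 values too; expect 0 before running slapadd."""
    total = 0
    for line in unfold(ldif_text):
        m = _ATTR_LINE.match(line)
        if not m:
            continue
        _, sep, value = m.groups()
        if sep == "::":
            total += len(_realm_re(realm, binary=True).findall(base64.b64decode(value)))
        else:
            total += len(_realm_re(realm).findall(value))
    return total


def base64_value(ldif_text, attr):
    """Decoded bytes of the first base64-encoded value of attr, or None."""
    for line in unfold(ldif_text):
        m = _ATTR_LINE.match(line)
        if m and m.group(1) == attr and m.group(2) == "::":
            return base64.b64decode(m.group(3))
    return None


# Constructed sample resembling a slapcat dump of a kdb5_ldap_util tree (assumed layout).
# krbPrincipalKey: opaque key bytes that never contain the realm and must stay untouched.
# krbExtraData: assumed MIT tl-data shape, a 2-byte type, 4-byte timestamp, "modifier@REALM\0".
KEY_B64 = base64.b64encode(bytes(range(24))).decode("ascii")
EXTRA_B64 = base64.b64encode(
    b"\x02\x00" + b"\x4b\x3d\x00\x00" + b"kadmin/admin@MY.OLD.REALM\x00").decode("ascii")
SAMPLE_LDIF = f"""\
dn: cn=MY.OLD.REALM,cn=krbContainer,ou=krb5,dc=example,dc=com
objectClass: top
objectClass: krbRealmContainer
cn: MY.OLD.REALM
krbSubTrees: ou=people,dc=example,dc=com

dn: krbPrincipalName=krbtgt/MY.OLD.REALM@MY.OLD.REALM,cn=MY.OLD.REALM,cn=krbCo
 ntainer,ou=krb5,dc=example,dc=com
objectClass: krbPrincipal
objectClass: krbPrincipalAux
krbPrincipalName: krbtgt/MY.OLD.REALM@MY.OLD.REALM
krbPrincipalKey:: {KEY_B64}
krbExtraData:: {EXTRA_B64}
"""

if __name__ == "__main__":
    import sys
    # Usage: python rename_realm.py < old.ldif > new.ldif   (then check stderr reports 0)
    out = rewrite_realm_ldif(sys.stdin.read())
    sys.stdout.write(out)
    print(f"remaining occurrences of {OLD_REALM}: {count_realm_occurrences(out)}", file=sys.stderr)
```

Two caveats a practitioner would check before trusting the reloaded tree: every keytab issued under the old realm (/etc/krb5.keytab on the KDC and on all hosts) still names the old realm and must be regenerated, and MIT computes the string-to-key salt from the full principal name, realm included, whenever no explicit salt is stored with the key, so after the rename the keys stored for password-based principals will no longer match what clients derive from their passwords; plan for password resets rather than expecting user logins to keep working.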