On 26.09.23 at 15:38, Marc wrote:
I'm currently experimenting with (MIT) Kerberos and got to the point where
I need to add the Kerberos definitions to
LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-servers-2.6.6-1.el9.x86_64.)
First question: is this the correct schema file or should I use the one
provided by MIT Kerberos 1.20.1
(/usr/share/doc/krb5-server-ldap/kerberos.ldif)?
If I use krb5-kdc.ldif I get the following:
[root@gateway ~]# cd /opt/symas/etc/openldap/schema/
[root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=krb5-kdc,cn=schema,cn=config"
ldap_add: Constraint violation (19)
additional info: structuralObjectClass: no user modification allowed
This is what works (recently tested) when I create containers, see if this one
works (this is everything on one line)
ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f sendmail.ldif
This worked but your sendmail.ldif doesn't contain 'structuralObjectClass' like krb5-kdc.ldif does. krb5-kdc.ldif also
contains lines with 'structuralObjectClass', 'entryUUID', 'creatorsName', 'createTimestamp', 'modifiersName',
'modifyTimestamp' and 'entryCSN'.
Is my fundamental error here that krb5-kdc.ldif needs to be added by slapadd
instead of ldapadd?
Having a closer look at kerberos.ldif I see that there are no lines containing 'olc'. It seems that this is still in the
old 'schema' format although kerberos.ldif and kerberos.schema provided by MIT differ… I'm getting the impression that
both files are still for the old 'slapd.conf' configuration style, one to be used with slapadd, the other with ldapadd.
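The "no user modification allowed" error in the thread comes from the operational attributes (structuralObjectClass, entryUUID, entryCSN and friends) that slapcat writes into an export; slapd maintains those itself and refuses them over LDAP, while slapadd would accept them. The following POSIX sh script is an added example, not code from the thread or from Symas/MIT: it strips those attributes so the entry can be loaded with ldapadd, and the sample LDIF it operates on is constructed, with a placeholder attribute definition rather than the real Kerberos schema.

```shell
#!/bin/sh
# Added example, not from the thread: strip the operational attributes that
# slapcat writes into an exported schema entry so that ldapadd accepts the file.
# Assumes only POSIX sh and awk. The sample LDIF below is constructed.

# Attributes slapd maintains itself; ldapadd rejects them with
# "structuralObjectClass: no user modification allowed" (Constraint violation 19).
OPERATIONAL_ATTRS="structuralObjectClass entryUUID creatorsName createTimestamp modifiersName modifyTimestamp entryCSN"

# Filter LDIF from stdin to stdout, dropping the attributes above.
# LDIF folds long values onto following lines that begin with a space, so a
# continuation line belonging to a dropped attribute is dropped as well.
strip_operational_attrs() {
    awk -v attrs="$OPERATIONAL_ATTRS" '
        BEGIN { n = split(attrs, a, " "); for (i = 1; i <= n; i++) drop[tolower(a[i])] = 1 }
        /^ /  { if (!skipping) print; next }       # folded continuation line
        {
            skipping = 0
            if (match($0, /^[A-Za-z][A-Za-z0-9;-]*::?/)) {   # "name:" or "name::"
                name = substr($0, 1, RLENGTH); sub(/::?$/, "", name)
                if (tolower(name) in drop) { skipping = 1; next }
            }
            print
        }'
}

# Constructed sample shaped like a slapcat export of a cn=config schema entry;
# the attribute definition is a placeholder, not the real Kerberos schema.
sample_ldif() {
    cat <<'EOF'
dn: cn=krb5-kdc,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: krb5-kdc
olcAttributeTypes: ( 1.1.1 NAME 'exampleAttr'
  DESC 'placeholder attribute, not the real Kerberos schema'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20230926133800Z
entryCSN: 20230926133800.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20230926133800Z
EOF
}

# The cleaned entry, ready for: ldapadd -Y EXTERNAL -H ldapi:/// -f cleaned.ldif
cleaned_ldif() { sample_ldif | strip_operational_attrs; }
```

For a real file, run `strip_operational_attrs < krb5-kdc.ldif > cleaned.ldif` and feed the result to ldapadd; loading the unstripped export requires slapadd against the config database with slapd stopped.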