krb5 / ldap: correspondência de nome de domínio com nomeação de diretórioContext

Question

O nome não precisa corresponder. Você só precisa obter as permissões corretas.

Este é um exemplo funcional, embora não ideal, deste conceito:

$ ldapsearch -Q -LLL -h ldap1.example.com -b cn=krbcontainer -s one objectclass @krbRealmContainer
dn: cn=EXAMPLE.COM,cn=krbContainer
cn: EXAMPLE.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: ou=people,dc=example,dc=com

dn: cn=kadmin-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kadmin-service

dn: cn=kdc-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kdc-service



ldap1 ~ # cat /etc/krb5.conf
#krb5.conf
[libdefaults]

[realms]
EXMAPLE.COM = {
        admin_server = ldap1.example.com
        kdc = ldap1.example.com
        database_module = openldap_ldapconf
}

[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH

[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer

[dbmodules]
openldap_ldapconf = {
        db_library = ldap
        ldap_kerberos_container_dn = cn=krbContainer
        ldap_kdc_dn = "cn=kdc-service,cn=krbContainer"
        # this object needs to have read rights on
        # the realm container and principal subtrees
        ldap_kadmind_dn = "cn=kadmin-service,cn=krbContainer"
        # this object needs to have read and write rights on
        # the realm container and principal subtrees
        ldap_service_password_file = /etc/krb5kdc.keyfile
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
}

Answer 1

O nome não precisa corresponder. Você só precisa obter as permissões corretas.

Este é um exemplo funcional, embora não ideal, deste conceito:

$ ldapsearch -Q -LLL -h ldap1.example.com -b cn=krbcontainer -s one objectclass @krbRealmContainer
dn: cn=EXAMPLE.COM,cn=krbContainer
cn: EXAMPLE.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: ou=people,dc=example,dc=com

dn: cn=kadmin-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kadmin-service

dn: cn=kdc-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kdc-service



ldap1 ~ # cat /etc/krb5.conf
#krb5.conf
[libdefaults]

[realms]
EXMAPLE.COM = {
        admin_server = ldap1.example.com
        kdc = ldap1.example.com
        database_module = openldap_ldapconf
}

[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH

[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer

[dbmodules]
openldap_ldapconf = {
        db_library = ldap
        ldap_kerberos_container_dn = cn=krbContainer
        ldap_kdc_dn = "cn=kdc-service,cn=krbContainer"
        # this object needs to have read rights on
        # the realm container and principal subtrees
        ldap_kadmind_dn = "cn=kadmin-service,cn=krbContainer"
        # this object needs to have read and write rights on
        # the realm container and principal subtrees
        ldap_service_password_file = /etc/krb5kdc.keyfile
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
}

krb5 / ldap: correspondência de nome de domínio com nomeação de diretórioContext

Responder1

informação relacionada