
Re: importing an existing base into ldap




On 21 May 2008 at 08:06, Guillaume Rousse wrote:

> Hello list.
>
> I'm trying to set up an LDAP backend for Heimdal. I was interested in
> being able to import an already existing one, if possible.
>
> I created a principal in my LDAP backend, corresponding to one already
> present in my existing base, and copied the two numerical values
> (fields 4 and 8 using : as field separator) found in the database dump
> looking like encrypted keys into the LDAP krb5Key attribute. However,
> it doesn't work:
> [rousse@stalingrad Desktop]$ kinit
> rousse@SACLAY.INRIA.FR's Password:
> kinit: krb5_get_init_creds: KDC has no support for encryption type
>
> Of course, the database key is the same.
>
> Am I over-optimistic here :) ?

It's possible for sure. Your problem is that the kadmin dump produces
something different from what the LDAP backend code expects.

The easiest way to deal with this is to patch lib/hdb/print.c so that
instead of printing :mkvno:enctype:keydata it dumps
:mkvno:enctype:hexcode(der-code(Key))

This should not be a hard problem.

Compare lib/hdb/print.c:entry2string_int() and
lib/hdb/hdb-ldap:LDAP_entry2mods() around:

	    ASN1_MALLOC_ENCODE(Key, buf, buf_size, &ent->entry.keys.val[i], &len, ret);

Love
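As an added illustration of the mismatch Love describes (this is example code, not from the thread or from Heimdal): a converter that takes one key field from a kadmin dump and produces the hex-encoded DER Key that the LDAP backend's ASN1_MALLOC_ENCODE(Key, ...) would have written. It assumes the Key/EncryptionKey ASN.1 layout from Heimdal's hdb.asn1 and krb5.asn1 as recalled here (explicit context tags, salt omitted) and the mkvno:enctype:keydata field order from the message above; the function names and the sample field are mine.

```python
import binascii

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(body)) + body

def der_integer(v):
    # Non-negative INTEGER with a minimal body (a leading 0x00 is added
    # automatically when the high bit of the top byte is set).
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def ctx(n, inner):
    # EXPLICIT context tag [n], constructed, wrapping an encoded element.
    return tlv(0xA0 | n, inner)

def encode_key(mkvno, enctype, keydata):
    # Assumed layout (hdb.asn1 / krb5.asn1):
    #   Key ::= SEQUENCE { mkvno[0] INTEGER OPTIONAL,
    #                      key[1] EncryptionKey, salt[2] Salt OPTIONAL }
    #   EncryptionKey ::= SEQUENCE { keytype[0] INTEGER,
    #                                keyvalue[1] OCTET STRING }
    # The salt component is left out here.
    enc_key = tlv(0x30, ctx(0, der_integer(enctype)) + ctx(1, tlv(0x04, keydata)))
    body = b"" if mkvno is None else ctx(0, der_integer(mkvno))
    return tlv(0x30, body + ctx(1, enc_key))

def dump_field_to_krb5key_hex(field):
    """'mkvno:enctype:hexkey' from a kadmin dump -> hex(DER(Key))."""
    mkvno_s, enctype_s, hexkey = field.split(":")
    mkvno = None if mkvno_s in ("", "-") else int(mkvno_s)
    der = encode_key(mkvno, int(enctype_s), binascii.unhexlify(hexkey))
    return binascii.hexlify(der).decode()

# Constructed sample, not a real key: mkvno 1, enctype 1, 8-byte key data.
SAMPLE_FIELD = "1:1:0102030405060708"

if __name__ == "__main__":
    print(dump_field_to_krb5key_hex(SAMPLE_FIELD))
```

The raw hex keydata from the dump and this output differ precisely by the SEQUENCE/tag wrapping, which is why a bare keydata value pasted into krb5Key leaves the KDC with no decodable key.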