[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: importing an existing base into ldap

To: heimdal-discuss@sics.se, Guillaume Rousse <Guillaume.Rousse@inria.fr>
Subject: Re: importing an existing base into ldap
From: Love Hörnquist Åstrand <lha@kth.se>
Date: Tue, 27 May 2008 22:34:38 -0700
Cc: Javier Palacios <javiplx@gmail.com>
In-Reply-To: <483BF6F6.9080804@inria.fr>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <48343A75.2020100@inria.fr> <a64bf030805220055v221c1f4m8c771bc69684fc8f@mail.gmail.com> <48352B55.60606@inria.fr> <a64bf030805220121j1d4ea83l9c6dcf7485b6b1ba@mail.gmail.com> <4836CDD8.3020204@inria.fr> <a64bf030805250256i5a9101a4xc6bbfa3f63a51e69@mail.gmail.com> <483BF6F6.9080804@inria.fr>
Reply-To: heimdal-discuss@sics.se, Love Hörnquist Åstrand <lha@kth.se>


27 maj 2008 kl. 04.56 skrev Guillaume Rousse:

> Javier Palacios a écrit :
>>> 2008-05-23T15:38:48 hdb_store: ldap_add_s: noe@LILLE.FUTURS.INRIA.FR
>>> (DN
>>> =
>>> krb5PrincipalName
>>> =noe@LILLE.FUTURS.INRIA.FR,ou=kerberos,dc=futurs,dc=inria,dc=fr-NEW)
>>> Server is unwilling to perform: no global superior knowledge
>>>
>> No idea about the -NEW but another alternative approach. It is so
>> obvious that might be not attempted. Just dump your current KDC,  
>> setup
>> a new heimdal-ldap and restore the principals from the dump.
> I sometimes feel stupid...
>
> OK, it works, but it chokes on some principals, by trying to create  
> entries without the attribute used in the DN:
>
> kadmin: db_store: ldap_modify_s: http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR 
>  (DN=krb5PrincipalName=HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR 
> ,ou=kerberos,dc=futurs,dc=inria,dc=fr) Naming violation: value of  
> naming attribute 'krb5PrincipalName' is not present in entry
>
> Looking at the dump, it seems to be a case issue, as I got a HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR 
>  principal, imported correctly, followed by a http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR 
>  one, which triggered
> the error.
>
> According to the ldap schema, krb5PrincipalName is case sensitive  
> (EQUALITY caseExactIA5Match), so should be the DN also.

Can you remove the lowercase entry and make the dump pass ? The  
lowercase http/fqdn should only be used by older safari's (if I  
remember correctly)

Love

Follow-Ups:
- Re: importing an existing base into ldap
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: importing an existing base into ldap
  - From: "Henry B. Hotz" <hotz@jpl.nasa.gov>

References:
- importing an existing base into ldap
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: importing an existing base into ldap
  - From: "Javier Palacios" <javiplx@gmail.com>
- Re: importing an existing base into ldap
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: importing an existing base into ldap
  - From: "Javier Palacios" <javiplx@gmail.com>
- Re: importing an existing base into ldap
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: importing an existing base into ldap
  - From: "Javier Palacios" <javiplx@gmail.com>
- Re: importing an existing base into ldap
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>

Prev by Date: Re: smbk5pwd crash for missing symbol
Next by Date: Re: kx does not work in default OSX X11 environment
Prev by thread: Re: importing an existing base into ldap
Next by thread: Re: importing an existing base into ldap
Index(es):
- Date
- Thread