
Re: importing an existing base into ldap

On May 27, 2008, at 10:34 PM, Love Hörnquist Åstrand wrote:

> On 27 May 2008 at 04:56, Guillaume Rousse wrote:
>> Javier Palacios wrote:
>>>> 2008-05-23T15:38:48 hdb_store: ldap_add_s: (DN=krb5PrincipalName=noe@LILLE.FUTURS.INRIA.FR,ou=kerberos,dc=futurs,dc=inria,dc=fr-NEW) Server is unwilling to perform: no global superior knowledge
>>> No idea about the -NEW, but here is another alternative approach. It is so obvious that it might not have been attempted. Just dump your current KDC, set up a new heimdal-ldap and restore the principals from the dump.
>> I sometimes feel stupid...
>> OK, it works, but it chokes on some principals, by trying to create entries without the attribute used in the DN:
>> kadmin: db_store: ldap_modify_s: http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR (DN=krb5PrincipalName=HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR,ou=kerberos,dc=futurs,dc=inria,dc=fr) Naming violation: value of naming attribute 'krb5PrincipalName' is not present in entry
>> Looking at the dump, it seems to be a case issue, as I got an HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR principal, imported correctly, followed by an http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR one, which triggered the error.
>> According to the LDAP schema, krb5PrincipalName is case sensitive (EQUALITY caseExactIA5Match), so the DN should be as well.
> Can you remove the lowercase entry and make the dump pass? The lowercase http/fqdn should only be used by older Safaris (if I remember correctly).
> Love

Pretty sure that's right: Safari 2 in early Tiger. Safari 1 in Panther did something even more broken. They seem to have it right now (late Tiger and Leopard).

The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
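A pre-import check for the case collision discussed in this thread, as an added example that is not part of the thread or of Heimdal: it reads a Heimdal text dump, assumes only that the first whitespace-separated field of each line is the principal name (the sample lines are constructed), reports principals that differ only in case, and strips the lowercase variants so the dump can be loaded into the LDAP backend.

```python
from collections import defaultdict

# Constructed sample in the shape of a Heimdal `kadmin dump` (not real data).
# Assumption: each non-comment line begins with the principal name; the
# key/flag fields that follow are irrelevant to this check and are elided.
SAMPLE_DUMP = """\
noe@LILLE.FUTURS.INRIA.FR <keys and flags omitted>
HTTP/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR <keys and flags omitted>
http/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR <keys and flags omitted>
host/ovirt2.lille.inria.fr@LILLE.FUTURS.INRIA.FR <keys and flags omitted>
"""

def parse_principals(dump_text):
    """Principal names in dump order, skipping blank and comment lines."""
    names = []
    for line in dump_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.append(line.split(None, 1)[0])
    return names

def find_case_collisions(principals):
    """Group by case-folded name; keep groups with more than one spelling.
    These are the entries the LDAP import reported a naming violation on."""
    groups = defaultdict(list)
    for name in principals:
        groups[name.lower()].append(name)
    return {key: names for key, names in groups.items() if len(names) > 1}

def principals_to_drop(collisions):
    """Thread heuristic: in a colliding group drop the variants whose service
    part (before '/') is all lowercase, provided another spelling remains."""
    drop = []
    for variants in collisions.values():
        lower = [v for v in variants if "/" in v and v.split("/", 1)[0].islower()]
        if lower and len(lower) < len(variants):
            drop.extend(lower)
    return drop

def filter_dump(dump_text, drop):
    """The dump text with the lines for the dropped principals removed."""
    drop = set(drop)
    kept = [ln for ln in dump_text.splitlines()
            if not ln.strip() or ln.lstrip().startswith("#")
            or ln.split(None, 1)[0] not in drop]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    hits = find_case_collisions(parse_principals(SAMPLE_DUMP))
    print("collisions:", hits, "\ndropping:", principals_to_drop(hits))
```

Run it against the real dump before `kadmin load`, and review the proposed drop list by hand: a principal that only exists in lowercase is left alone, since nothing would remain to keep.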