

4.16 Using LDAP to store the database

This document describes how to install the LDAP backend for Heimdal. Note that before attempting to configure such an installation, you should be aware of the implications of storing private information (such as users' keys) in a directory service primarily designed for public information. Nonetheless, with a suitable authorisation policy, it is possible to set this up in a secure fashion. A knowledge of LDAP, Kerberos, and C is necessary to install this backend. The HDB schema was devised by Leif Johansson.

This assumes OpenLDAP 2.3 or later.

Requirements:

4.16.1 smbk5pwd overlay

The smbk5pwd overlay updates the krb5Key and krb5KeyVersionNumber attributes whenever it receives an LDAP Password Modify extended operation, so a password changed through LDAP stays in step with the Kerberos keys:

http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0
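As an added example (not from the Heimdal manual or the smbk5pwd README), here is a minimal slapd.conf and krb5.conf pairing for the setup described above. The suffix dc=example,dc=com, the KDC bind identity uid=heimdal,dc=example,dc=com, the container ou=KerberosPrincipals, the module and schema paths and the authz-regexp mapping (which assumes the KDC binds as root over ldapi:// with SASL EXTERNAL, Heimdal's default) are all assumptions, and the placement of hdb-ldap-structural-object should be confirmed against krb5.conf(5) for the Heimdal version in use. The access rules are the part that answers the warning at the top of this section: krb5Key is as sensitive as a cleartext password and must not be readable by anonymous or ordinary users.

```conf
# --- slapd.conf fragment (assumed path /etc/openldap/slapd.conf) ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/hdb.schema        # Heimdal HDB schema (assumed install path)

modulepath      /usr/lib/openldap                      # assumed
moduleload      smbk5pwd.la

# Map the KDC/kadmind process (root over ldapi://, SASL EXTERNAL) to the
# identity that the ACLs below grant key access to.
authz-regexp    gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
                "uid=heimdal,dc=example,dc=com"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

# Keep krb5Key/krb5KeyVersionNumber in step with LDAP Password Modify requests.
overlay         smbk5pwd
smbk5pwd-enable krb5

# Kerberos keys are secrets: only the KDC/kadmind identity may read or write
# them, nobody else gets even "auth". These rules must precede the catch-all.
access to attrs=krb5Key,krb5KeyVersionNumber
        by dn.exact="uid=heimdal,dc=example,dc=com" write
        by * none
# A user changing their own userPassword is what makes the overlay re-derive
# the Kerberos keys; "auth" is still needed for simple binds.
access to attrs=userPassword
        by dn.exact="uid=heimdal,dc=example,dc=com" write
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# --- krb5.conf fragment ---
[kdc]
    database = {
        dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
        acl_file = /etc/heimdal/kadmind.acl     # assumed path
        mkey_file = /etc/heimdal/m-key          # assumed path
    }
    # Object class used when kadmin creates a new entry; check krb5.conf(5)
    # for where your Heimdal version expects this key.
    hdb-ldap-structural-object = inetOrgPerson
```

After restarting slapd, an ldapsearch for krb5Key bound as an ordinary user should return the entry without that attribute; if it comes back, the ACL ordering is wrong and the keys are exposed.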

4.16.2 Troubleshooting guide

https://sec.miljovern.no/bin/view/Info/TroubleshootingGuide

4.16.3 Using Samba LDAP password database

The Samba domain and the Kerberos realm can have different names, because the arcfour (rc4-hmac) string-to-key function does not depend on the principal or the realm: the key is simply the NT hash, MD4 over the UTF-16LE password, with no salt, which is exactly what Samba stores in sambaNTPassword. So this is your first and only chance to name your Kerberos realm without having to deal with old configuration files.
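The following is an added example, not code from the Heimdal manual or the Heimdal project, showing why the arcfour key is realm-independent while the aes keys are not. It implements RFC 4757's rc4-hmac string-to-key (MD4 of the UTF-16LE password) with a pure-Python MD4, since hashlib's md4 is missing on OpenSSL 3 builds without the legacy provider, and contrasts it with the first stage of the RFC 3962 aes string-to-key, PBKDF2-HMAC-SHA1 over a salt built from realm and principal (the final AES-based DK step is omitted; it is a deterministic function of this value, so the realm dependence is already visible). The password, principal and realm names are constructed test inputs. The security caveat this makes concrete: because the rc4-hmac key is an unsalted NT hash, it is as cheap to crack offline as the Samba hash and can be reused directly by anyone who reads it, so the krb5Key ACLs matter as much as the ones on sambaNTPassword.

```python
import hashlib
import struct

_M32 = 0xFFFFFFFF


def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & _M32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4: little-endian, three rounds of sixteen steps."""
    bit_len = len(data) * 8
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        # (boolean function, additive constant, word order, rotation amounts)
        (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
         tuple(range(16)), (3, 7, 11, 19)),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for f, k, order, shifts in rounds:
            for i, w in enumerate(order):
                # One step updates "a"; rotating the registers afterwards gives
                # the a,d,c,b update order of the specification.
                a = _rol((a + f(b, c, d) + x[w] + k) & _M32, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & _M32, (b + bb) & _M32,
                      (c + cc) & _M32, (d + dd) & _M32)
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_string_to_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 over the UTF-16LE password. There is no
    salt, so principal and realm are not inputs at all; the result is the
    Windows NT hash that Samba keeps in sambaNTPassword."""
    return md4(password.encode("utf-16-le"))


def aes_string_to_key_stage1(password: str, principal: str, realm: str,
                             iterations: int = 4096) -> bytes:
    """First stage of the RFC 3962 aes string-to-key: PBKDF2-HMAC-SHA1 with the
    default salt, the realm name followed by the principal's name components
    with no separators. The DK(tkey, "kerberos") step that needs AES is left
    out here (assumption: we only need to show the salt dependence)."""
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, 16)


def realm_sensitivity(password: str, principal: str, realm_a: str,
                      realm_b: str) -> dict:
    """Same password and principal under two realm names: rc4-hmac cannot
    change (the realm is not an input); the aes intermediate key does."""
    aes_a = aes_string_to_key_stage1(password, principal, realm_a)
    aes_b = aes_string_to_key_stage1(password, principal, realm_b)
    return {
        "rc4_hmac_key": rc4_hmac_string_to_key(password).hex(),
        "aes_stage1_differs_across_realms": aes_a != aes_b,
    }


if __name__ == "__main__":
    # Constructed inputs: a throwaway password and realm names, not real data.
    print(realm_sensitivity("password", "alice", "EXAMPLE.COM", "OLDNAME.LOCAL"))
```

The rc4_hmac_key printed for "password" is the familiar NT hash 8846f7eaee8fb117ad06bdd830b7586c, which is why an existing sambaNTPassword can be used as a Kerberos arcfour key without knowing the cleartext.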

First, you should set up Samba and get that working with LDAP backend.

Now you can proceed as described in Using LDAP to store the database. Heimdal will pick up the Samba LDAP entries if they are in the same search space as the Kerberos entries.