To store krb5 principal entries in LDAP, does the LDAP naming context (root base DN) have to match the realm name?

Can the principals of the realm HQ.EXAMPLE.ORG be stored in the naming context dc=example,dc=org of the directory tree?
The names do not need to match at all. You only need to have the permissions.

Here is a working, though not ideal, example:
$ ldapsearch -Q -LLL -h ldap1.example.com -b cn=krbcontainer -s one '(objectclass=*)' @krbRealmContainer
dn: cn=EXAMPLE.COM,cn=krbContainer
cn: EXAMPLE.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: ou=people,dc=example,dc=com

dn: cn=kadmin-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kadmin-service

dn: cn=kdc-service,cn=krbContainer
objectClass: krbKdcService
objectClass: simpleSecurityObject
cn: kdc-service

ldap1 ~ # cat /etc/krb5.conf
#krb5.conf
[libdefaults]

[realms]
# realm name must match the cn of the realm container above
EXAMPLE.COM = {
    admin_server = ldap1.example.com
    kdc = ldap1.example.com
    database_module = openldap_ldapconf
}

[logging]
kdc = SYSLOG:INFO:AUTH
admin_server = SYSLOG:INFO:AUTH

[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer

[dbmodules]
openldap_ldapconf = {
    db_library = ldap
    ldap_kerberos_container_dn = cn=krbContainer
    ldap_kdc_dn = "cn=kdc-service,cn=krbContainer"
    # this object needs to have read rights on
    # the realm container and principal subtrees
    ldap_kadmind_dn = "cn=kadmin-service,cn=krbContainer"
    # this object needs to have read and write rights on
    # the realm container and principal subtrees
    ldap_service_password_file = /etc/krb5kdc.keyfile
    ldap_servers = ldapi:///
    ldap_conns_per_server = 5
}
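An added example, not part of the answer above, of the OpenLDAP access rules that the two comments in that krb5.conf describe. It assumes a cn=config setup in which cn=krbContainer is its own suffix in olcDatabase={1}mdb and dc=example,dc=com lives in olcDatabase={2}mdb; both database indices are assumptions.

```ldif
# Added example, not from the original answer. Assumed database indices:
# {1}mdb holds the suffix cn=krbContainer, {2}mdb holds dc=example,dc=com.
# Rules are inserted at position {0}/{1} so they are evaluated before any
# broader "by * read" rule that may already exist in the database.

# Realm container: the service objects bind with userPassword, kadmind
# writes everything, the KDC only reads, nobody else sees the container.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="cn=krbContainer"
  by dn.exact="cn=kadmin-service,cn=krbContainer" write
  by dn.exact="cn=kdc-service,cn=krbContainer" read
  by * none

# Principal subtree (the krbSubTrees value of the realm entry): long-term
# keys must be readable only by the two Kerberos service identities, and
# any other existing rules for ordinary users keep applying via "break".
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=example,dc=com"
  attrs=krbPrincipalKey,krbExtraData
  by dn.exact="cn=kadmin-service,cn=krbContainer" write
  by dn.exact="cn=kdc-service,cn=krbContainer" read
  by * none
-
add: olcAccess
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  by dn.exact="cn=kadmin-service,cn=krbContainer" write
  by dn.exact="cn=kdc-service,cn=krbContainer" read
  by * none break
```

Before applying, list the existing rules with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess` so the chosen positions do not shadow or get shadowed by rules already in place.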