I have installed and configured LDAP, and installed and configured Kerberos to use LDAP as its backend, as follows:

[dbdefaults]
    ldap_kerberos_container_dn = dc=voltage,dc=com
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
        # this object needs to have read rights on
        # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
        # this object needs to have read and write rights on
        # the realm container, principal container and realm sub-trees
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldap://ldap.voltage.com
        ldap_conns_per_server = 5
    }
But when I go into kadmin.local and try:
addprinc -x dn="uid=sam,ou=ssn,dc=voltage,dc=com" sam
I get
add_principal: Unsupported argument "dn=uid=sam,ou=ssn,dc=voltage,dc=com" for db2 while creating "[email protected]".
This means kadmin is trying to add the principal to db2 rather than to the LDAP backend, right?
I also did:

sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees \
    dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com
sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f \
    /etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

After renaming example to voltage, both commands ran successfully and reported that the new REALM was created.
Any help is appreciated.
I got the same error until I updated my /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf to add database_module under the realm section and to add the dbdefaults and dbmodules sections. I am using RHEL 6; below are examples based on my krb5.conf and kdc.conf.

/etc/krb5.conf

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmind.log

[libdefaults]
    default_realm = VOLTAGE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true

[realms]
    VOLTAGE.COM = {
        kdc = server1.voltage.com
        admin_server = server1.voltage.com
        default_domain = voltage.com
        database_module = openldap_ldapconf
    }

[domain_realm]
    .voltage.com = VOLTAGE.COM
    voltage.com = VOLTAGE.COM

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

[dbdefaults]
    ldap_kerberos_container_dn = dc=voltage,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
        ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
        ldap_servers = ldaps://ldap.voltage.com
        ldap_conns_per_server = 5
    }

/var/kerberos/krb5kdc/kdc.conf

[kdcdefaults]
    kdc_ports = 88
    kdc_tcp_ports = 88

[realms]
    VOLTAGE.COM = {
        database_module = openldap_ldapconf
        master_key_type = aes256-cts
        key_stash_file = /var/kerberos/krb5kdc/.k5.VOLTAGE.COM
        acl_file = /var/kerberos/krb5kdc/kadm5.acl
        dict_file = /usr/share/dict/words
        admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
    }

[dbdefaults]
    ldap_kerberos_container_dn = dc=voltage,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
        ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
        ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
        ldap_servers = ldaps://ldap.voltage.com
        ldap_conns_per_server = 5
    }

Then restart the Kerberos server processes and add your user principals.
Hope that helps!
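As an added illustration of the point made in this answer (this is not code from the question or from any Kerberos tool), here is a small Python checker that parses krb5.conf-style sections and reports why kadmin would still use db2: the realm entry under [realms] has no database_module pointing at the [dbmodules] block, or that block is incomplete. The sample configs are constructed from the question's values, and the function names parse_krb5_conf and diagnose are my own.

```python
def parse_krb5_conf(text):
    """Parse krb5.conf-style text: [section] headers, key = value lines, one level of name = { } blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = conf.setdefault(line[1:-1], {})
        elif line == "}":
            block = None  # close the current named block
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})  # open a named block
            else:
                (block if block is not None else section)[key] = value.strip('"')
    return conf

def diagnose(conf, realm):
    """List the reasons kadmin would fall back to the default db2 backend."""
    module = conf.get("realms", {}).get(realm, {}).get("database_module")
    if module is None:
        return [f"[realms] {realm} has no database_module, so db2 is used"]
    mod = conf.get("dbmodules", {}).get(module)
    if mod is None:
        return [f"database_module {module} is not defined in [dbmodules]"]
    problems = [] if mod.get("db_library") == "kldap" else [f"{module}: db_library is not kldap"]
    for key in ("ldap_kdc_dn", "ldap_kadmind_dn", "ldap_service_password_file", "ldap_servers"):
        if key not in mod:
            problems.append(f"{module}: missing {key}")
    return problems

# Constructed sample modelled on the question: [dbmodules] exists but the realm never references it.
BROKEN = """
[realms]
VOLTAGE.COM = {
    kdc = server1.voltage.com
    admin_server = server1.voltage.com
}
[dbmodules]
openldap_ldapconf = {
    db_library = kldap
    ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
    ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
    ldap_service_password_file = /etc/krb5kdc/service.keyfile
    ldap_servers = ldaps://ldap.voltage.com
}
"""
# The fix from this answer: point the realm at the LDAP module.
FIXED = BROKEN.replace("admin_server = server1.voltage.com", "admin_server = server1.voltage.com\n    database_module = openldap_ldapconf")
```

Running diagnose on BROKEN names the missing database_module, while FIXED returns no findings; a [dbmodules] block missing one of the ldap_* keys is reported key by key.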
Maybe you are missing "database_module = openldap_ldapconf" in your realm

[realms]
    BEISPIEL.DE = {
        kdc = kdc01.beispiel.de
        kdc = kdc02.beispiel.de
        admin_server = kdc01.beispiel.de
        admin_server = kdc02.beispiel.de
        default_domain = beispiel.de
        database_module = openldap_ldapconf # MISSING!?!?!?!
    }