ipa-kdb: Change install to use the new ipa-kdb kdc backend

Use ipakdb instead of kldap and change install procedures accordingly Note that we do not need to store the master key in a keytab as we can read it off of ldap in our driver.
2025-02-25 18:55:28 -06:00 · 2011-06-08 17:21:23 -04:00
parent 35e15f6c91
commit 195a65d5c2
8 changed files with 60 additions and 166 deletions
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -13,8 +13,6 @@ app_DATA =				\
 	caJarSigningCert.cfg.template	\
 	default-aci.ldif		\
 	default-hbac.ldif		\
-	default-keytypes.ldif		\
-	default-pwpolicy.ldif		\
 	delegation.ldif			\
 	replica-acis.ldif		\
 	ds-nfiles.ldif			\
--- a/install/share/default-keytypes.ldif
+++ b/install/share/default-keytypes.ldif
@@ -1,33 +0,0 @@
-#kerberos keytypes
-dn: cn=$REALM,cn=kerberos,$SUFFIX
-changetype: modify
-add: krbSupportedEncSaltTypes
-krbSupportedEncSaltTypes: aes256-cts:normal
-krbSupportedEncSaltTypes: aes256-cts:special
-krbSupportedEncSaltTypes: aes128-cts:normal
-krbSupportedEncSaltTypes: aes128-cts:special
-krbSupportedEncSaltTypes: des3-hmac-sha1:normal
-krbSupportedEncSaltTypes: des3-hmac-sha1:special
-krbSupportedEncSaltTypes: arcfour-hmac:normal
-krbSupportedEncSaltTypes: arcfour-hmac:special
-krbSupportedEncSaltTypes: des-hmac-sha1:normal
-krbSupportedEncSaltTypes: des-cbc-md5:normal
-krbSupportedEncSaltTypes: des-cbc-crc:normal
-krbSupportedEncSaltTypes: des-cbc-crc:v4
-krbSupportedEncSaltTypes: des-cbc-crc:afs3
-
-add: krbMaxTicketLife
-krbMaxTicketLife: 86400
-
-add: krbMaxRenewableAge
-krbMaxRenewableAge: 604800
-
-#kerberos keytypes
-dn: cn=$REALM,cn=kerberos,$SUFFIX
-changetype: modify
-add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:special
-krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:special
-
--- a/install/share/default-pwpolicy.ldif
+++ b/install/share/default-pwpolicy.ldif
@@ -1,14 +0,0 @@
-dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
-changetype: add
-objectClass: top
-objectClass: nsContainer
-objectClass: krbPwdPolicy
-krbMinPwdLife: 3600
-krbPwdMinDiffChars: 0
-krbPwdMinLength: 8
-krbPwdHistoryLength: 0
-krbMaxPwdLife: 7776000
-krbPwdMaxFailure: 6
-krbPwdFailureCountInterval: 60
-krbPwdLockoutDuration: 600
-
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -6,7 +6,6 @@
 [realms]
 $REALM = {
  master_key_type = aes256-cts
-  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
  max_life = 7d
  max_renewable_life = 14d
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
--- a/install/share/kerberos.ldif
+++ b/install/share/kerberos.ldif
@@ -16,3 +16,42 @@ objectClass: top
 cn: kerberos
 aci: (targetattr="*")(version 3.0; acl "KDC System Account"; allow (all) userdn= "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)

+#Realm base object
+dn: cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+cn: $REALM
+objectClass: top
+objectClass: krbrealmcontainer
+objectClass: krbticketpolicyaux
+krbSubTrees: $SUFFIX
+krbSearchScope: 2
+krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes256-cts:special
+krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:special
+krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:special
+krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: arcfour-hmac:special
+krbMaxTicketLife: 86400
+krbMaxRenewableAge: 604800
+krbDefaultEncSaltTypes: aes256-cts:special
+krbDefaultEncSaltTypes: aes128-cts:special
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
+krbDefaultEncSaltTypes: arcfour-hmac:special
+
+# Default password Policy
+dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
+changetype: add
+objectClass: top
+objectClass: nsContainer
+objectClass: krbPwdPolicy
+krbMinPwdLife: 3600
+krbPwdMinDiffChars: 0
+krbPwdMinLength: 8
+krbPwdHistoryLength: 0
+krbMaxPwdLife: 7776000
+krbPwdMaxFailure: 6
+krbPwdFailureCountInterval: 60
+krbPwdLockoutDuration: 600
+
--- a/install/share/krb5.conf.template
+++ b/install/share/krb5.conf.template
@@ -31,11 +31,6 @@

 [dbmodules]
  $REALM = {
-    db_library = kldap
-    ldap_servers = ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket
-    ldap_kerberos_container_dn = cn=kerberos,$SUFFIX
-    ldap_kdc_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
-    ldap_kadmind_dn = uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX
-    ldap_service_password_file = /var/kerberos/krb5kdc/ldappwd
+    db_library = ipadb.so
  }