Friday, July 20, 2012

Mapping Kerberos principal to existing eDirectory user

To create a Kerberos principal for an existing eDirectory user, we first need to export the user data from LDAP with the DumpPasswordInformation tool. The tool must be run as an LDAP user that has permission to read the universal password.


java -jar DumpPasswordInformation.jar -h -Z SSL -p 636 -D cn=admin,o=novell -w adminpassword -dvAL -b "ou=people,o=novell"

The tool writes its output to the file dumppasswordinformation.ldif.
The following awk script reads that LDIF file and maps each existing user to a Kerberos principal. It authenticates to kadmin with the keytab of the admin/admin principal, stored in the file admin.keytab.

#!/usr/bin/awk -f
# Each entry starts with "dn: cn=<user>,ou=...": remember the dn and extract the cn value as the principal name.
/^dn:/ { dn = $2 ; split($0,cn," cn=") ; split(cn[2],id,",ou=") }
# When the entry's password line follows, link a new principal to that dn and run kadmin.
# Note: the password is passed on the kadmin command line, so it is visible in the process list while kadmin runs.
/^userpassword:/ {
up = $2 ;
cmd = sprintf("kadmin -p admin/admin -kt admin.keytab -q 'addprinc -x dn=%s -pw %s %s'",dn,up,id[1]) ;
system(cmd)
}

Sample usage, with the script saved as awksh and made executable: ./awksh dumppasswordinformation.ldif
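A stricter reader for the same LDIF, added here as an example and not part of the original post: it unfolds continuation lines and decodes base64 ("::") values, which the awk script does not, and returns the kadmin arguments as lists ready for subprocess.run. The sample LDIF below is constructed, and the admin/admin principal and admin.keytab defaults are taken from the post.

```python
import base64
from typing import Dict, List

# Constructed sample in the layout the awk script expects; bob's entry uses a
# folded dn and a base64-encoded ("::") password to exercise both LDIF features.
SAMPLE_LDIF = """\
dn: cn=alice,ou=people,o=novell
cn: alice
userpassword: Secret1

dn: cn=bob,ou=people,
 o=novell
cn: bob
userpassword:: UGFzc3cwcmQh
"""

def parse_ldif(text: str) -> List[Dict[str, str]]:
    """One {attr: value} dict per entry, attribute names lowercased."""
    unfolded = text.replace("\n ", "")  # a leading space continues the line
    entries = []
    for block in unfolded.split("\n\n"):
        entry: Dict[str, str] = {}
        for line in filter(None, block.splitlines()):
            attr, sep, value = line.partition("::")
            if sep:  # "attr:: <base64>"
                value = base64.b64decode(value.strip()).decode()
            else:
                attr, _, value = line.partition(":")
            entry[attr.lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def principal_name(dn: str) -> str:
    """The cn of the first RDN, the same name the awk script derives."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError(f"expected cn= as first RDN: {dn}")
    return value.strip()

def addprinc_argvs(text: str, admin="admin/admin", keytab="admin.keytab"):
    """One kadmin argv per password-bearing entry, shaped for subprocess.run so
    the password never goes through a shell (kadmin itself splits -q on spaces)."""
    argvs = []
    for e in parse_ldif(text):
        if "userpassword" not in e:
            continue
        query = f"addprinc -x dn={e['dn']} -pw {e['userpassword']} {principal_name(e['dn'])}"
        argvs.append(["kadmin", "-p", admin, "-kt", keytab, "-q", query])
    return argvs
```

Run each returned list with subprocess.run(argv, check=True) on the KDC host; the password is still visible in the process list while kadmin runs, exactly as with the awk version.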
