Friday, July 20, 2012

Mapping Kerberos principal to existing eDirectory user


To create a Kerberos principal for an existing eDirectory user, first export the user data from LDAP with the DumpPasswordInformation tool from http://ldapwiki.willeke.com/wiki/DumpEdirectoryPasswordInformationTool. Run the tool as an LDAP user that has the rights to read the Universal Password, otherwise the userpassword values will be missing from the export.

Example:

java -jar DumpPasswordInformation.jar -h ldap.company.com -Z SSL -p 636 -D cn=admin,o=novell -w adminpassword -dvAL -b "ou=people,o=novell"

The tool writes its output to the file dumppasswordinformation.ldif. Because this file contains the users' Universal Passwords in clear text, keep it readable only by the administrator and delete it when the mapping is done.
The following awk script reads that LDIF and creates one Kerberos principal per user. The principal is linked to the existing eDirectory object with kadmin's -x dn= option (MIT Kerberos LDAP backend) and its password is set to the exported Universal Password, so the Kerberos key matches the eDirectory password. The script authenticates to kadmin with the keytab of the admin/admin principal, stored in the file admin.keytab.


awksh:
#!/usr/bin/awk -f
# Reads dumppasswordinformation.ldif and creates one Kerberos principal per user.
# "-x dn=" links the principal to the existing eDirectory object (MIT LDAP KDB);
# commands are fed to kadmin on stdin so passwords never appear in ps output.
BEGIN { kadmin = "kadmin -p admin/admin -kt admin.keytab" }
/^dn: / {
  dn = substr($0, 5)                       # whole DN, even if the cn contains spaces
  id = dn ; sub(/^cn=/, "", id) ; sub(/,.*$/, "", id)   # principal name = cn value
}
tolower($1) == "userpassword:" {           # attribute name case varies between exports
  up = substr($0, length($1) + 2)          # value may contain spaces, so not just $2
  printf "addprinc -x dn=\"%s\" -pw \"%s\" %s\n", dn, up, id | kadmin
}
END { close(kadmin) }

Sample usage (after chmod +x awksh): ./awksh dumppasswordinformation.ldif
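The awk approach above breaks on LDIF features that real exports contain: folded continuation lines, base64-encoded values (userPassword:: ...) and attribute names whose case differs between tools. The following Python script is an added example, not part of the original post, that parses the LDIF properly, derives the principal name from the cn RDN, refuses names that are not usable as Kerberos principals instead of silently creating a wrong one, and feeds the addprinc commands to kadmin over stdin. It reuses the post's admin/admin principal and admin.keytab; the sample LDIF is constructed here, and the assumption that kadmin's command parser accepts double-quoted arguments for values containing spaces is marked in the code.

```python
#!/usr/bin/env python3
"""Create Kerberos principals for eDirectory users from the LDIF written by
DumpPasswordInformation.jar, feeding kadmin over stdin so that no password
appears on a command line.  Added example, not the original post's script."""
import base64
import re
import subprocess
import sys
from typing import Dict, Iterator, List, Tuple

# Constructed sample in the shape an LDIF export takes: a plain value, a
# base64 ("::") value, a cn with a space, and a folded continuation line.
SAMPLE_LDIF = """\
version: 1

dn: cn=jdoe,ou=people,o=novell
objectClass: inetOrgPerson
userPassword: s3cret!pass

dn: cn=Jane Roe,ou=people,o=novell
objectClass: inetOrgPerson
userPassword:: cGFzc3dvcmQ=

dn: cn=svcacct,ou=peo
 ple,o=novell
userpassword: x
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
RDN_CN = re.compile(r"^cn=((?:\\.|[^,\\])+)", re.IGNORECASE)


def parse_ldif(text: str) -> Iterator[Tuple[str, Dict[str, List[str]]]]:
    """Yield (dn, attrs) per record; attrs keys are lower-cased, '::' values
    are base64-decoded and RFC 2849 folded lines are joined first."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation line: drop the leading space
        else:
            lines.append(raw)
    dn, attrs = None, {}
    for line in lines + [""]:             # trailing "" flushes the last record
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line:
            if dn is not None:
                yield dn, attrs
            dn, attrs = None, {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8")
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)


def principal_for(dn: str) -> str:
    """Principal name = value of the leading cn RDN (escapes removed)."""
    m = RDN_CN.match(dn)
    if not m:
        raise ValueError(f"DN does not start with a cn RDN: {dn}")
    name = re.sub(r"\\(.)", r"\1", m.group(1)).strip()
    # whitespace, '@' and '/' would change the meaning of the principal name
    if re.search(r"[\s@/]", name):
        raise ValueError(f"cn {name!r} is not usable as a principal name")
    return name


def kadmin_line(dn: str, password: str, principal: str) -> str:
    """One addprinc command for kadmin's stdin; -x dn= links the principal to
    the existing directory object.  Assumption: kadmin's parser accepts
    double-quoted arguments, so a quote or newline inside a value is refused."""
    for v in (dn, password):
        if '"' in v or "\n" in v:
            raise ValueError("value contains a quote or newline; set it interactively")
    return f'addprinc -x dn="{dn}" -pw "{password}" {principal}'


def build_commands(ldif_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (commands, skipped) where skipped lists (dn, reason) pairs."""
    commands, skipped = [], []
    for dn, attrs in parse_ldif(ldif_text):
        pw = attrs.get("userpassword")
        if not pw:
            skipped.append((dn, "no userpassword in export"))
            continue
        try:
            commands.append(kadmin_line(dn, pw[0], principal_for(dn)))
        except ValueError as e:
            skipped.append((dn, str(e)))
    return commands, skipped


def run_kadmin(commands: List[str], keytab: str = "admin.keytab",
               princ: str = "admin/admin") -> int:
    """Pipe the commands into kadmin (keytab auth as in the post)."""
    proc = subprocess.run(["kadmin", "-p", princ, "-kt", keytab],
                          input="\n".join(commands) + "\n", text=True, check=True)
    return proc.returncode


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    cmds, skipped = build_commands(text)
    for dn, why in skipped:
        print(f"skipping {dn}: {why}", file=sys.stderr)
    if len(sys.argv) > 1:
        run_kadmin(cmds)
    else:
        print("\n".join(cmds))           # dry run on the constructed sample
```

Run with the LDIF path as the argument to create the principals, or without arguments to see the generated addprinc commands for the built-in sample; every record that cannot be mapped safely is reported on stderr rather than being turned into a malformed principal.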

