[KLUG Members] book suggestions for openldap

Adam Tauno Williams members@kalamazoolinux.org
Wed, 3 Dec 2003 14:17:27 -0500


> > If you try to go into LDAP via a "cookbook" you're steaming down a blind
> > alley, IMHO.  It is really best if you take some time to understand
> > the directory oriented approach.  Obviously this is true of anything,
> > but LDAP especially, and more so.
> May I note that without some recipes, almost all Linux programs would go
> unused.
> I'm working with the padl.com migration scripts and have hit a rather
> large snag: krbName is not defined in /etc/ldap/schema/krb5-kdc.schema,
> but the padl.com scripts expect it to be there. Adam: what do I use
> instead of krbName: krb5PrincipalName or krb5Principal? I think it's the
> first.

krbName is defined in core.schema.  Just about every DSA in the world should know
about it.  If yours doesn't, I'd suspect a packaging problem.

attributetype ( 1.3.6.1.4.1.250.1.32
        NAME ( 'krbName' 'kerberosName' )
        DESC 'Kerberos Name'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

You can just remove

        if ($DEFAULT_REALM) {
                print $HANDLE "krbName: $user\@$DEFAULT_REALM\n";
        }

from migrate_passwd.pl if you're not using Kerberos, since then krbName won't do
you any good anyway.  It is broken behaviour that the scripts ASSUME you are
using Kerberos if you have enabled the extended schema information (in
migrate_common.ph).

> And may I say what a massive thrill it is to use the online migration
> script only to have it fail on the slightest error? The offline attempt
> ended in failure when my slapd database dared to have
> "dn: dc=killdevil,dc=org" defined.

I won't argue that the scripts are starting to show their age (and
maintainerlessness).
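As an added example (not from the post, core.schema or the PADL scripts), the check a practitioner would want before loading migration-script output: it reads the NAME aliases out of schema attributetype definitions, unfolds LDIF continuation lines, reports attributes the schema does not define (the krbName failure above, or a krb5PrincipalName the DSA has not been told about), and strips krbName from the output when no Kerberos realm is in use. The schema excerpt and the LDIF entry are constructed.

```python
import re

# Constructed excerpt: the krbName definition quoted in the post plus two stand-ins for core.schema.
SCHEMA = """
attributetype ( 1.3.6.1.4.1.250.1.32 NAME ( 'krbName' 'kerberosName' )
        DESC 'Kerberos Name' EQUALITY caseIgnoreIA5Match SINGLE-VALUE )
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) SUP name )
attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

# Constructed entry in the shape migrate_passwd.pl writes; cn is folded onto a continuation line.
LDIF = """dn: uid=jdoe,ou=People,dc=example,dc=org
uid: jdoe
cn: John D
 oe
krbName: jdoe@EXAMPLE.ORG
krb5PrincipalName: jdoe@EXAMPLE.ORG
"""

def schema_attribute_names(schema_text):
    """Every attribute name and alias declared by a NAME clause, lowercased."""
    names = set()
    for chunk in schema_text.split("attributetype")[1:]:
        m = re.search(r"NAME\s*(?:\(\s*((?:'[^']*'\s*)+)\)|'([^']*)')", chunk)
        if not m:
            continue
        found = re.findall(r"'([^']*)'", m.group(1)) if m.group(1) else [m.group(2)]
        names.update(n.lower() for n in found)
    return names

def unfold_ldif(ldif_text):
    """Join LDIF continuation lines (leading space) back onto the line they continue."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines
def attribute_of(line):
    """Attribute name of one unfolded LDIF line, options stripped, lowercased."""
    return line.split(":", 1)[0].split(";", 1)[0].strip().lower()
def undefined_attributes(ldif_text, schema_text):
    """Attributes the LDIF uses that the schema does not define, in order of first use."""
    known = schema_attribute_names(schema_text) | {"dn", "objectclass"}
    used = [attribute_of(l) for l in unfold_ldif(ldif_text) if l and not l.startswith("#")]
    return [a for i, a in enumerate(used) if a not in known and a not in used[:i]]
def drop_attribute(ldif_text, attr):
    """Strip one attribute from generated LDIF, e.g. krbName when no Kerberos realm is in use."""
    return "\n".join(l for l in unfold_ldif(ldif_text) if attribute_of(l) != attr.lower()) + "\n"
```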