On 02/03/2015 10:00 PM, Paul B. Henson wrote:
> Hmm, that's a bummer, I was just about to avail of rename_principal
> functionality with an LDAP backend as part of a realm rename we have coming
> up :(. I was planning to rename everything and then rename it back in order
> to hardcode the correct salt before changing the realm name and avoid having
> to reset passwords. Given this bug, I guess I would have to dump the
> database, load it into bdb, do the renames, dump it again, and then load it
> back into ldap?

It seems so.

> Can you think of any easier way to store the correct salt with a principal
> before a realm rename?

For a one-off, you could write a C program which gets a principal entry,
fixes up the salt, and puts it back without changing the name. You could
use the code for kadm5_rename_principal() in svr_principal.c as a template.
(Make sure to also set entry.mask = KADM5_KEY_DATA or the LDAP put_principal
function will ignore the changed key data.)
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
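
Why the salt has to be stored before the realm changes, as an added example that is not part of the thread and not MIT krb5 code: the default salt (RFC 4120) is the realm followed by the principal's name components, so a key derived under the old realm no longer matches once the default salt is recomputed from the new name. The `Principal` class is a hypothetical stand-in for a KDB entry, the realm names and password are constructed, and only the PBKDF2 stage of the RFC 3962 string-to-key is computed (the final DK step is omitted).

```python
import hashlib

ITERATIONS = 4096  # RFC 3962 default iteration count
KEYLEN = 32        # key length for aes256-cts-hmac-sha1-96


def default_salt(realm, components):
    """RFC 4120 default salt: realm, then name components, no separators."""
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_stage(password, salt):
    """PBKDF2-HMAC-SHA1 stage of the RFC 3962 string-to-key (DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, KEYLEN)


class Principal:
    """Hypothetical toy KDB record: name, realm, key, optional explicit salt."""

    def __init__(self, components, realm, password):
        self.components = components
        self.realm = realm
        self.explicit_salt = None  # None: salt is recomputed from the name
        self.key = pbkdf2_stage(password, self.salt())

    def salt(self):
        if self.explicit_salt is not None:
            return self.explicit_salt
        return default_salt(self.realm, self.components)

    def pin_salt(self):
        """Store the salt currently in effect so a rename cannot change it."""
        self.explicit_salt = self.salt()

    def rename_realm(self, new_realm):
        self.realm = new_realm  # stored key data is left untouched

    def password_matches(self, password):
        """Derive from the password and the salt the entry now advertises."""
        return pbkdf2_stage(password, self.salt()) == self.key


def demo():
    pw = "constructed-password"  # constructed sample value
    unpinned = Principal(["alice"], "OLD.EXAMPLE", pw)
    unpinned.rename_realm("NEW.EXAMPLE")
    pinned = Principal(["alice"], "OLD.EXAMPLE", pw)
    pinned.pin_salt()
    pinned.rename_realm("NEW.EXAMPLE")
    return unpinned.password_matches(pw), pinned.password_matches(pw)
```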