Francesco Malvezzi
Asked: 2015-10-08 22:35:01 +0800 CST

krb5 / ldap: does the domain name have to match the directory naming context?

To store krb5 principal entries in LDAP, does the LDAP naming context (the root base DN) need to match the realm name?

Can the realm HQ.EXAMPLE.ORG be stored in the naming context of the dc=example,dc=org directory tree?

ldap

1 Answer

Voted Best Answer
84104 2015-10-09T23:04:19+08:00

The names don't have to match at all. You just need to get the permissions right.

Here is a working, though not ideal, example of this concept:

    $ ldapsearch -Q -LLL -h ldap1.example.com -b cn=krbcontainer -s one objectclass @krbRealmContainer
    dn: cn=EXAMPLE.COM,cn=krbContainer
    cn: EXAMPLE.COM
    objectClass: top
    objectClass: krbRealmContainer
    objectClass: krbTicketPolicyAux
    krbSubTrees: ou=people,dc=example,dc=com

    dn: cn=kadmin-service,cn=krbContainer
    objectClass: krbKdcService
    objectClass: simpleSecurityObject
    cn: kadmin-service

    dn: cn=kdc-service,cn=krbContainer
    objectClass: krbKdcService
    objectClass: simpleSecurityObject
    cn: kdc-service

    ldap1 ~ # cat /etc/krb5.conf
    #krb5.conf
    [libdefaults]

    [realms]
    EXAMPLE.COM = {
        admin_server = ldap1.example.com
        kdc = ldap1.example.com
        database_module = openldap_ldapconf
    }

    [logging]
    kdc = SYSLOG:INFO:AUTH
    admin_server = SYSLOG:INFO:AUTH

    [dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer

    [dbmodules]
    openldap_ldapconf = {
        db_library = ldap
        ldap_kerberos_container_dn = cn=krbContainer
        ldap_kdc_dn = "cn=kdc-service,cn=krbContainer"
        # this object needs to have read rights on
        # the realm container and principal subtrees
        ldap_kadmind_dn = "cn=kadmin-service,cn=krbContainer"
        # this object needs to have read and write rights on
        # the realm container and principal subtrees
        ldap_service_password_file = /etc/krb5kdc.keyfile
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
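As an added check (example code, not from the original answer), the script below parses a krb5.conf and the LDIF returned by an ldapsearch of the Kerberos container, confirms that each LDAP-backed realm has its cn=<REALM>,<ldap_kerberos_container_dn> entry, and reports the krbSubTrees that entry points principal lookups at. It makes the answer's point concrete: the realm HQ.EXAMPLE.ORG sits under cn=krbContainer while its principals live under dc=example,dc=org. The krb5.conf and LDIF inputs are constructed for this example.

```python
KRB5_CONF = """[realms]
HQ.EXAMPLE.ORG = {
  database_module = openldap_ldapconf
}
[dbmodules]
openldap_ldapconf = {
  db_library = ldap
  ldap_kerberos_container_dn = cn=krbContainer
}"""
LDIF = """dn: cn=HQ.EXAMPLE.ORG,cn=krbContainer
krbSubTrees: ou=people,dc=example,dc=org"""

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [section], key = value, key = { ... } blocks."""
    conf, stack = {}, [{}]
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and whitespace
        if line.startswith('[') and line.endswith(']'):
            stack = [conf.setdefault(line[1:-1], {})]  # start a new section
        elif line == '}':
            stack.pop()  # close a nested realm or module block
        elif line:
            key, _, value = (p.strip() for p in line.partition('='))
            if value == '{':  # open a nested block such as a realm or db module
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value.strip('"')
    return conf

def parse_ldif(text):
    """Group 'attr: value' lines into {dn: {attr: [values]}} (no continuation lines)."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, _, value = (p.strip() for p in line.partition(':'))
        if attr.lower() == 'dn':
            cur = entries.setdefault(value, {})
        elif attr and cur is not None:
            cur.setdefault(attr, []).append(value)
    return entries

def check_realms(conf, entries):
    """For each ldap-backed realm: (container entry found?, its krbSubTrees)."""
    by_dn = {dn.lower(): attrs for dn, attrs in entries.items()}  # DNs compare case-insensitively
    report = {}
    for realm, settings in conf.get('realms', {}).items():
        module = conf.get('dbmodules', {}).get(settings.get('database_module', ''), {})
        if module.get('db_library') != 'ldap':
            continue  # realm is not stored in LDAP, nothing to cross-check
        entry = by_dn.get(f"cn={realm},{module['ldap_kerberos_container_dn']}".lower())
        report[realm] = (entry is not None, entry.get('krbSubTrees', []) if entry else [])
    return report
```

A realm name that does not match its container entry (for instance a typo such as EXMAPLE in krb5.conf) shows up as a False result, which is the mismatch the KDC would otherwise surface only at start-up.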