Import the trusted root certificate from eDirectory using the following command:
kdb5_util [-h ldap_server] [-p ssl_port] import_cert -f filename
For example:
kdb5_util -h kerberos.mit.edu -p 636 import_cert -f /opt/novell/kerberos/trustedroot.der
NOTE: The kdb5_util utility is present in the /opt/novell/kerberos/sbin directory.
Extend the eDirectory schema by applying the untarred_path/NovellKerberosKDC/setup/kerberos.ldif file as follows:
/opt/novell/kerberos/bin/ldapmodify -D admin_dn -W -h server -p port -f untarred_path/NovellKerberosKDC/setup/kerberos.ldif -e trusted_root_certificate -c
For example:
/opt/novell/kerberos/bin/ldapmodify -D cn=admin,o=mit -W -h kerberos.mit.edu -p 636 -f untarred_path/NovellKerberosKDC/setup/kerberos.ldif -e /opt/novell/kerberos/trustedroot.der -c
You can also extend the schema through Novell iManager as follows:
Configure Kerberos LDAP extensions on the eDirectory server.
Ensure that the Kerberos LDAP extensions are installed on the machine where eDirectory is installed.
The kdc-install utility installs libkrbpwd.so in /usr/lib/nds-modules.
In eDirectory 8.8, Directory Host modules are located at /opt/novell/eDirectory/lib/nds-modules; therefore, you need to complete these additional steps for eDirectory 8.8:
Add the Kerberos LDAP extensions to eDirectory as follows:
kdb5_util [-D user_dn [-w passwd]] [-h ldap_server] [-p ldap_port] [-t trusted_cert] ldapxtn_info -add|-clear
For example:
kdb5_util -D cn=admin,o=mit -w novell -h kerberos.mit.edu -t /opt/novell/kerberos/trustedroot.der ldapxtn_info -add
Ensure that you run this command on the machine where KDC is installed.
Restart nldap.
To restart nldap, you need to first unload and then load nldap.
On eDirectory 8.7.3:
Configure Kerberos Password Agent on the eDirectory server:
NOTE: You need to configure the Kerberos Password Agent if you want to integrate universal password with Novell Kerberos KDC.
Ensure that the Kerberos Password Agent is installed on the machine where eDirectory is installed.
The kdc-install utility installs libkpa.so in /usr/lib/nds-modules.
In eDirectory 8.8, Directory Host modules are located at /opt/novell/eDirectory/lib/nds-modules; therefore, you need to complete these additional steps for eDirectory 8.8:
Start the Kerberos Password Agent as follows:
/opt/novell/kerberos/sbin/kpa -l
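A preflight check for the steps above, added here as an example; it is not part of the Novell documentation or tooling. It uses only the paths named on this page. The function names, the ROOT prefix argument, the assumption that the trusted root file is DER-encoded (as its .der name suggests), and the assumption that versions other than 8.8 load modules from /usr/lib/nds-modules are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify the prerequisites of the procedure before running it.
# ROOT is a hypothetical prefix (empty on a real host) so the checks can be
# exercised against a test directory tree.

# Module directory for a given eDirectory version. Only the 8.8 location and
# the kdc-install default are stated on the page; treating every non-8.8
# version as using the default is an assumption.
module_dir() {
    case "$1" in
        8.8*) echo "/opt/novell/eDirectory/lib/nds-modules" ;;
        *)    echo "/usr/lib/nds-modules" ;;
    esac
}

# Succeeds only if the file is non-empty and starts with an ASN.1 SEQUENCE
# tag (0x30), which DER certificates do and PEM text does not (assumption:
# the trusted root passed to -e / -t is expected in DER form).
is_der_cert() {
    [ -s "$1" ] || return 1
    first=$(od -An -tx1 -N1 "$1" | tr -d ' \n')
    [ "$first" = "30" ]
}

# preflight ROOT EDIR_VERSION CERT_PATH
# Prints one line per problem and returns the number of problems found.
# libkpa.so only matters if the Kerberos Password Agent will be used.
preflight() {
    root=$1; ver=$2; cert=$3; problems=0
    if [ ! -x "$root/opt/novell/kerberos/sbin/kdb5_util" ]; then
        echo "missing: /opt/novell/kerberos/sbin/kdb5_util"
        problems=$((problems + 1))
    fi
    if ! is_der_cert "$root$cert"; then
        echo "not a DER certificate: $cert"
        problems=$((problems + 1))
    fi
    dir=$(module_dir "$ver")
    for mod in libkrbpwd.so libkpa.so; do
        if [ ! -f "$root$dir/$mod" ]; then
            echo "missing: $dir/$mod"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage on a real host: sh preflight.sh 8.8 /opt/novell/kerberos/trustedroot.der
if [ "$#" -ge 2 ]; then preflight "" "$1" "$2"; fi
```

On an eDirectory 8.8 host where the modules exist only in /usr/lib/nds-modules, the check reports both modules as missing from the 8.8 module directory, which indicates the additional 8.8 steps have not been completed.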