On Saturday 28 January 2012 00:19:38 Ken Moffat wrote:
> I think the people here who care about heimdal can probably be
> counted on the figures of one hand, with fingers to spare.
I switched to MIT Kerberos in 2004. BUT recently I started a project which
relied on a kerberos/openldap setup and quickly ran up against these
issues:-
a) the legal status of the kerberos.schema available; is it a proprietary
offering of Novell or what?
b) I could not get my krb5/openldap setup to work nor could I solicit help
from the krb5 mailing list. I sent this email to the krb5 mailing list:
################################
{{{{{{{{{{
Greetings,
I am new to this list. I am attempting to implement kerberos with an
openldap database back end. My computer has these:-
--cpu: amd64, 2 Gbytes RAM
--OS: pure 64-bit cblfs linux, kernel 3.2.1, gcc-4.5.2, openldap-2.4.23 and
MIT-kerberos-1.8.1 compiled from source code
I read through the krb5 documentation (bundled with the source code). I need
to create two service objects called kdc-service and adm-service using the
kdb5_ldap_util binary. I am unable to do so following the instructions in the
krb5 documentation.
I tried this first:-
/usr/local/sbin/kdb5_ldap_util \
-D cn=admin,dc=mydomain,dc=com \
-H ldap://myhost.mydomain.com \
-create_service -kdc \
-servicehost myhost.mydomain.com:otherhost2.mydomain.com \
-service_dn cn=kdc-service,dc=mydomain,dc=com
with a view to doing this:-
/usr/local/sbin/kdb5_ldap_util setsrvpw \
-D cn=admin,dc=mydomain,dc=com \
-H ldap://myhost.mydomain.com setsrvpw \
-f /etc/servicePW \
-service_dn cn=kdc-service,dc=mydomain,dc=com
(i.e. to set a password thereafter). However the response was this:-
#---------------------------
Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]
        cmd [cmd_options]
        create         [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]
                       [-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]
                       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
                       [ticket_flags] [-r realm]
        modify         [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]
                       [-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]
                       [ticket_flags] [-r realm]
        view           [-r realm]
        destroy        [-f] [-r realm]
        list
        stashsrvpw     [-f filename] service_dn
        create_policy  [-r realm] [-maxtktlife max_ticket_life]
                       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy
        modify_policy  [-r realm] [-maxtktlife max_ticket_life]
                       [-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy
        view_policy    [-r realm] policy
        destroy_policy [-r realm] [-force] policy
        list_policy    [-r realm]
#----------------------
in other words /usr/local/sbin/kdb5_ldap_util ..... -create_service
does not appear to exist or be working for me.
I then copied the unmodified command as in the krb5 documentation (bundled
with the source code), namely:-
/usr/local/sbin/kdb5_ldap_util \
-D cn=admin,dc=mydomain,dc=com \
-H ldap://myhost.mydomain.com create_service \
-kdc -randpw -f /etc/servicePW cn=kdc-service,dc=mydomain,dc=com
but the result was the same.
--------------
I do not know if this is due to something missing in how either krb5-1.8.1
and/or openldap-2.4.23 were compiled or otherwise. Accordingly advice would
be much appreciated.}}}}}}}}}}
################################
I received no response. I concluded that create_service etc. are tied to
Novell's proprietary eDirectory, as it seems is the available
"kerberos.schema".
After several tries and reconfigurations of so-called realm containers I
came to the conclusion the problem was the Novell-copyrighted
"kerberos.schema" available on the internet and I do not have the facility to
write my own. All the ubuntu howtos on openldap-krb5 have some jiggery-pokery
way of handling THE 'kerberos schema'. I downloaded a deb (twice)
and used the ar facility to open it and lo and behold there was no kerberos
schema in ~/usr/share/~
I stumbled my way across several openldap/krb5 configs now without service
objects and using kdb5_ldap_util to create the realm. But kadmin.local
refused to start and there were no reports of errors in
/var/log/{syslog,messages} or /var/log/auth.log or /var/log/krb5/~
THAT'S WHY I decided to give heimdal a whirl because it offered a decent way
to integrate the database with ldap and the kdc.schema does not seem to be
copyrighted to a commercial organisation, nor is a piece of it (such as
create_service in krb5) linked exclusively to a commercial organisation's
proprietary program.
---------
If anyone on the list knows of a way to use the kdc.schema and integrate
MIT_krb5 with an ldap database using kdb5_ldap_util I would be grateful for
advice.
sincerely
luxInteg.
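An added example, not part of luxInteg's post nor of MIT krb5's own documentation: a POSIX shell script that emits the pieces of an MIT krb5 LDAP backend the usage text quoted above does support (create for the realm, stashsrvpw for the bind passwords), together with the kdc.conf stanza that points the KDC and kadmind at the LDAP container and a slapd ACL that keeps principal keys readable only by those two bind DNs. The realm, DNs, LDAP URI and file paths are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not the original poster's code). Emits the commands and
# configuration for an MIT krb5 LDAP backend using only subcommands that
# appear in the kdb5_ldap_util usage output: create and stashsrvpw.
# All values below are assumptions for the example.
REALM="EXAMPLE.COM"
BASE="dc=example,dc=com"
CONTAINER="cn=krbContainer,$BASE"
KDC_DN="cn=kdc-service,$BASE"      # bind DN the KDC uses (an ordinary LDAP entry)
ADM_DN="cn=adm-service,$BASE"      # bind DN kadmind uses
PWFILE="/etc/krb5kdc/service.keyfile"
URI="ldapi:///"

# Commands to run once slapd loads kerberos.schema and the two bind entries
# exist: create the realm container, then stash each bind DN's password in
# PWFILE (stashsrvpw prompts for it) and keep that file root-only.
realm_setup_commands() {
  cat <<EOF
kdb5_ldap_util -D cn=admin,$BASE -H $URI create -subtrees $BASE -r $REALM -s
kdb5_ldap_util -D cn=admin,$BASE -H $URI stashsrvpw -f $PWFILE $KDC_DN
kdb5_ldap_util -D cn=admin,$BASE -H $URI stashsrvpw -f $PWFILE $ADM_DN
chmod 0600 $PWFILE
EOF
}

# kdc.conf stanza: the KDC binds as KDC_DN, kadmind as ADM_DN, both taking
# their passwords from the stash file written above.
kdc_conf_dbmodules() {
  cat <<EOF
[dbmodules]
  ldap_backend = {
    db_library = kldap
    ldap_kerberos_container_dn = $CONTAINER
    ldap_kdc_dn = "$KDC_DN"
    ldap_kadmind_dn = "$ADM_DN"
    ldap_service_password_file = $PWFILE
    ldap_servers = $URI
  }
EOF
}

# slapd.conf ACL: principal keys are readable by the KDC, writable by kadmind
# and invisible to everyone else; the rest of the container follows the same
# split, so no other bind DN can enumerate or alter principals.
slapd_acl() {
  cat <<EOF
access to dn.subtree="$CONTAINER" attrs=krbPrincipalKey
  by dn.exact="$KDC_DN" read
  by dn.exact="$ADM_DN" write
  by * none
access to dn.subtree="$CONTAINER"
  by dn.exact="$KDC_DN" read
  by dn.exact="$ADM_DN" write
  by * none
EOF
}
```

The realm stanza in kdc.conf still needs `database_module = ldap_backend` under the realm, and the ACL rules must precede any broader `access to *` rule in slapd.conf.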
--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page