Hi, is there any difference in the output of the following two search requests?
root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
    -b ou=People,dc=uni-koeln,dc=de \
    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'

root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
    -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'

Regards,
Mark

On 19.10.2012 16:05, Berthold Cogel wrote:
> Hello!
>
> I've configured kerberos with an LDAP backend and I'm now trying to fill
> it with users.
>
> System: RHEL5
> Kerberos: 1.6.1-70.el5 (MIT)
> LDAP: openldap-ltb-2.4.28-1.el5
>
> Kerberos is talking to the local LDAP via LDAPI.
>
> The setup is working for all principals in the kerberos container. I can
> do a kinit and get a ticket...
> I also did a
> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
>
> I did an ldapadd for some testusers followed by an addprinc for each
> testuser. A listprincs shows the principals of these testusers.
>
> But when I try to do a kinit I get this:
>
> kinit a0537
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> This happens for each principal in the ou=People.
>
> The ldapsearch with the first part of the krb5 request in the LDAP log
> shows this:
>
> ldapsearch -x -ZZ -H ldap://... -D cn=... -W
> "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
> scope=2 deref=0
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <> with scope subtree
> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
> # requesting: scope=2 deref=0
> #
>
> # a0537, People, uni-koeln.de
> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>
> # search result
> search: 3
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
>
> So the principal is in the tree. The complete krb5 request in the LDAP
> log looks like this:
>
>
> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>
>
> I don't understand what is happening. And I don't know where to look.
>
>
> Regards
>
> Berthold Cogel
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

-- 
Mark Pröhl
[email protected]
www.kerberos-buch.de
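To see at a glance which of the KDC's per-subtree lookups came back empty, here is an added Python example (not from the thread) that pairs each slapd SRCH line with its SEARCH RESULT line by conn/op, the same correlation one does by hand in the log quoted above. The sample log lines are constructed after the quoted ones; the krbPrincipalName clause of the filter, which is redacted in the quoted log, is filled in with a constructed value.

```python
import re

# Constructed slapd log lines modelled on the KDC lookup quoted in the thread
# (the krbPrincipalName clause is constructed; the quoted log has it redacted).
SAMPLE_LOG = """\
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230711 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230711 op=1 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=krbtgt/RRZ.UNI-KOELN.DE@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230711 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)".*filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*nentries=(\d+)')
PRINC_RE = re.compile(r'\(krbPrincipalName=([^)]+)\)', re.IGNORECASE)


def principal_lookups(log_text):
    """Pair each principal SRCH with its SEARCH RESULT via conn/op -> (bind_dn, principal, base, nentries)."""
    bind_dn = {}   # conn -> DN the KDC bound as (the identity the ACLs apply to)
    pending = {}   # (conn, op) -> (principal, base) awaiting its SEARCH RESULT
    rows = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bind_dn[m.group(1)] = m.group(2)
        elif m := SRCH_RE.search(line):          # 'SRCH attr=' lines have no base= and are skipped
            conn, op, base, flt = m.groups()
            if p := PRINC_RE.search(flt):        # only the KDC's principal lookups
                pending[(conn, op)] = (p.group(1), base)
        elif m := RESULT_RE.search(line):
            conn, op, n = m.groups()
            if (conn, op) in pending:
                princ, base = pending.pop((conn, op))
                rows.append((bind_dn.get(conn, "?"), princ, base, int(n)))
    return rows


def unresolved_principals(rows):
    """Principals whose every subtree search returned nentries=0: the KDC answers 'Client not found'."""
    hits = {}
    for bind, princ, base, n in rows:
        hits.setdefault((bind, princ), []).append(n)
    return sorted(princ for (bind, princ), ns in hits.items() if not any(ns))


if __name__ == "__main__":
    print("unresolved:", unresolved_principals(principal_lookups(SAMPLE_LOG)))
```

Run it over a real slapd log (loglevel stats) to list the principals for which neither ou=People nor the realm container returned an entry under the KDC's bind DN.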
