On 21.10.2012 00:21, Berthold Cogel wrote:
> On 19.10.2012 20:02, Mark Pröhl wrote:
>> Hi,
>>
>> is there any difference in the output of the following two search requests?
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>     -b ou=People,dc=uni-koeln,dc=de \
>>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
>>
>> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>>     -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
>>
>> Regards,
>>
>> Mark
>>
>> On 19.10.2012 16:05, Berthold Cogel wrote:
>>> Hello!
>>>
>>> I've configured Kerberos with an LDAP backend and I'm now trying to fill
>>> it with users.
>>>
>>> System: RHEL5
>>> Kerberos: 1.6.1-70.el5 (MIT)
>>> LDAP: openldap-ltb-2.4.28-1.el5
>>>
>>> Kerberos is talking to the local LDAP via LDAPI.
>>>
>>> The setup is working for all principals in the Kerberos container. I can
>>> do a kinit and get a ticket...
>>> I also did a
>>> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
>>>
>>> I did an ldapadd for some test users followed by an addprinc for each
>>> test user. A listprincs shows the principals of these test users.
>>>
>>> But when I try to do a kinit I get this:
>>>
>>> kinit a0537
>>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>>
>>> This happens for each principal in the ou=People.
>>>
>>> The ldapsearch with the first part of the krb5 request in the LDAP log
>>> shows this:
>>>
>>> ldapsearch -x -ZZ -H ldap://... -D cn=... -W
>>>   "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>>>   scope=2 deref=0
>>> Enter LDAP Password:
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <> with scope subtree
>>> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
>>> # requesting: scope=2 deref=0
>>> #
>>>
>>> # a0537, People, uni-koeln.de
>>> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>>>
>>> # search result
>>> search: 3
>>> result: 0 Success
>>>
>>> # numResponses: 2
>>> # numEntries: 1
>>>
>>> So the principal is in the tree. The complete krb5 request in the LDAP
>>> log looks like this:
>>>
>>> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>>> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>>> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0
>>>   filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>>> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass
>>>   krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags
>>>   krbprincipalexpiration krbticketpolicyreference krbUpEnabled
>>>   krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
>>>   krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
>>>   loginexpirationtime logindisabled modifytimestamp krbLastPwdChange
>>>   krbExtraData krbObjectReferences
>>> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>>> slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0
>>>   filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>>> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass
>>>   krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags
>>>   krbprincipalexpiration krbticketpolicyreference krbUpEnabled
>>>   krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth
>>>   krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock
>>>   loginexpirationtime logindisabled modifytimestamp krbLastPwdChange
>>>   krbExtraData krbObjectReferences
>>>
>>> I don't understand what is happening. And I don't know where to look.
>>>
>>> Regards
>>>
>>> Berthold Cogel
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>
>
> What I get is this:
>
> ldapsearch -Y EXTERNAL -H ldapi:// -b ou=People,dc=uni-koeln,dc=de \
>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,dc=uni-koeln,dc=de> with scope subtree
> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
>
> ldapsearch -Y EXTERNAL -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> # extended LDIF
> #
> # LDAPv3
> # base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
>
>
> Regards
>
> Berthold
>
Sorry, I missed that MIT is not using SASL/EXTERNAL. Please try again with

root@kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// \
    -b ou=People,dc=uni-koeln,dc=de \
    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_1>@RRZ.UNI-KOELN.DE))'

root@kdc # ldapsearch -x -D <BIND_DN> -W -H ldapi:// \
    -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
    '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=<USER_2>@RRZ.UNI-KOELN.DE))'

- Replace <BIND_DN> by the value of ldap_kdc_dn from your kdc.conf (or krb5.conf)
- Replace <USER_1> by a Kerberos principal entry that is stored below ou=People
- Replace <USER_2> by a Kerberos principal entry that is stored below cn=RRZ.UNI-KOELN.DE,ou=Kerberos

Do these LDAP searches result in different attribute sets?

Regards,

Mark Pröhl
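The comparison Mark asks for (what the KDC's bind DN can see versus what another identity can see) can also be read straight off the slapd access log quoted earlier in the thread. The script below is an added example, not code from the thread or from MIT Kerberos or OpenLDAP: it correlates BIND, SRCH and SEARCH RESULT lines per connection and reports every base/filter pair where one bind identity received entries while another received none. The sample log lines are constructed to mirror the quoted log; the cn=admin bind DN, the conn numbers and the principal name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd log quoted in the thread; the second
# bind DN, the conn numbers and the principal name are assumptions.
SAMPLE_LOG = """\
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230711 op=0 BIND dn="cn=admin,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230711 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230711 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d deref=\d filter="(.*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')

def search_results(log_text):
    """Return (bind_dn, base, filter, err, nentries) for every completed search."""
    bind_dn = {}   # conn -> DN of the last BIND seen on that connection
    pending = {}   # (conn, op) -> (base, filter) until its SEARCH RESULT arrives
    results = []
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            bind_dn[m.group(1)] = m.group(2) or "anonymous"   # dn="" is an anonymous bind
        elif m := SRCH_RE.search(line):
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
        elif m := RESULT_RE.search(line):
            conn, op, err, n = m.groups()
            if (conn, op) in pending:
                base, flt = pending.pop((conn, op))
                results.append((bind_dn.get(conn, "unknown"), base, flt, int(err), int(n)))
    return results

def visibility_gaps(log_text):
    """(base, filter) -> {bind_dn: max nentries}, kept only where one identity got
    entries and another got none: the usual signature of an ACL hiding entries."""
    seen = defaultdict(dict)
    for dn, base, flt, _err, n in search_results(log_text):
        seen[(base, flt)][dn] = max(n, seen[(base, flt)].get(dn, 0))
    return {k: v for k, v in seen.items()
            if any(n > 0 for n in v.values()) and any(n == 0 for n in v.values())}

if __name__ == "__main__":
    for (base, flt), per_dn in visibility_gaps(SAMPLE_LOG).items():
        print(base, flt, per_dn)
```

With the constructed sample the only gap reported is ou=People, where cn=admin gets one entry and cn=kdc gets none, which is exactly the pattern to check the ACLs for before looking elsewhere.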
