On 19.10.2012 20:02, Mark Pröhl wrote:
> Hi,
>
> is there any difference in the output of the following two search requests?
>
> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>     -b ou=People,dc=uni-koeln,dc=de \
>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
>
> root@kdc # ldapsearch -Y EXTERNAL -H ldapi:// \
>     -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de \
>     '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
>
> Regards,
>
> Mark
>
> On 19.10.2012 16:05, Berthold Cogel wrote:
>> Hello!
>>
>> I've configured Kerberos with an LDAP backend and I'm now trying to fill
>> it with users.
>>
>> System: RHEL5
>> Kerberos: 1.6.1-70.el5 (MIT)
>> LDAP: openldap-ltb-2.4.28-1.el5
>>
>> Kerberos is talking to the local LDAP via LDAPI.
>>
>> The setup is working for all principals in the Kerberos container. I can
>> do a kinit and get a ticket...
>> I also did a
>> kdb5_ldap_util modify -D cn=... -r RRZ.UNI-KOELN.DE -subtrees ou=people,dc=uni-koeln,dc=de
>>
>> I did an ldapadd for some test users followed by an addprinc for each
>> test user. A listprincs shows the principals of these test users.
>>
>> But when I try to do a kinit I get this:
>>
>> kinit a0537
>> kinit(v5): Client not found in Kerberos database while getting initial credentials
>>
>> This happens for each principal in the ou=People.
>>
>> The ldapsearch with the first part of the krb5 request in the LDAP log
>> shows this:
>>
>> ldapsearch -x -ZZ -H ldap://... -D cn=... -W "(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))" scope=2 deref=0
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <> with scope subtree
>> # filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
>> # requesting: scope=2 deref=0
>> #
>>
>> # a0537, People, uni-koeln.de
>> dn: uid=a0537,ou=People,dc=uni-koeln,dc=de
>>
>> # search result
>> search: 3
>> result: 0 Success
>>
>> # numResponses: 2
>> # numEntries: 1
>>
>> So the principal is in the tree. The complete krb5 request in the LDAP
>> log looks like this:
>>
>> slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
>> slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
>> slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
>> slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>> slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>> slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
>> slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))"
>> slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth nsaccountlock loginexpirationtime logindisabled modifytimestamp krbLastPwdChange krbExtraData krbObjectReferences
>>
>> I don't understand what is happening. And I don't know where to look.
>>
>> Regards
>>
>> Berthold Cogel
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
What I get is this:

ldapsearch -Y EXTERNAL -H ldapi:// -b ou=People,dc=uni-koeln,dc=de '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=uni-koeln,dc=de> with scope subtree
# filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

ldapsearch -Y EXTERNAL -H ldapi:// -b cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de '(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de> with scope subtree
# filter: (&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))([email protected]))
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1

Regards

Berthold
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
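The thread is reasoning from the slapd stats log about three things at once: which identity the KDC bound as (cn=kdc via a simple bind), which base each of its two searches used (the ou=People subtree from -subtrees, then the realm container), and what each search returned (err=0 with nentries=0 for the first; no result line at all for the second in the quoted log; err=32 for the same realm base when queried as root over ldapi). The script below is an added example, not code from the thread, MIT Kerberos or OpenLDAP: it pairs BIND, SRCH and SEARCH RESULT lines per connection and operation so that a lookup that bound fine but matched nothing (err=0, nentries=0), or that hit a missing or invisible base (err=32), is reported together with the bind identity that saw it. The sample log is constructed from the lines quoted above, re-joined onto single lines; the krbPrincipalName term in the filter is an assumption because the thread's copy of it is redacted, and the second connection (conn=230711, a SASL EXTERNAL root bind getting err=32 on the realm container) is constructed to mirror the ldapsearch output in this reply and does not appear in the quoted log.

```python
import re

# Constructed sample log: the slapd lines quoted in this thread, re-joined
# onto single lines, plus one constructed EXTERNAL-bind connection
# (conn=230711) that mirrors the err=32 ldapsearch result in the reply.
# The krbPrincipalName term in the filter is an assumption; the thread's
# copy of it is redacted.
SAMPLE_LOG = """\
slapd[9882]: conn=230710 fd=29 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" method=128
slapd[9882]: conn=230710 op=0 BIND dn="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" mech=SIMPLE ssf=0
slapd[9882]: conn=230710 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230710 op=1 SRCH base="ou=People,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=1 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230710 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[9882]: conn=230710 op=2 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=a0537@RRZ.UNI-KOELN.DE))"
slapd[9882]: conn=230710 op=2 SRCH attr=krbprincipalname objectclass krbprincipalkey
slapd[9882]: conn=230711 fd=30 ACCEPT from PATH=/var/run/ldapi (PATH=/var/run/ldapi)
slapd[9882]: conn=230711 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=0
slapd[9882]: conn=230711 op=0 RESULT tag=97 err=0 text=
slapd[9882]: conn=230711 op=1 SRCH base="cn=RRZ.UNI-KOELN.DE,ou=Kerberos,dc=uni-koeln,dc=de" scope=2 deref=0 filter="(objectClass=krbPrincipalAux)"
slapd[9882]: conn=230711 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# The "mech=" BIND line carries the identity slapd actually authorised;
# the earlier "method=128" line is the raw request and is ignored here.
BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+)')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="(.*)"$')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')

SCOPE_NAMES = {"0": "base", "1": "one", "2": "sub"}


def pair_searches(lines):
    """Return one record per SRCH, in log order, joined with the bind identity
    of its connection and (when logged) its SEARCH RESULT."""
    binds = {}      # conn -> (bind dn, mechanism)
    searches = {}   # (conn, op) -> record
    order = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            binds[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, filt = m.groups()
            dn, mech = binds.get(conn, ("", "anonymous"))
            searches[(conn, op)] = {"conn": conn, "op": op, "bind_dn": dn, "mech": mech,
                                    "base": base, "scope": SCOPE_NAMES.get(scope, scope),
                                    "filter": filt, "err": None, "nentries": None}
            order.append((conn, op))
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, n = m.groups()
            rec = searches.get((conn, op))
            if rec is not None:      # a result for an op we never saw is ignored
                rec["err"], rec["nentries"] = int(err), int(n)
    return [searches[k] for k in order]


def classify(rec):
    """One-line verdict for a paired search; the two interesting cases are the
    ones the thread is stuck on."""
    if rec["err"] is None:
        return "NO RESULT LOGGED (log cut off, or the operation never completed)"
    if rec["err"] == 32:
        return "ERR 32 noSuchObject: base DN does not exist, or is not visible to this bind identity"
    if rec["err"] == 0 and rec["nentries"] == 0:
        return "ZERO ENTRIES with err=0: base exists but the filter matched nothing this identity may read"
    if rec["err"] == 0:
        return "ok: %d entries" % rec["nentries"]
    return "ERR %d" % rec["err"]


def report(lines):
    """Human-readable line per search, suitable for grepping a full stats log."""
    return ["conn=%s op=%s bind=%s mech=%s base=%s scope=%s -> %s" % (
                r["conn"], r["op"], r["bind_dn"] or "-", r["mech"],
                r["base"], r["scope"], classify(r))
            for r in pair_searches(lines)]


if __name__ == "__main__":
    for row in report(SAMPLE_LOG.splitlines()):
        print(row)
```

Run against a real log (`loglevel stats` in slapd), the useful comparison is the same base and filter under two bind identities: a zero-entry result for cn=kdc beside a hit for the root EXTERNAL identity points at ACLs, whereas zero entries for both points at the filter not matching any attribute value, and err=32 for every identity means the base DN itself is not there.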
