Hello,

You can add the principals under the user's cn; this is possible too. You just need to specify the dn of the user while adding it. For GSSAPI I use the olcAuthzRegexp to transfer to the ldap objects. My userPassword attribute looks like: {SASL}username@REALM.
-Thorsten

Sent from my iPhone

> On 08.11.2016 at 13:34, Dr. Lars Hanke <deb...@lhanke.de> wrote:
>
> ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de made it
> succeed. This is however not mentioned in the HOWTO. From the documentation of
> -subtree I thought that the Principals would somehow be stored with the User
> and Machine entries, i.e. not in a separate tree. So the idea for GSSAPI
> binding of users or machines will be to use authz?
>
> Thanks for the help,
> - lars.
>
>> On 08.11.2016 at 08:58, t Seeger wrote:
>> Hello,
>>
>> did you create the /etc/krb5kdc/kdc.conf file? The Kerberos Container dn is
>> set up there (ldap_kerberos_container_dn). And you need to use 'cn' for the
>> container; this changed some versions ago.
>>
>>
>> [dbmodules]
>> LDAP = {
>> db_library = kldap
>> ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
>> ....
>> }
>>
>> - Thorsten
>>
>> Sent from my iPhone
>>
>>>> On 07.11.2016 at 17:14, Dr. Lars Hanke <deb...@lhanke.de> wrote:
>>>>
>>>> On 07.11.2016 at 15:06, Todd Grayson wrote:
>>>> From that error message you need to provide the schema file for the
>>>> kerberos ldap objects to your directory instance. Can we assume you
>>>> followed top down the instructions from here?
>>>>
>>>> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
>>> Yes, this is my main source.
>>> It seems I have the schema on my LDAP:
>>>
>>> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=schema,cn=config' 'dn'
>>> SASL/EXTERNAL authentication started
>>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>>> SASL SSF: 0
>>> # extended LDIF
>>> #
>>> # LDAPv3
>>> # base <cn=schema,cn=config> with scope subtree
>>> # filter: (objectclass=*)
>>> # requesting: dn
>>> #
>>>
>>> # schema, config
>>> dn: cn=schema,cn=config
>>>
>>> # {0}core, schema, config
>>> dn: cn={0}core,cn=schema,cn=config
>>>
>>> # {1}cosine, schema, config
>>> dn: cn={1}cosine,cn=schema,cn=config
>>>
>>> # {2}nis, schema, config
>>> dn: cn={2}nis,cn=schema,cn=config
>>>
>>> # {3}inetorgperson, schema, config
>>> dn: cn={3}inetorgperson,cn=schema,cn=config
>>>
>>> # {4}samba, schema, config
>>> dn: cn={4}samba,cn=schema,cn=config
>>>
>>> # {5}kerberos, schema, config
>>> dn: cn={5}kerberos,cn=schema,cn=config
>>>
>>> # search result
>>> search: 2
>>> result: 0 Success
>>>
>>> # numResponses: 8
>>> # numEntries: 7
>>>
>>> I admit that I did not understand why in that Howto many more schemas
>>> were included to produce the LDIF for the Kerberos schema, but at least
>>> OpenLDAP did accept it.
>>>
>>> Thanks,
>>> - lars.
>>>>
>>>>
>>>> On Sat, Nov 5, 2016 at 3:03 PM, Dr. Lars Hanke <deb...@lhanke.de> wrote:
>>>>
>>>> I'm currently setting up a new KDC for a new domain. I also have a shiny
>>>> new LDAP. I want Kerberos to use LDAP as backend. LDAP connectivity is
>>>> fine, there is no specific data in it yet.
>>>>
>>>> Trying to create the Kerberos container, I get the following error:
>>>>
>>>> kdb5_ldap_util -D cn=admin,dc=microsult,dc=de create -subtrees
>>>> dc=microsult,dc=de -r UAC.MICROSULT.DE -s -H ldap:///
>>>> Password for "cn=admin,dc=microsult,dc=de":
>>>> Initializing database for realm 'UAC.MICROSULT.DE'
>>>> You will be prompted for the database Master Password.
>>>> It is important that you NOT FORGET this password.
>>>> Enter KDC database master key:
>>>> Re-enter KDC database master key to verify:
>>>> kdb5_ldap_util: Kerberos Container create FAILED: Object class violation
>>>> while creating realm 'UAC.MICROSULT.DE'
>>>>
>>>> I read somewhere that this may be due to the kerberos container not
>>>> being a CN attribute. Actually I see in the debug trace of OpenLDAP that
>>>> it denies dc=microsult,dc=de since it's not a CN.
>>>>
>>>> Am I supposed to create a CN node under my TLD and use this? I don't
>>>> quite understand how the final layout in LDAP is supposed to be and how
>>>> to put that into arguments for kdb5_ldap_util.
>>>>
>>>> Any closer explanation is appreciated. Thanks for your help,
>>>>
>>>> - lars.
>>>>
>>>>
>>>> ________________________________________________
>>>> Kerberos mailing list Kerberos@mit.edu
>>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Todd Grayson
>>>> Business Operations Manager
>>>> Customer Operations Engineering
>>>> Security SME
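The kdc.conf [dbmodules] stanza Thorsten describes, plus an olcAuthzRegexp mapping for GSSAPI binds of the kind he mentions, written up as an added example (not code from the thread or from any of its participants). The base DN dc=microsult,dc=de, the realm UAC.MICROSULT.DE and the cn=KERBEROS container come from the thread; ou=people, the kdc-service/kadmin-service bind DNs and the keyfile path are assumed placeholders. The check function catches the cause of Lars's "Object class violation" before kdb5_ldap_util is run: the container's first RDN must be cn=, not dc=.

```shell
#!/bin/sh
# Added example: write the two config fragments and pre-check the container DN.

write_kdc_conf() {   # $1 = output path (e.g. /etc/krb5kdc/kdc.conf)
  cat > "$1" <<'EOF'
[realms]
    UAC.MICROSULT.DE = {
        database_module = LDAP
    }

[dbmodules]
    LDAP = {
        db_library = kldap
        # container RDN must be cn=; dc=microsult,dc=de alone fails with
        # "Object class violation" (krbContainer entries are named by cn)
        ldap_kerberos_container_dn = cn=KERBEROS,dc=microsult,dc=de
        # assumed placeholder bind DNs and stash file; see kdb5_ldap_util stashsrvpw
        ldap_kdc_dn = cn=kdc-service,dc=microsult,dc=de
        ldap_kadmind_dn = cn=kadmin-service,dc=microsult,dc=de
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldapi:///
        ldap_conns_per_server = 5
    }
EOF
}

# slapd mapping: a GSSAPI bind arrives as the SASL identity
# uid=<user>,cn=<realm>,cn=gssapi,cn=auth; rewrite it to the user's entry
# (assumed to live under ou=people) so the ticket holder binds as that LDAP user.
# Check the exact realm spelling slapd produces with: ldapwhoami -Y GSSAPI
write_authz_ldif() {   # $1 = output path
  cat > "$1" <<'EOF'
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=uac.microsult.de,cn=gssapi,cn=auth uid=$1,ou=people,dc=microsult,dc=de
EOF
}

# Pre-flight check: first RDN of ldap_kerberos_container_dn must be cn=.
check_container_dn() {   # $1 = kdc.conf path; returns 0 when acceptable
  dn=$(sed -n 's/^[[:space:]]*ldap_kerberos_container_dn[[:space:]]*=[[:space:]]*//p' "$1")
  case "$dn" in
    cn=*) return 0 ;;
    *)    echo "ldap_kerberos_container_dn '$dn' must start with cn=" >&2; return 1 ;;
  esac
}
```

Apply the LDIF with `ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif` and confirm the rewrite with `ldapwhoami -Y GSSAPI` after obtaining a ticket.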