Hi there, I am trying to install a KDC (Kerberos) with an OpenLDAP backend, following the instructions found on the MIT Kerberos site. Installation went fine and I can see that the default principals have been created (kadmin, krbtgt and so on).

However, I cannot add new principals:

    kadmin.local -q "addprinc -pw password root"
    Authenticating as principal root/[email protected] with password.
    WARNING: no policy specified for [email protected]; defaulting to no policy
    add_principal: Principal add failed: Insufficient access while creating "[email protected] <[email protected]>".

Digging a bit further, I could see the following with Wireshark (after binding to the directory as kadmin):

    147 21.719670222 127.0.0.1 127.0.0.1 LDAP 1028 addRequest(7) "[email protected],cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr"
    148 21.720138441 127.0.0.1 127.0.0.1 LDAP 107 addResponse(7) insufficientAccessRights (no write access to parent)

My LDAP ACLs are as follows:

    {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=jakobi,dc=fr" write by anonymous auth by self write by * none
    {1}to dn.base="" by * read
    {2}to * by dn="cn=admin,dc=jakobi,dc=fr" write by * read
    {3}to dn.subtree="cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kdc,ou=People,dc=jakobi,dc=fr" read
    {4}to dn.subtree="cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kadmin,ou=People,dc=jakobi,dc=fr" write

If ACL #4 refers to dn.subtree="cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr" (shouldn't it be the parent of the target principal?), the result is the same. As far as I understand, rule #4 should allow me to write within the realm subtree... Can someone enlighten me?

Thanks in adv.

--
Pascal
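
To make the slapd evaluation order visible, here is an added Python model (not part of Pascal's post, and not OpenLDAP code) of how access directives are evaluated: directives are checked top to bottom, the first `to` clause whose target matches is used, and within it the first `by` clause whose requester matches decides; nothing after that directive is consulted. It is run over the five ACLs quoted above; the two extra orderings (catch-all clause moved last, and both Kerberos clauses merged into one directive) are constructed for comparison, and the model handles only the `*`, `attrs=`, `dn.base=` and `dn.subtree=` targets and the `*`, `anonymous`, `self` and `dn=`/`dn.exact=` subjects that appear in the post.

```python
# Constructed from the ACLs quoted in the post ({n} index prefixes dropped).
ACLS_AS_POSTED = [
    'to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=jakobi,dc=fr" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by dn="cn=admin,dc=jakobi,dc=fr" write by * read',
    'to dn.subtree="cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kdc,ou=People,dc=jakobi,dc=fr" read',
    'to dn.subtree="cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kadmin,ou=People,dc=jakobi,dc=fr" write',
]
# Constructed variant: only the catch-all 'to *' clause moved to the end.
ACLS_CATCHALL_LAST = ACLS_AS_POSTED[:2] + ACLS_AS_POSTED[3:] + [ACLS_AS_POSTED[2]]
# Constructed variant: both Kerberos clauses merged into one directive ahead of the catch-all.
ACLS_MERGED = ACLS_AS_POSTED[:2] + [
    'to dn.subtree="cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kdc,ou=People,dc=jakobi,dc=fr" read by dn.exact="cn=kadmin,ou=People,dc=jakobi,dc=fr" write by * none',
    ACLS_AS_POSTED[2],
]

def parse(directive):
    """Split 'to <what> by <who> <level> by ...' into (what, [(who, level), ...])."""
    head, *bys = directive.split(" by ")
    return head[3:].strip(), [tuple(b.rsplit(" ", 1)) for b in bys]

def what_matches(what, target, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    style, _, pattern = what.partition("=")
    pattern, t = pattern.strip('"').lower(), target.lower()
    if style == "dn.base":
        return t == pattern
    return style == "dn.subtree" and (t == pattern or t.endswith("," + pattern))

def who_matches(who, requester, target):
    if who == "*":
        return True
    if who == "anonymous":
        return requester == ""
    if who == "self":
        return requester.lower() == target.lower()
    return requester.lower() == who.partition("=")[2].strip('"').lower()  # dn= / dn.exact=

def access_level(acls, requester, target, attr=None):
    """slapd order: the first 'to' clause matching the target is used, and within it
    the first 'by' clause matching the requester decides; later directives never run."""
    for index, directive in enumerate(acls):
        what, bys = parse(directive)
        if what_matches(what, target, attr):
            for who, level in bys:
                if who_matches(who, requester, target):
                    return index, level
            return index, "none"  # 'to' matched but no 'by' did: access denied
    return None, "none"
```

Adding an entry needs write access on its parent, so the query to ask the model is what `cn=kadmin` gets on `cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr`: as posted, directive {2} (`to *`) matches first and yields `read`; with the catch-all moved last, {3} matches the realm container first and its only `by` clause names `cn=kdc`, so kadmin still gets nothing; only the merged directive yields `write` for kadmin and `read` for kdc.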
