
Re: init REALM with backend ldap
[cross-posting to openldap-software]

Looks like OpenLDAP 2.1 requires that a bind is performed before
any modifications are. Looks like the Heimdal backend will need
to be modified to perform a bind first.

I suggest you perform a bind as the naming context with no
password. There's no point storing credentials for talking over
ldapi:// (false sense of security) but you will need to configure
slapd to allow such binds.

-- Luke

>From: Ralf Grabow <heimdal@systron.de>
>Subject: init REALM with backend ldap
>To: "heimdal-discuss@sics.se" <heimdal-discuss@sics.se>
>Date: Wed, 19 Jun 2002 11:15:04 +0000
>
>Hello list.
> 
>Something changed or I forgot something or I have a documentation gap.
> 
>parts:
>linux-2.4.18
>cyrus-sasl-2.1.4
>heimdal-0.4e
>krb4-1.1.1
>openldap-2.1.2
> 
>slapd.conf:
>...
>access to *
>        by sockurl="^ldapi:///$" write
>        by * write
>...
> 
># /usr/heimdal/sbin/kadmin -l init RZ
>Realm max ticket life [unlimited]:
>Realm max renewable ticket life [unlimited]:
>kadmin: kadm5_create_principal: ldap_add_s: Operations error
> 
> 
>log:
>daemon: conn=12 fd=11 connection from PATH= (PATH=/usr/local/var/ldapi)
>accepted.
>conn=12 op=0 SRCH base="dc=rz" scope=1
>filter="(&(objectClass=krb5KDCEntry)(krb5PrincipalName=default@RZ))"
>conn=12 op=0 RESULT tag=101 err=32 text=
>conn=12 op=1 UNBIND
>conn=12 fd=11 closed
>daemon: conn=13 fd=11 connection from PATH= (PATH=/usr/local/var/ldapi)
>accepted.
>conn=13 op=0 SRCH base="dc=rz" scope=1
>filter="(&(objectClass=krb5KDCEntry)(krb5PrincipalName=krbtgt/RZ@RZ))"
>conn=13 op=0 RESULT tag=101 err=32 text=
>conn=13 op=1 ADD dn="cn=krbtgt/rz@rz,dc=rz"
>conn=13 op=1 RESULT tag=105 err=1 text=modifications require
>authentication
>conn=13 op=2 UNBIND
>conn=13 fd=11 closed
>....
> 
> 
>The database is empty.
>Where do I have to set the authentication? I can't remember.
>
>
>Ralf

--
Luke Howard | lukehoward.com
PADL Software | www.padl.com
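An added example (not from either poster and not the Heimdal project's code) of the slapd.conf pieces Luke's suggestion implies: the ACL from Ralf's post grants write access to every client (`by * write`), while the corrected version uses the OpenLDAP 2.1 `allow` directive so an unauthenticated bind (DN with empty password) and anonymous updates are accepted, and confines those writes to the local ldapi:// peer. The socket URL and the `allow` feature names are taken from the log and slapd.conf(5); the assumption is that only the KDC on the same host should ever modify entries.

```conf
# Weak: this is the ACL from the original post. The trailing "by * write"
# clause gives every client, anonymous or not, from any listener, write
# access to the whole tree, so the ldapi:// clause above it buys nothing.
access to *
        by sockurl="^ldapi:///$" write
        by * write

# Hardened: accept an unauthenticated bind with a non-empty DN
# (bind_anon_dn) and anonymous update operations (update_anon), which is
# what slapd 2.1 refuses by default with "modifications require
# authentication" (err=1 in the log above). The ACL then limits those
# anonymous writes to peers that connected over the local ldapi:// socket;
# everyone else gets nothing. Add explicit read rules for the specific
# identities that legitimately need them rather than widening "by *".
allow bind_anon_dn update_anon

access to *
        by sockurl="^ldapi:///$" write
        by * none
```

Since slapd's `allow` is global rather than per-listener, the ACL's `by * none` is what keeps anonymous updates from network clients out; check with a non-local anonymous modify that it is actually rejected.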