
Re: Heimdal/OpenLDAP/Samba howto and bugreport



On Thu, 2004-05-27 at 17:53, Love wrote:
> Tarjei Huse <tarjei@nu.no> writes:
> 
> > Ok, when I now try to use kadmin I get the following errors:
> > 2004-05-27T17:06:41 No PA-ENC-TIMESTAMP -- tarjei/admin@NU.NO
> > 2004-05-27T17:06:41 AS-REQ tarjei/admin@NU.NO from IPv4:127.0.0.1 for
> > kadmin/admin@NU.NO
> > 2004-05-27T17:06:41 Bad address list requested -- tarjei/admin@NU.NO
> >
> > To help kerberos find tarjei/admin I had to add an extra uid
> > (uid:tarjei/admin) to the dn that Heimdal looks up.
> Make the address to the kdc not resolve to 127.0.0.1, but your real address
> for the machine, and it should work just fine.
Yep, it did. Thanks for the tip.

Here's the patch, this time with some content. As I said, it adds a
searchbase to the configparams and searches for both account and
inetorgperson instead of just account. If you like the patch, I'll
modify it so that the search will also search for structural_object if
that differs from account.

Now, I've managed to run kadmin add --random-key ldap/<fqdn> without
errors. However I got this error when doing ext:
kadmin> ext host/elprinsessekaja.mail2.bergfald.no
kadmin: krb5_kt_add_entry: failed to add entry to (null)

More is coming.
Btw: I've put the howto here for now:
https://sec.miljovern.no/bin/view/Info/HeimdalKerberosSambaAndOpenLdap
Tarjei

> 
> I'll go through the rest of the issue later, now food.
> 
> Love
--- hdb-ldap.c.orig	2004-05-27 17:10:44.000000000 +0200
+++ hdb-ldap.c	2004-05-28 11:19:01.000000000 +0200
@@ -53,7 +53,7 @@
 static const char *default_structural_object = "account";
 static char *structural_object;
 static krb5_boolean samba_forwardable;
-
+static char *searchbase;
 /*
  *
  */
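Review bot: the blank line that separated the static declarations from the comment block below is replaced by the new declaration rather than kept, so `static char *searchbase;` now butts directly against `/*`; keep a blank line after the new declaration to match the file's existing spacing. Since `searchbase` is file-scope static it starts out NULL, which is relevant to the `ldap_search_s` call later in the patch: any lookup that runs before the initialisation block has set it will search with a NULL base (i.e. the ldap.conf default), so make sure that ordering is intended.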
@@ -469,8 +469,8 @@
 	}
     }
 
-    if (is_heimdal_entry && ent->kvno != orig.kvno) {
-	rc = asprintf(&tmp, "%d", ent->kvno);
+	if (is_heimdal_entry && (ent->kvno != orig.kvno || is_new_entry)) {
+    rc = asprintf(&tmp, "%d", ent->kvno);
 	if (rc < 0) {
 	    krb5_set_error_string(context, "asprintf: out of memory");
 	    ret = ENOMEM;
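Review bot: the indentation is swapped in the two replacement lines: the `if` gained a leading tab while `rc = asprintf(&tmp, "%d", ent->kvno);` lost one, so the body no longer lines up with the `if (rc < 0) {` that follows; restore the original layout (`if` at four spaces, body at one tab). The functional change, also writing the kvno attribute when `is_new_entry` is set, reads correctly, but the hunk does not show where `is_new_entry` is declared or assigned; confirm it is initialised on every path through this function before the condition is evaluated.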
@@ -804,9 +804,9 @@
 	filter = NULL;
 	ldap_msgfree(*msg);
 	*msg = NULL;
-	
+	/* TODO: instead of just account and inetorgperson we should allow for a list of objects. */
 	rc = asprintf(&filter,
-		      "(&(objectclass=account)(uid=%s))",
+		      "(&(|(objectclass=account)(objectclass=inetorgperson))(uid=%s))",
 		      userid);
 	if (rc < 0) {
 	    krb5_set_error_string(context, "asprintf: out of memory");
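Review bot: the new filter still interpolates `userid` with a bare `%s`, as the old one did, so a uid containing filter metacharacters (`*`, `(`, `)`, `\`) changes the meaning of the query instead of being matched literally. That was already the case, but widening the match to `inetorgperson`, a class commonly used for ordinary user accounts, makes it worth escaping `userid` according to the LDAP filter string rules (RFC 2254) or rejecting such characters before calling `asprintf`. Separately, the TODO about a configurable list of object classes should build on the `structural_object` setting already declared at the top of the file, as the cover letter suggests, rather than hard-coding a second class here.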
@@ -818,7 +818,7 @@
 	if (ret)
 	    goto out;
 
-	rc = ldap_search_s(HDB2LDAP(db), db->hdb_name, LDAP_SCOPE_SUBTREE, 
+	rc = ldap_search_s(HDB2LDAP(db), searchbase, LDAP_SCOPE_SUBTREE, 
 			   filter, krb5kdcentry_attrs, 0, msg);
 	if (rc != LDAP_SUCCESS) {
 	    krb5_set_error_string(context, "ldap_search_s: %s",
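Review bot: `searchbase` replaces `db->hdb_name` here, but the comment in the initialisation hunk says the search base is only meant for the Samba entries while "normal" principals stay where they are; this is the uid lookup fed by the account/inetorgperson filter, so either that description or the scope of this change should be adjusted so they agree. Also, the trailing whitespace after `LDAP_SCOPE_SUBTREE, ` is carried over from the original line; trim it while the line is being touched.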
@@ -1724,6 +1724,29 @@
     (*db)->hdb__del = NULL;
     (*db)->hdb_destroy = LDAP_destroy;
 
+    /* hdb-ldap-searchbase
+     * If set: Use that when looking for sambaentries ("normal" principals stay where they are)
+     * Else: Try to use hdb->name, as that's what was done earlier.
+     * If hdb->name is null, it will look in /etc/openldap/ldap.conf as this is the default way for OpenLdap.
+     * */
+    if (searchbase == NULL) {
+    const char *e;
+
+    e = krb5_config_get_string(context, NULL, "kdc",
+                   "hdb-ldap-searchbase", NULL);
+    if (e == NULL) {
+        e = (*db)->hdb_name;
+    }
+    searchbase = strdup(e);
+    if (searchbase == NULL) {
+        krb5_set_error_string(context, "malloc: out of memory");
+        return ENOMEM;
+    }
+    free (e);
+    }
+
+    
+
     return 0;
 }
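Review bot: `free (e);` frees memory the caller does not own. `krb5_config_get_string` returns a pointer into the parsed configuration, and `(*db)->hdb_name` belongs to the HDB handle and is released again on destroy, so this either corrupts the configuration data or produces a double free (and because `e` is `const char *` the call also warns). Drop the `free` entirely; `strdup` has already made the private copy. Second, the comment says a NULL `hdb_name` should fall through to the ldap.conf default, but `strdup(NULL)` is undefined behaviour; guard it, e.g. `if (e != NULL) { searchbase = strdup(e); if (searchbase == NULL) { ... return ENOMEM; } }`, so `searchbase` simply stays NULL in that case. Style points: the body of `if (searchbase == NULL) {` is not indented relative to the `if`, the comment refers to `hdb->name` where the field is `hdb_name`, and the hunk adds two whitespace-only lines before `return 0;`.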