
Re: ldap <--> heimdal again



On Mon, Mar 14, 2005 at 06:05:28PM +0500, Ilia Chipitsine wrote:
> >	I use:
> >
> >/etc/rc.conf:
> ># LDAP
> >slapd_enable="YES"
> >slapd_flags='-d 255 -h "ldapi:/// ldap:/// ldaps:///"'
> >slapd_sockets="/var/run/openldap/ldapi"
> 
> yeah! :-)
> there's a guy running FreeBSD as well and he is going to help me!
> 
> ... hmm, so, slapd is listening at /var/run/openldap/ldapi socket ?
> that is default socket and I checked, before I changed rc.conf options to
> /var/lib/ldapi, my installation of slapd was definitely listening on it!
> 
> >>>collection.
> >>>
> >>>1) how can I specify path to the socket openldap is listening on ?
> >
> >	In /etc/rc.conf ( FreeBSD box )
> 
> the question was "how does heimdal recognize where to look for that socket 
> ?"

	Hardcoded in 
	/usr/ports/security/heimdal/work/heimdal-0.6.3/lib/hdb/hdb-ldap.c

	rc = ldap_initialize((LDAP **) & db->db, "ldapi:///");

> 
> >>>It seems that it's expecting /var/heimdal/kdc.conf, where can I find
> >>>information on configuring that file ?
> >
> >	I configured the kdc in /etc/krb5.conf
> >
> >[kdc]
> >   database = {
> >       realm = UNICAMP.BR
> >       dbname = ldap:ou=kerberos,dc=yyyy,dc=xx
> >       mkey_file = /xxxx/heimdal/m-key
> >       acl_file = /xxxx/heimdal/kdc.acl
> >       log_file = /xxxx/heimdal/db.log
> >   }
> 
> pretty much looks like my configuration!
> 
> but it doesn't say anything about /var/run/openldap/ldapi ... so, how
> does heimdal know where to find the socket ?

	Hardcoded

> 
> also, I attached kdc.log (krb5kdc.log in my case), heimdal complains
> that file could not be found. Is it ok with your config ?

	Yes
	I think! :-)

	kdc-database-log_file is /xxxx/heimdal/db.log and
	kdc-messages-log is SYSLOG

[logging]
    kdc = SYSLOG
    admin_server = SYSLOG
    default = SYSLOG

See http://www.opentechnet.com/auth-howto/ ; it is a good read

> 
> >
> >
> >>>
> >>>3) It seems that heimdal cannot find ldap configuration. What did I do
> >>>wrong ?
> >
> >	You can create link to /etc/ldap.conf
> >
> >	ln -s /usr/local/etc/openldap/ldap.conf /etc/ldap.conf
> 
> so, heimdal also requires /etc/ldap.conf ?
> 
> hmm, why doesn't it complain that it cannot find such a file then ?

	I don't know
> 
> >
> >>>
> >>>4) when I tried to initialize database
> >
> >	Include the following acl for installation
> >
> >	access to *
> >       by sockurl="ldapi:///" write
> 
> yes, that is already done. thanks.
> 
> >
> >>>
> >>>sol# kadmin -l
> >>>kadmin> init CHEL.SKBKONTUR.RU
> >>>Realm max ticket life [unlimited]:
> >>>Realm max renewable ticket life [unlimited]:
> >>>kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server
> >>>sol#
> >>>
> >>>it seems there are errors, but how can I make it more verbose ?
> >>>I see nothing strange in logs, so I've no idea what did I do wrong.
> >>>Somebody, please, enlighten me, how can I turn on debugging ?
> >>>
> >>>Cheers,
> >>>Ilia Chipitsine
> >>>
> >
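A small diagnostic helper for the socket mismatch discussed in this thread, added here as an example and not taken from the thread, Heimdal or OpenLDAP. It assumes LIBLDAP_DEFAULT_LDAPI (/var/run/openldap/ldapi) is the libldap compile-time default that the hardcoded `ldap_initialize(..., "ldapi:///")` ends up using; `ldapi_url_to_path`, `kdc_socket_matches_slapd` and `probe_ldapi` are hypothetical names.

```shell
#!/bin/sh
# Heimdal's hdb-ldap opens "ldapi:///" with an empty path, so the socket it
# connects to is libldap's built-in default, not whatever slapd_flags or
# slapd_sockets in rc.conf say. The default below is an assumption; it can
# be overridden from the environment.
LIBLDAP_DEFAULT_LDAPI="${LIBLDAP_DEFAULT_LDAPI:-/var/run/openldap/ldapi}"

# Map an ldapi:// URL to the filesystem path it denotes. An empty authority
# means the libldap default; otherwise the authority is the percent-encoded
# absolute socket path (only %2F is decoded here, which is all a path needs).
ldapi_url_to_path() {
    host=${1#ldapi://}
    host=${host%%/*}
    if [ -z "$host" ]; then
        printf '%s\n' "$LIBLDAP_DEFAULT_LDAPI"
    else
        printf '%s\n' "$host" | sed 's/%2[fF]/\//g'
    fi
}

# Given the URL list handed to slapd -h, report whether any ldapi: entry
# resolves to the same socket the KDC will open. Returns 0 on match, 1 if
# slapd listens only elsewhere (the /var/lib/ldapi situation in the thread).
kdc_socket_matches_slapd() {
    kdc_sock=$(ldapi_url_to_path 'ldapi:///')
    for url in $1; do
        case $url in
            ldapi:*) [ "$(ldapi_url_to_path "$url")" = "$kdc_sock" ] && return 0 ;;
        esac
    done
    return 1
}

# Live check against a running slapd: the socket exists and a SASL EXTERNAL
# bind over it succeeds, which is the identity the sockurl ACL keys on.
probe_ldapi() {
    sock=$(ldapi_url_to_path 'ldapi:///')
    [ -S "$sock" ] || { echo "no socket at $sock"; return 1; }
    ldapsearch -H ldapi:/// -Y EXTERNAL -b '' -s base -LLL >/dev/null 2>&1
}
```

`kdc_socket_matches_slapd "ldapi:/// ldap:/// ldaps:///"` succeeds for the rc.conf shown above, while a slapd moved to `ldapi://%2Fvar%2Flib%2Fldapi` fails the check, which is the "Can't contact LDAP server" case.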