
heimdal-0.6.5 / hdb-ldap / kadmin remote

Hi,

We are seeing strange behaviour when accessing kadmin remotely with the hdb-ldap
backend, and I have no more ideas what to do.


Problem description:

heimdal-0.6.5 on SLES9 ppc64
kadmin does not allow remote kadmin in conjunction with the hdb-ldap backend.

The kadmind.acl seems to be correct, because if we switch to the heimdal.db
file, remote kadmin works fine.
The ldap backend seems to work correctly, because with kadmin -l we can see
all the principals, and kinit / afslog / gssapi / etc. also work as
expected.

The SASL regexp also seems to be correct; in the log I see the
correct user accessing via ldapi.

What I am wondering about is:

1) sure: why does remote kadmin not work (am I missing something, a patch?
wrong config?), and am I alone with this problem?
2) why is LDAP_SEARCH_ONELEVEL implemented in hdb-ldap.c and not
LDAP_SEARCH_SCOPE (for testing I used an unmodified version of hdb-ldap.c,
but the patch is already there :) )

A little hint, or help would be great.

Thanks a lot in advance

Marco Hoehle

P.S.: I don't want to use this in a samba environment. But maybe it's
something with the filter ?


Here are the logs of a failed session:

kadmin> list *
kadmin: get *: Operation requires `get' privilege
kadmin>

---------------- kadmind.log -----------------------
2005-11-25T15:54:43 admin/admin@UNIX.ZURICH.IBM.COM: LIST *
2005-11-25T15:54:43 LIST: ldap_search_s: No such object
2005-11-25T15:54:43 admin/admin@UNIX.ZURICH.IBM.COM: GET *@UNIX.ZURICH.IBM.COM
2005-11-25T15:54:43 GET: Operation requires `get' privilege

------------------ kadmind.acl ---------------------
admin/admin@UNIX.ZURICH.IBM.COM all

------------------ kadmin -l -------------------------
kadmin> list *admin*
  kadmin/changepw@UNIX.ZURICH.IBM.COM
  kadmin/admin@UNIX.ZURICH.IBM.COM
  kadmin/hprop@UNIX.ZURICH.IBM.COM
  admin/admin@UNIX.ZURICH.IBM.COM
kadmin>

----------------------- kdc.conf /krb5.conf -------------
database = {
                realm  = UNIX.ZURICH.IBM.COM
                dbname = ldap:ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com
                mkey_file = /var/heimdal/m-key
                log_file = /var/heimdal/ldap.log
}

------------------------ ldap logfile snippet for kadmin -l ---
Nov 25 15:57:22 font slapd[10844]: conn=1522 fd=13 ACCEPT from PATH=§   ^DF (PATH=/var/run/slapd/ldapi)
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=0 BIND dn="" method=163
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=0 BIND authcid="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth@UNIX.ZURICH.IBM.COM"
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=0 BIND dn="krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"
mech=EXTERNAL ssf=0
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=1 SRCH base="ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com" scope=2 deref=0
filter="(objectClass=krb5KDCEntry)"
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=1 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm krb5KeyVersionNumber krb5Key krb5ValidStart
krb5ValidEnd krb5PasswordEnd krb5MaxLife krb5MaxRenew krb5KDCFlags krb5EncryptionType modifiersName modifyTimestamp creatorsName createTimestamp
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=2 SRCH base="krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"
 scope=0 deref=0 filter="(objectClass=krb5Principal)"
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=2 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm modifiersName modifyTimestamp creatorsName
createTimestamp
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=1 SEARCH RESULT tag=101 err=0 nentries=7 text=
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov 25 15:57:22 font slapd[10844]: conn=1522 op=3 SRCH base="krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"
 scope=0 deref=0 filter="(objectClass=krb5Principal)"
... etc ...
--------------------------- ldap logfile snippet for kadmin (remote) -----

Nov 25 15:58:47 font slapd[10844]: conn=1537 fd=13 ACCEPT from PATH=§   ^DF (PATH=/var/run/slapd/ldapi)
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=0 BIND dn="" method=163
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=0 BIND authcid="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth@UNIX.ZURICH.IBM.COM"
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=0 BIND dn="krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"
mech=EXTERNAL ssf=0
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=1 SRCH base="ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com" scope=2 deref=0
filter="(&(objectClass=krb5KDCEntry)(krb5PrincipalName=kadmin/admin@UNIX.ZURICH.IBM.COM))"
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=1 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm krb5KeyVersionNumber krb5Key krb5ValidStart
krb5ValidEnd krb5PasswordEnd krb5MaxLife krb5MaxRenew krb5KDCFlags krb5EncryptionType modifiersName modifyTimestamp creatorsName createTimestamp
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=2 SRCH base="krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"
 scope=0 deref=0 filter="(objectClass=krb5Principal)"
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=2 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm modifiersName modifyTimestamp creatorsName
createTimestamp
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=2 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=3 SRCH base="krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"
 scope=0 deref=0 filter="(objectClass=krb5Principal)"
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=3 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm modifiersName modifyTimestamp creatorsName
createTimestamp
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
Nov 25 15:58:47 font slapd[10844]: conn=1537 op=4 UNBIND
Nov 25 15:58:47 font slapd[10844]: conn=1537 fd=13 closed
-----------------------------------------------------------------------------------
--- sasl regexp -------- ldapi mapping
saslRegexp
    "uidnumber=0\\\+gidnumber=.*,cn=peercred,cn=external,cn=auth.*"
    "krb5PrincipalName=admin/admin@unix.zurich.ibm.com,ou=kdc,dc=unix,dc=zurich,dc=ibm,dc=com"