Re: heimdal-0.6.5 / hdb-ldap / kadmin remote

Marco Hoehle <MHO@zurich.ibm.com> writes:

> Hi,
> we have strange behaviour when accessing kadmin remotely with the hdb-ldap
> backend and I have no more ideas what to do.
> Problem description:
> heimdal-0.6.5 on SLES9 ppc64
> kadmin does not allow remote kadmin in conjunction with the hdb-ldap backend.
> The kadmind.acl seems to be correct, because if we switch to the heimdal.db
> file, remote kadmin works fine.
> The ldap backend seems to work correctly, because with kadmin -l we can see
> all the principals, and kinit / afslog / gssapi / etc. are also working as
> expected.
> The SASL regexps seem to be correct; in the log I see the correct user
> accessing via ldapi.
> What I am wondering about is:
> 1) sure: why does remote kadmin not work (am I missing something, a patch?
> wrong config?), and am I alone with this problem?

Not sure, did you ever find out the answer? If not, care to set a breakpoint
in _kadm5_acl_check_permission() and try to figure out what goes wrong?

> 2) why is LDAP_SEARCH_ONELEVEL implemented in hdb-ldap.c and not
> LDAP_SEARCH_SCOPE (for testing I used an unmodified version of hdb-ldap.c,
> but the patch is already there :) )

I've changed this to LDAP_SEARCH_SCOPE in 0.7.
