
[manpage PATCH] Re: ldap backend syntax



On Thu, Mar 16, 2006 at 11:38:45AM -0300, Andreas Hasenack wrote:
> On Thu, Mar 16, 2006 at 10:59:00AM -0300, Andreas Hasenack wrote:
> > version 0.7.2 on linux
> > 
> > I'm using this in krb5.conf, according to the documentation at heimdal's
> > site:
> > [kdc]
> >         database = {
> >                 dbname = ldap:ou=People,dc=mycnc,dc=com
> >         }
> >         #hdb-ldap-structural-object = person
> >         hdb-ldap-create-base = ou=people,dc=mycnc,dc=com
> > 
> > The weird thing is that there is a *file* called
> > "ldap:ou=People,dc=mycnc,dc=com" in /var/heimdal and, it seems, wherever
> > I happen to run "kadmin -l" from (when running init). Is this syntax
> > correct?
> > 
> > Furthermore, while strace()ing kadmind for another problem, I noticed it
> > tries to open this "ldap:ou=People,dc=mycnc,dc=com" in the current
> > directory.
> > 
> > I have a feeling this syntax is incorrect... Or is it not? Is this
> > expected?
> 
> This seems so wrong... Excerpt from strace of kadmind:
> 10428 time(NULL)                        = 1142519719
> 10428 open("ldap:ou=People,dc=mycnc,dc=com.mkey", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
> 10428 socket(PF_FILE, SOCK_DGRAM, 0)    = 4
> 10428 open("ldap:ou=People,dc=mycnc,dc=com.acl", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
> 10428 read(0, "\0\0\0\\", 4)            = 4
> 
> The other problem I was having was kadmind ignoring my acls (that's why I was stracing it).
> Turns out that if I rename kadmind.acl to ldap:ou=People,dc=mycnc,dc=com.acl it works.

The default values are not what the manpage says. That is, if
not supplied, acl_file defaults to the database name + ".acl".

May I suggest the following patches to krb5.conf.5 and kadmind.8:

--- heimdal-0.7.2/lib/krb5/krb5.conf.5.orig     2006-03-16 14:38:16.000000000 -0300
+++ heimdal-0.7.2/lib/krb5/krb5.conf.5  2006-03-16 14:40:30.000000000 -0300
@@ -363,8 +363,11 @@
 If not specified
 .Va DATABASENAME Ns .mkey
 will be used.
-.It Li acl_file Li = PA FILENAME
+.It Li acl_file Li = Pa FILENAME
 Use this file for the ACL list of this database.
+If not specified
+.Va DATABASENAME Ns .acl
+will be used.
 .It Li log_file Li = Pa FILENAME
 Use this file as the log of changes performed to the database.
 This file is used by
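Review bot: the new "If not specified .Va DATABASENAME Ns .acl will be used." text gives only a bare name, while the strace quoted above shows kadmind opening "ldap:ou=People,dc=mycnc,dc=com.acl" relative to its current directory; it would help to state where a relative DATABASENAME is resolved, or to use the full-path form "/var/heimdal/DATABASENAME.acl" that the kadmind.8 hunk uses, so the two manpages agree. The "PA" to "Pa" macro fix on the acl_file line is correct and matches the "Pa FILENAME" used for log_file just below.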
--- heimdal-0.7.2/kadmin/kadmind.8.orig 2006-03-16 14:42:17.000000000 -0300
+++ heimdal-0.7.2/kadmin/kadmind.8      2006-03-16 14:44:18.000000000 -0300
@@ -84,8 +84,9 @@
 .Pp
 Principals are always allowed to change their own password and list
 their own principal.  Apart from that, doing any operation requires
-permission explicitly added in the ACL file
-.Pa /var/heimdal/kadmind.acl .
+permission explicitly added in the ACL file which, if not specified
+otherwise in krb5.conf, is
+.Pa /var/heimdal/DATABASENAME.acl .
 The format of this file is:
 .Bd -ragged
 .Va principal
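Review bot: the added sentence should name the krb5.conf option that overrides the default so a reader can find it, e.g. "if not set with acl_file in the database section of krb5.conf, is .Pa /var/heimdal/DATABASENAME.acl ."; a comma before "which" would also mark the clause as non-restrictive. Note that this hunk hardcodes the /var/heimdal prefix while the krb5.conf.5 hunk says only "DATABASENAME.acl", and the strace in the thread shows the file being opened relative to the working directory, so one of the two descriptions is inaccurate for a dbname without a directory component.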
@@ -155,7 +156,7 @@
 .El
 .\".Sh ENVIRONMENT
 .Sh FILES
-.Pa /var/heimdal/kadmind.acl
+.Pa /var/heimdal/DATABASENAME.acl
 .Sh EXAMPLES
 This will cause
 .Nm
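Review bot: in the FILES section the replacement ".Pa /var/heimdal/DATABASENAME.acl" reads as a literal path; marking the variable part as an argument, e.g. ".Pa /var/heimdal/ Ns Ar DATABASENAME Ns .acl", would make clear that DATABASENAME is a placeholder, matching how the krb5.conf.5 hunk sets it with .Va. The hunk's context lines are unchanged and the surrounding .Sh structure is intact.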