[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: hdb-ldap backend and Samba integration

On Wed, 2006-12-13 at 16:39 +0100, Laurent Pinchart wrote:
> Hi everybody.
> Disclaimer: I'm new to Heimdal and Kerberos in general. Despite having read 
> lots of documentation (down to the Kerberos RFCs), I might still ask 
> newbie-level questions.
> I'm trying to setup Heimdal, LDAP and Samba to play together. After a week 
> spent reading various sources of documentation, and installing a Heimdal 
> Kerberos KDC, I think I found the right way to go.
> I installed OpenLDAP-2.3.29, Heimdal-0.7.2 and Samba. Heimdal is configured 
> with the LDAP backend, which works properly. I'm able to add principals to 
> the realm, things are fine so far.
> To integrate Heimdal and Samba, I plan to use the smbk5pwd overlay on OpenLDAP 
> which changes all the user credentials (Samba hashes and Kerberos hashes) 
> itself when an password change extended operation is requested. This requires 
> Heimdal principal information and Samba account information to be stored in a 
> single common entry in the LDAP directory.

Has someone revived that module?  I asked for it to be written, then
never actually used it.  Last I heard it has bitrotted.  It would be
great news it if was going again.

> To achieve that, I tried to set hdb-ldap-structural-object to inetOrgPerson 
> instead of the default value "account". I ran into two problems.
> First, the directive should be inside the database = { ... } group according 
> the documentation. However, I found out that Heimdal-0.7.2 looks in the [kdc] 
> section itself. Is that a bug ?
> Then, after successfully setting hdb-ldap-structural-object to inetOrgPerson 
> in the configuration file, OpenLDAP complains when adding a principal.
> root@kdc:~# kadmin -l
> kadmin> add laurent
> Max ticket life [1 day]:
> Max renewable life [1 week]:
> Principal expiration time [never]:
> Password expiration time [never]:
> Attributes []:
> laurent@TECHNOTRADE.BIZ's Password:
> Verifying - laurent@TECHNOTRADE.BIZ's Password:
> kadmin: kadm5_create_principal: ldap_add_s: laurent@TECHNOTRADE.BIZ 
> (dn=krb5PrincipalName=laurent@TECHNOTRADE.BIZ,ou=People,dc=technotrade,dc=biz) 
> Object class violation: object class 'inetOrgPerson' requires attribute 'sn'
> kadmin: adding laurent: Insufficient access to lock database
> Nothing wrong there in OpenLDAP. The sn attribute is required. I'm 
> unfortunately blocked by the problem.
> What should I do ? Should I use another object class ? Should kadmin somehow 
> set the sn attribute ? Should I use another method to add a principal ? 

You should add the principal using your normal LDAP administration
tools, so that you can fill in many more details.  Then add the kerberos
bits with kadmin, if you can't do that any other way.  

Andrew Bartlett
Andrew Bartlett <abartlet@samba.org>

This is a digitally signed message part