
Again: Question about Openldap 2.2.x & Heimdal 0.6-LDAP-backend



Hi everybody,

I'm fighting with the problem of how to configure
Heimdal 0.6 to use openldap-2.2.x as backend.

First - as always - my setup :

Suse Linux 8.2
openssl 0.9.6l
openldap-2.2.4
heimdal 0.6


Here's my slapd.conf :

---snipp---
include /usr/local/ldap-2.2/etc/openldap/schema/core.schema
include /usr/local/ldap-2.2/etc/openldap/schema/corba.schema
include /usr/local/ldap-2.2/etc/openldap/schema/cosine.schema
include /usr/local/ldap-2.2/etc/openldap/schema/dyngroup.schema
include /usr/local/ldap-2.2/etc/openldap/schema/inetorgperson.schema
include /usr/local/ldap-2.2/etc/openldap/schema/java.schema
include /usr/local/ldap-2.2/etc/openldap/schema/krb5-kdc-stanford.schema
include /usr/local/ldap-2.2/etc/openldap/schema/misc.schema
include /usr/local/ldap-2.2/etc/openldap/schema/nis.schema
include /usr/local/ldap-2.2/etc/openldap/schema/openldap.schema
include /usr/local/ldap-2.2/etc/openldap/schema/samba.schema

TLSCACertificateFile  /etc/certificates/cacert.pem
TLSCertificateFile    /etc/certificates/pentium200cert.pem
TLSCertificateKeyFile /etc/certificates/pentium200key.pem
TLSVerifyClient       try

pidfile		/usr/local/ldap-2.2/var/run/slapd.pid
argsfile	/usr/local/ldap-2.2/var/run/slapd.args

modulepath	/usr/local/ldap-2.2/libexec/openldap
moduleload	back_bdb.la
moduleload	back_monitor.la

database	bdb
suffix		"dc=hrnet,dc=de"
rootdn		"cn=ldapmanager,dc=hrnet,dc=de"
rootpw		blahblah
directory	/usr/local/ldap-2.2/var/openldap-data
index	objectClass	eq

access to *
       by sockurl="^ldapi:///$" write


database	monitor
suffix		"dc=monitor"
rootdn		"cn=ldapmanager,dc=monitor"
rootpw		secret

access to *
       by * read
---snipp---

Here's my krb5.conf :

---snipp---
[libdefaults]
        default_realm = HRNET.DE
	clockskew = 300
	gss_mit_compat = true
	
[realms]
	HRNET.DE = {
		kdc            = pentium200.hrnet.de
		kpasswd_server = pentium200.hrnet.de
		admin_server   = pentium200.hrnet.de
	}

[domain_realm]
	.my.domain = HRNET.DE

[kdc]
        database = {
          dbname = ldap:ou=KerberosPrincpals,o=myorganization,dc=hrnet,dc=de
          mkey_file = /var/heimdal/m-key
        }
	
---snipp---

So, any mistake in the configuration?
I can't find one, as it's configured as described
on www.padl.com ...

I try to init my REALM:

---snipp---
Pentium200:/usr/local/heimdal/sbin # ./kadmin -l
kadmin> init HRNET.DE
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: kadm5_create_principal: ldap_add_s: Strong(er) authentication required
Pentium200:/usr/local/heimdal/sbin #
---snipp---

You see the error message: stronger authentication is required.

Here's what's shown in the log file of slapd when trying the above:

---snipp---
[..]
Feb 10 21:50:39 Pentium200 slapd-master[804]: conn=23 op=0 SRCH base="ou=KerberosPrincpals,o=myorganization,dc=hrnet,dc=de" scope=1 deref=0 filter="(&(objectClass=krb5KDCEntry)(krb5PrincipalName=default@HRNET.DE))"
Feb 10 21:50:39 Pentium200 slapd-master[804]: conn=23 op=0 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm krb5KeyVersionNumber krb5Key krb5ValidStart krb5ValidEnd krb5PasswordEnd krb5MaxLife krb5MaxRenew krb5KDCFlags krb5EncryptionType modifiersName modifyTimestamp creatorsName createTimestamp
Feb 10 21:50:39 Pentium200 slapd-master[804]: conn=23 op=0 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 10 21:50:39 Pentium200 slapd-master[805]: conn=23 op=1 ADD dn="cn=default@hrnet.de,ou=KerberosPrincpals,o=myorganization,dc=hrnet,dc=de"
Feb 10 21:50:39 Pentium200 slapd-master[805]: conn=23 op=1 RESULT tag=105 err=8 text=modifications require authentication
Feb 10 21:50:39 Pentium200 slapd-master[805]: conn=23 op=2 UNBIND
Feb 10 21:50:39 Pentium200 slapd-master[805]: conn=23 fd=13 closed
---snipp---


"modifications require authentication" is nearly the same as the error message
from kadmin says ...

Okay, so please tell me how I can configure a stronger configuration.


greets Harry
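Editor's note with an added example (not part of Harry's post, and not taken from the padl.com write-up): the slapd log above answers the question. `err=8` is LDAP_STRONG_AUTH_REQUIRED, which the Heimdal client reports as "Strong(er) authentication required", and the text "modifications require authentication" is what OpenLDAP 2.2 returns when an unauthenticated (anonymous) session tries an ADD or MODIFY. slapd applies that check before it evaluates any `access to` rule, so the `by sockurl="^ldapi:///$" write` clause in the posted slapd.conf never gets a chance to grant the write. The fragments below show the global option that lets the posted ACL work, the caveat that comes with it, and a tighter alternative. Option B assumes the KDC binds with SASL EXTERNAL over the ldapi socket and that slapd maps the peer's uid/gid to a `cn=peercred` DN; both are documented for later OpenLDAP and Heimdal releases, and whether Heimdal 0.6 does that bind is not something the post establishes.

```conf
# Added example (editor's, not from the post or padl.com): slapd.conf
# fragments for OpenLDAP 2.2 addressing
#   RESULT tag=105 err=8 text=modifications require authentication
#
# slapd 2.2 refuses every update from an anonymous session before it looks
# at "access to" rules, so a sockurl ACL alone cannot authorise the KDC.

### Option A: minimal change that makes the posted ACL effective.
### "allow" is a global directive: put it before the first "database" line.
allow   update_anon

### Posted ACL, unchanged. Anonymous writes are now accepted, but only on
### connections that arrived over the local ldapi:// socket.
access to *
       by sockurl="^ldapi:///$" write

### Caveat for Option A: any local process that can open the ldapi socket
### can now rewrite krb5Key values. Confine the socket to a directory only
### root (or the KDC user) can enter, e.g. start slapd with
###   -h "ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/"
### and set that directory's mode accordingly.

### Option B (assumption: KDC binds with SASL EXTERNAL over ldapi, so slapd
### derives a peercred DN from the client's uid/gid; uid 0 / gid 0 shown).
### Write access is then tied to a specific local identity instead of to
### "whoever reached the socket", and "allow update_anon" is not needed.
access to dn.subtree="ou=KerberosPrincpals,o=myorganization,dc=hrnet,dc=de"
       by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
       by * none

### Checks from the KDC host:
###   ldapwhoami -H ldapi:/// -Y EXTERNAL     # DN slapd sees for this peer
###   ldapadd -H ldapi:/// -x -f test.ldif    # anonymous: reproduces err=8
###                                           # without Heimdal involved
```

With Option A the security boundary is the filesystem permission on the socket; with Option B it is the peer uid that slapd reads from the socket, which is the stronger of the two when the client supports it.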