
RE: kadmin: kadm5_create_principa: ldap_add_s: Can't contact LDAP server



I'm confused now...
I've posted a question 'which mechanism is used to
store the principals' credentials in ldap backend' on
this mailing list a few days ago (see the excerpts of
the discussion below). And from the discussion, I
concluded that it's simple bind.

Or maybe I misunderstood what Gémes Géza means. Maybe
the storing is done with the SASL/EXTERNAL mech while
searching is done using simple bind?

Anyway, initialising the database using kadmin still results in
kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server.

# kadmin -l
kadmin> init LARAS.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server

-lara-

Below is the excerpt of the mail:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Lara Adianto wrote:
| Hi Geza,
|
| Will it work in Linux platform as well ?
| I have read the HOWTO on the link you provided
actually.
| But it doesn't really satisfy me :-)
|
| kdc# ldapsearch -L -h localhost -D cn=manager \
|   -w secret -b ou=KerberosPrincipals,dc=padl,dc=com \
|   'objectclass=krb5KDCEntry'
|
| Does it mean that we MUST use simple bind?

Yes, but it is over a 700 mode uid 0 and gid 0 socket file, so it is
not less secure than accessing a root-owned file-based kerberos
database. Anyway kerberos is a protocol designed to solve the problem of
some secure hosts connected by an insecure network. So if your KDC
machine gets compromised anything is lost no matter if you are using
LDAP or not.

| Thank you,
| lara
| Gémes Géza <geza@kzsdabas.sulinet.hu> wrote:
|
| Lara Adianto wrote:
| | Hi,
| |
| | This is probably a basic question but well, I haven't
| | got any satisfactory information on the net, so I post
| | it anyway here.
| |
| | I read somewhere on the net that using ldap as the
| | backend of heimdal might degrade the security features
| | of kerberos. Is this right? If yes, then in which
| | situation would we prefer to use the ldap backend instead
| | of the local database?
| |
| | Using ldap as heimdal's backend, how would the
| | search be conducted through ldap? With simple bind?
| | SASL mechanism?
| |
| With proper access control lists defined in the ldap
| configuration the risk is minimal. The LDAP connection is
| realized over a UNIX domain socket, so Heimdal and the LDAP
| server must run on the same host.
| Recommended reading:
| http://www.padl.com/Research/Heimdal.html


Cheers,

Geza
--- Howard Chu <hyc@highlandsun.com> wrote:
> Exactly.
> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: Lara Adianto [mailto:m1r4cle_26@yahoo.com]
> > Sent: Friday, April 09, 2004 8:46 PM
> > To: Howard Chu
> > Subject: RE: kadmin: kadm5_create_principa: ldap_add_s: Can't contact
> > LDAP server
> > 
> > Hi Howard,
> > 
> > >Furthermore, Heimdal's hdb-ldap backend uses
> > >SASL/EXTERNAL so you must be able to verify this
> > >method using ldapsearch if you want hdb-ldap to
> > >work.
> > 
> > Does this mean that storing the principal's
> > credentials in the LDAP backend is done by using
> > SASL/EXTERNAL and not using simple bind?
> > 
> > -lara-
> > 
> > --- Howard Chu <hyc@highlandsun.com> wrote:
> > > > -----Original Message-----
> > > > From: owner-heimdal-discuss@sics.se
> > > > [mailto:owner-heimdal-discuss@sics.se] On Behalf Of
> > > > Gémes Géza
> > > 
> > > > Recent openldap client software wants to auth by
> > > > sasl by default. Please disable it by specifying the -x
> > > > flag.
> > > >
> > > > ldapsearch -H 'ldapi:///' -x
> > > 
> > > No.
> > > 
> > > Changing the Bind method will not affect an "Unable
> > > to contact the server" error. Obviously if the client
> > > cannot connect, then its choice of Bind method is
> > > irrelevant.
> > > 
> > > Furthermore, Heimdal's hdb-ldap backend uses
> > > SASL/EXTERNAL so you must be able to verify this
> > > method using ldapsearch if you want hdb-ldap to work.
> > > 
> > >   -- Howard Chu
> > >   Chief Architect, Symas Corp.       Director, Highland Sun
> > >   http://www.symas.com               http://highlandsun.com/hyc
> > >   Symas: Premier OpenSource Development and Support
> > > 
> > 
> > 


=====
------------------------------------------------------------------------------------ 
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
                                                                        - Guy de Maupassant -
------------------------------------------------------------------------------------

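As an added example (not part of this thread, and not Heimdal's or OpenLDAP's own code), here is a small POSIX shell diagnostic that separates the three things the thread keeps running together: whether the ldapi socket can be reached at all (Howard's point that "Can't contact LDAP server" is a connection failure, independent of bind method), whether the socket file is locked down the way Geza describes (mode 700, uid 0, gid 0), and whether a SASL/EXTERNAL bind over that socket succeeds (what hdb-ldap relies on, and what Howard says to verify with ldapsearch). The default socket path /var/run/slapd/ldapi is an assumption; the function names check_socket_perms, check_ldapi_socket, check_external_bind and ldapi_diagnose are chosen here.

```shell
#!/bin/sh
# Added diagnostic for a Heimdal hdb-ldap setup over ldapi:///.
# Not from the mailing-list thread; socket path and function names are assumptions.
#   step 1: can we reach the UNIX socket at all ("Can't contact LDAP server" lives here)
#   step 2: is the socket file mode 700, owned by uid 0 / gid 0
#   step 3: does a SASL/EXTERNAL bind over it succeed (what hdb-ldap performs)

LDAPI_SOCKET="${LDAPI_SOCKET:-/var/run/slapd/ldapi}"   # assumed default, override via env

# Pure permission check, kept separate so it can be tested without a live socket.
# Args: octal mode (as printed by stat), uid, gid. Returns 0 only for 700 / 0 / 0.
check_socket_perms() {
    mode=$1; uid=$2; gid=$3
    # Strip leading zeros so "0700" and "700" compare equal.
    mode=$(printf '%s' "$mode" | sed 's/^0*//')
    [ "$mode" = "700" ] && [ "$uid" = "0" ] && [ "$gid" = "0" ]
}

# Steps 1 and 2. Exit status: 0 ok, 1 missing or not a socket, 2 bad permissions.
check_ldapi_socket() {
    sock=$1
    if [ ! -S "$sock" ]; then
        echo "no UNIX socket at $sock: this is what 'Can't contact LDAP server' means" >&2
        return 1
    fi
    # GNU stat first, BSD stat as a fallback.
    st=$(stat -c '%a %u %g' "$sock" 2>/dev/null || stat -f '%Lp %u %g' "$sock")
    set -- $st
    if ! check_socket_perms "$1" "$2" "$3"; then
        echo "socket $sock has mode $1 owner $2:$3, expected 700 0:0" >&2
        return 2
    fi
    return 0
}

# Step 3: the SASL/EXTERNAL bind hdb-ldap itself does. -Y EXTERNAL authenticates by the
# peer credentials on the ldapi socket; -x (simple bind) would test the wrong thing.
# Exit status: 0 ok, 3 ldapsearch not installed, 4 bind failed.
check_external_bind() {
    sock=$1
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed" >&2; return 3; }
    # Percent-encode '/' in the socket path to build the ldapi URL.
    url="ldapi://$(printf '%s' "$sock" | sed 's,/,%2F,g')/"
    if ldapsearch -H "$url" -Y EXTERNAL -b '' -s base -LLL >/dev/null 2>&1; then
        return 0
    fi
    echo "SASL/EXTERNAL bind over $url failed: check slapd's authz-regexp mapping and ACLs" >&2
    return 4
}

# Run the steps in order and stop at the first failure; the exit status says which step.
ldapi_diagnose() {
    check_ldapi_socket "$1" || return $?
    check_external_bind "$1" || return $?
    echo "ldapi socket $1 is reachable, locked down, and accepts SASL/EXTERNAL"
}

# Only run the full diagnosis when a socket path is given on the command line.
if [ -n "${1:-}" ]; then
    ldapi_diagnose "$1"
fi
```

Run it as `sh ldapi-check.sh /var/run/slapd/ldapi` (or whatever path your slapd's ldapi:// URL uses) on the KDC host. An exit status of 1 corresponds to the thread's "Can't contact LDAP server" and means slapd is not listening on that socket, which no change of bind method will fix; 2 means the socket is reachable but not restricted to root as the thread assumes; 4 means the socket works but the EXTERNAL bind hdb-ldap needs is not accepted by slapd.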