Problem with K5KEY implementation
Hello,
I'm having a problem with OpenLDAP using Heimdal Kerberos via the
{K5KEY} entry in userPassword. The problem is with the second KDC: it works
fine on the master LDAP/KDC, just not on the second one.
Some info:
This is an OpenLDAP server with Heimdal storing Kerberos stuff in LDAP.
Master (mblauth01), Slave (mblauth02)
OS: CentOS 5
OpenLDAP 2.3.39
Heimdal 1.0.1
On the second KDC I can use kadmin -l and do klist -l Princ and get
results fine, so I know that the KDC can talk to the LDAP backend via
ldapi.
I don't think it is ACLs because I removed all of them and get the same result.
From a remote machine, if I search the master:

ldapsearch -Z -x -h mblauth01.mbl.edu -b ou=users,dc=mbl,dc=edu -D cn=<some user>,ou=users,dc=mbl,dc=edu -w <krb5 password> cn=<user> cn

I get results.
From a remote machine, if I search the slave:

ldapsearch -Z -x -h mblauth02.mbl.edu -b ou=users,dc=mbl,dc=edu -D cn=<some user>,ou=users,dc=mbl,dc=edu -w <krb5 password> cn=<user> cn

I get:

ldap_bind: Invalid credentials (49)
It doesn't look like the mechanism in LDAP that refers userPassword with
{K5KEY} to the KDC is working on the slave machine. A couple of things might
cause this to fail.
The {K5KEY} entry never made it from the master to the slave via
syncrepl. I verified that the entries are there. I also changed a
password using kadmin cpw and verified that the change was replicated to
the slave, and it was.
Any suggestions on how to troubleshoot this or get it working?
A couple of things about slapd.conf. I added write access to ldapi, which
should be read on the slave. The password-hash directive: I'm not quite sure
what that should be set to. On the master it works fine with this
omitted.
slapd.conf on slave:
include /opt/openldap-2.3.39/etc/openldap/schema/core.schema
include /opt/openldap-2.3.39/etc/openldap/schema/cosine.schema
include /opt/openldap-2.3.39/etc/openldap/schema/inetorgperson.schema
include /opt/openldap-2.3.39/etc/openldap/schema/nis.schema
include /opt/openldap-2.3.39/etc/openldap/schema/autofs.schema
include /opt/openldap-2.3.39/etc/openldap/schema/samba.schema
include /opt/openldap-2.3.39/etc/openldap/schema/RADIUS-LDAPv3.schema
include /opt/openldap-2.3.39/etc/openldap/schema/hdb.schema
#include /opt/openldap-2.3.39/etc/openldap/schema/rfc822.schema
include /opt/openldap-2.3.39/etc/openldap/schema/qmail.schema
include /opt/openldap-2.3.39/etc/openldap/schema/mblPerson.schema
schemacheck on
sasl-realm MBL.EDU
sasl-host mblauth02.mbl.edu
sasl-authz-policy both
sasl-regexp "uidNumber=0\\\+gidNumber=.*,cn=peercred,cn=external,cn=auth"
    "cn=admin,ou=users,dc=mbl,dc=edu"
# loglevel 128 (ACL proc) + 32 (search filter) + 64 (config proc)
# loglevel 256 (stats: log connections/operations/results) + 8 (connection management)
#loglevel 288
loglevel 64
allow bind_v2
#modulepath /opt/openldap-2.3.39/libexec/openldap
# moduleload only loads the module into slapd; smbk5pwd is an overlay, and
# per its README it is instantiated on a database with "overlay smbk5pwd"
# inside that database's section.
moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
pidfile /opt/openldap-2.3.39/var/run/slapd.pid
argsfile /opt/openldap-2.3.39/var/run/slapd.args
# password-hash selects the scheme(s) used when slapd itself stores a password
# during the LDAP Password Modify extended operation; it does not affect how an
# existing {K5KEY} value is verified at bind time.
password-hash {CLEARTEXT} {SSHA} {CRYPT}
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
database hdb
suffix "dc=mbl,dc=edu"
rootdn "cn=admin,ou=users,dc=mbl,dc=edu"
rootpw "secret"
directory /opt/openldap-2.3.39/var/openldap-data
syncrepl rid=111
provider=ldaps://mblauth01.mbl.edu:636
type=refreshAndPersist
interval=00:00:01:00
scope sub
searchbase="dc=mbl,dc=edu"
bindmethod=simple
updatedn="uid=syncrepl,ou=Users,dc=mbl,dc=edu"
binddn="uid=syncrepl,ou=Users,dc=mbl,dc=edu"
credentials=secret
updateref ldaps://mblauth01.mbl.edu:636
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index givenName pres,sub,eq
index uid pres,sub,eq
index sambaPrimaryGroupSID eq
index sambaSID eq
index sambaDomainName eq
index uidnumber eq
index gidNumber eq
index sambaHomePath eq
index entryUUID eq
index automountinformation eq
index proxNumber eq
index krb5PrincipalName,krb5PrincipalRealm eq
index memberUid eq
index default sub
limits dn.exact="uid=Devicemgr,ou=users,dc=mbl,dc=edu"
    size=unlimited
    time=unlimited
limits dn.exact="uid=syncrepl,ou=users,dc=mbl,dc=edu"
    size=unlimited
    time=unlimited
limits dn.exact="uid=onecard,ou=users,dc=mbl,dc=edu"
    size=unlimited
    time=unlimited
access to dn.subtree="ou=users,dc=mbl,dc=edu"
        attrs=userPassword,sambaNTPassword,sambaLMPassword,proxNumber,employeeNumber
    by self read
    by sockurl.exact=ldapi:/// write
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by dn="cn=proxy,ou=users,dc=mbl,dc=edu" read
    by dn="uid=search,ou=users,dc=mbl,dc=edu" read
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by anonymous auth
    by * none
access to dn.subtree="ou=users,dc=mbl,dc=edu"
        attrs=krb5key,krb5EncryptionType,krb5PasswordEnd,krb5KeyVersionNumber,krb5ValidEnd
    by sockurl.exact=ldapi:/// write
    by dn="cn=proxy,ou=users,dc=mbl,dc=edu" read
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by dn="uid=search,ou=users,dc=mbl,dc=edu" read
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by self read
    by * none
access to dn.subtree="ou=Groups,dc=mbl,dc=edu"
    by sockurl.exact=ldapi:/// write
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by dn="uid=search,ou=users,dc=mbl,dc=edu" read
    by dn="cn=proxy,ou=users,dc=mbl,dc=edu" read
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by anonymous auth
    by users read
    by * none
access to dn.subtree="ou=Devices,ou=Network,dc=mbl,dc=edu"
    by sockurl.exact=ldapi:/// write
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by dn="uid=search,ou=users,dc=mbl,dc=edu" read
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by group.exact="cn=mac_admins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by anonymous auth
    by self read
    by * none
access to dn.subtree="ou=Servers,ou=Network,dc=mbl,dc=edu"
    by sockurl.exact=ldapi:/// write
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by dn="uid=search,ou=users,dc=mbl,dc=edu" read
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by anonymous auth
    by self read
    by * none
access to dn.subtree="ou=Computers,ou=Network,dc=mbl,dc=edu"
    by sockurl.exact=ldapi:/// write
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by dn="uid=search,ou=users,dc=mbl,dc=edu" read
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by anonymous auth
    by self read
    by * none
access to *
    by sockurl.exact=ldapi:/// write
    by self read
    by dn="cn=proxy,ou=users,dc=mbl,dc=edu" read
    by dn="uid=syncrepl,ou=users,dc=mbl,dc=edu" write
    by group.exact="cn=sysadmins,ou=SystemGroups,ou=Groups,dc=mbl,dc=edu" read
    by users read
    by * none
# LOW admits export-grade/56-bit ciphers and +SSLv2 admits the SSLv2 suites;
# HIGH alone is the usual setting for a server that carries Kerberos key material.
TLSCipherSuite HIGH:MEDIUM:LOW:+SSLv2+TLSv1
# CA cert file
TLSCACertificateFile /opt/openldap-2.3.39/etc/openldap/cacert.pem
# Signed cert file
TLSCertificateFile /opt/openldap-2.3.39/etc/openldap/newcert.pem
# Private key
TLSCertificateKeyFile /opt/openldap-2.3.39/etc/openldap/newkey.pem
--
Kent L. Nasveschuk
Systems Administrator
Marine Biological Laboratory
7 MBL Street
Woods Hole, MA 02543
Tel. (508) 289-7263
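Two things the post's troubleshooting steps do not check directly: whether the replica's slapd actually instantiates the overlay that implements {K5KEY} binds, and whether the replicated entry carries the same key material as the master's. The slave slapd.conf above loads smbk5pwd.la with moduleload, but the excerpt shows no `overlay smbk5pwd` line in the hdb database section; in OpenLDAP the {K5KEY} scheme is provided by the smbk5pwd overlay (its README configures it with `moduleload` plus `overlay smbk5pwd`), so a database without the overlay cannot verify such a bind. The script below is an added example written for this page, not code from the post or from OpenLDAP: it parses a slapd.conf-style text and reports databases where smbk5pwd is loaded but not instantiated, and it parses the LDIF that `ldapsearch -LLL` prints (base64 `::` values, folded continuation lines) to compare userPassword, krb5Key and krb5KeyVersionNumber between two copies of one entry. The slapd.conf fragments, the LDIF, the DN cn=jdoe and the key bytes are all constructed for the example.

```python
"""Diagnostics for a {K5KEY} replica that rejects simple binds.

Added example, not part of the original mailing-list post. Two checks:

  1. slapd.conf: `moduleload smbk5pwd.la` only loads the module. The {K5KEY}
     bind check is done by the smbk5pwd overlay, which must be instantiated
     inside a database section with `overlay smbk5pwd`.
  2. Replication: the bound entry must carry the same password material on
     master and replica.

All sample input below (conf fragments, LDIF, key bytes) is constructed.
"""
import base64
import re


def slapd_conf_directives(text):
    """Yield (keyword, argument) per logical slapd.conf directive.

    A line starting with whitespace continues the previous directive, as in
    slapd; comments and blank lines are skipped."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    for line in logical:
        parts = line.split(None, 1)
        yield parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def databases_missing_overlay(conf_text, overlay="smbk5pwd"):
    """Suffixes of databases that lack `overlay <name>` while the module is
    loaded; [] when the module is not loaded at all."""
    loaded = False
    databases = []  # [suffix-or-backend, overlay_seen]
    for key, arg in slapd_conf_directives(conf_text):
        if key == "moduleload" and overlay in arg:
            loaded = True
        elif key == "database":
            databases.append([arg, False])
        elif key == "suffix" and databases:
            databases[-1][0] = arg.strip('"')
        elif key == "overlay" and databases and arg.strip('"') == overlay:
            databases[-1][1] = True
    return [suffix for suffix, seen in databases if not seen] if loaded else []


LDIF_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute-lowercase: [bytes, ...]}.

    `attr:: value` is base64 (how ldapsearch prints binary krb5Key); a line
    beginning with a single space continues the previous line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        m = LDIF_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, val = m.groups()
        value = base64.b64decode(val) if sep == "::" else val.encode()
        entry.setdefault(attr.lower(), []).append(value)
    return entry


PASSWORD_ATTRS = ("userpassword", "krb5key", "krb5keyversionnumber")


def compare_entries(master_ldif, replica_ldif, attrs=PASSWORD_ATTRS):
    """{attr: 'ok' | 'differs' | 'missing on replica' | 'missing on master'
    | 'absent on both'} for one entry dumped from both servers."""
    m, r = parse_ldif_entry(master_ldif), parse_ldif_entry(replica_ldif)
    verdict = {}
    for a in attrs:
        if a not in m and a not in r:
            verdict[a] = "absent on both"
        elif a not in r:
            verdict[a] = "missing on replica"
        elif a not in m:
            verdict[a] = "missing on master"
        elif sorted(m[a]) != sorted(r[a]):
            verdict[a] = "differs"
        else:
            verdict[a] = "ok"
    return verdict


def diagnose(conf_text, master_ldif, replica_ldif):
    """Both checks as a list of findings; empty means nothing found."""
    findings = ["database %s: smbk5pwd.la is loaded but 'overlay smbk5pwd' "
                "is not set, so {K5KEY} binds cannot be verified" % s
                for s in databases_missing_overlay(conf_text)]
    findings += ["%s: %s" % (a, state)
                 for a, state in compare_entries(master_ldif, replica_ldif).items()
                 if state != "ok"]
    return findings


# --- constructed sample input -------------------------------------------
REPLICA_CONF = """\
moduleload /opt/openldap-2.3.39/lib/smbk5pwd.la
database hdb
suffix "dc=mbl,dc=edu"
syncrepl rid=111
        provider=ldaps://mblauth01.mbl.edu:636
        type=refreshAndPersist
"""
FIXED_CONF = REPLICA_CONF + "overlay smbk5pwd\n"   # overlay instantiated
KEY_B64 = base64.b64encode(b"key-material-for-example").decode()  # fake key
MASTER_LDIF = """\
dn: cn=jdoe,ou=users,dc=mbl,dc=edu
cn: jdoe
userPassword: {K5KEY}
krb5KeyVersionNumber: 3
krb5Key:: %s
""" % KEY_B64
# Same entry on the replica, with the base64 value folded as ldapsearch does.
REPLICA_LDIF_OK = MASTER_LDIF.replace(
    "krb5Key:: " + KEY_B64, "krb5Key:: " + KEY_B64[:16] + "\n " + KEY_B64[16:])
# Constructed failure: krb5Key never reached the replica.
REPLICA_LDIF_NOKEY = "\n".join(
    l for l in MASTER_LDIF.splitlines() if not l.startswith("krb5Key::")) + "\n"

if __name__ == "__main__":
    for finding in diagnose(REPLICA_CONF, MASTER_LDIF, REPLICA_LDIF_NOKEY):
        print(finding)
```

To run it against real servers, feed `parse_ldif_entry` the output of `ldapsearch -LLL` for the same DN on each host, binding as an identity the ACLs allow to read the krb5 attributes (on the slave config above, ldapi:/// or the sysadmins group), and feed `databases_missing_overlay` the replica's slapd.conf.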