
RE: kadmin: kadm5_create_principa: ldap_add_s: Can't contact LDAP server



The other poster was mistaken. Since I wrote the LDAP Bind code that Heimdal
uses, I can answer definitively.

The fact that your slapd and your ldapsearch use different default paths for
an unqualified ldapi:// URL indicates that they are not linked against the
same installation of libldap. You'll need to recompile or relink Heimdal
and/or OpenLDAP to correct the situation, as the Heimdal code does not allow
you to reconfigure its LDAP URL at runtime.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: Lara Adianto [mailto:m1r4cle_26@yahoo.com]

> I'm confused now...
> I've posted a question 'which mechanism is used to
> store the principals' credentials in ldap backend' on
> this mailing list a few days ago (see the excerpts of
> the discussion below). And from the discussion, I
> concluded that it's simple bind.
>
> Or maybe I misunderstood what Gemes Geza means. Maybe
> the storing is done with SASL/EXTERNAL mech while
> searching is done using simple bind ?
>
> Anyway, init the database using kadmin still results in
> kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server.
> # kadmin -l
> kadmin> init LARAS.COM
> Realm max ticket life [unlimited]:
> Realm max renewable ticket life [unlimited]:
> kadmin: kadm5_create_principal: ldap_add_s: Can't contact LDAP server
>
> -lara-
>
> Below is the excerpt of the mail:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Lara Adianto wrote:
> | Hi Geza,
> |
> | Will it work in Linux platform as well ?
> | I have read the HOWTO on the link you provided
> actually.
> | But it doesn't really satisfy me :-)
> |
> | kdc# ldapsearch -L -h localhost -D cn=manager \
> |   -w secret -b ou=KerberosPrincipals,dc=padl,dc=com \
> |   'objectclass=krb5KDCEntry'
> |
> | Does it mean that we MUST use simple bind ?
>
> Yes, but it is over a 700 mode uid 0 and gid 0 socket file, so it is
> not less secure than accessing a root owned file based kerberos
> database. Anyway kerberos is a protocol designed to solve the problem of
> some secure hosts connected by an insecure network. So if your KDC
> machine gets compromised anything is lost no matter if you are using
> LDAP or not.
>
> | Thank you,
> | lara
> | Gimes_Giza <geza@kzsdabas.sulinet.hu> wrote:
> |
> | Lara Adianto wrote:
> | | Hi,
> | |
> | | This is probably a basic question but well, I haven't
> | | got any satisfactory information on the net, so I post
> | | it anyway here.
> | |
> | | I read somewhere in the net that using ldap as the
> | | backend of heimdal might degrade the security feature
> | | of kerberos. Is this right ? If yes, then in which
> | | situation will we prefer to use ldap backend instead
> | | of the local dbase ?
> | |
> | | Using ldap as the heimdal's backend, how would the
> | | search be conducted through ldap ? With simple bind ?
> | | SASL mechanism ?
> | |
> | With proper access control lists defined in ldap configuration the risk
> | is minimal. The LDAP connection is realized over a UNIX domain socket,
> | so Heimdal and LDAP server must run on the same host.
> | Recommended reading:
> | http://www.padl.com/Research/Heimdal.html
>
>
> Cheers,
>
> Geza
> --- Howard Chu <hyc@highlandsun.com> wrote:
> > Exactly.
> >
> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> > > -----Original Message-----
> > > From: Lara Adianto [mailto:m1r4cle_26@yahoo.com]
> > > Sent: Friday, April 09, 2004 8:46 PM
> > > To: Howard Chu
> > > Subject: RE: kadmin: kadm5_create_principa: ldap_add_s: Can't contact LDAP server
> > >
> > >
> > > Hi Howard,
> > >
> > > >Furthermore, Heimdal's hdb-ldap backend uses
> > > >SASL/EXTERNAL so you must be able to verify this
> > > >method using ldapsearch if you want hdb-ldap to
> > > >work.
> > >
> > > Does this mean that storing the principal's
> > > credentials in LDAP backend is done by using
> > > SASL/EXTERNAL and not using simple bind ?
> > >
> > > -lara-
> > >
> > > --- Howard Chu <hyc@highlandsun.com> wrote:
> > > > > -----Original Message-----
> > > > > From: owner-heimdal-discuss@sics.se
> > > > > [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Gimes Giza
> > > >
> > > > > Recent openldap client software wants to auth by sasl by
> > > > > default. Please disable it specifying the -x flag.
> > > > >
> > > > > ldapsearch -H 'ldapi:///' -x
> > > >
> > > > No.
> > > >
> > > > Changing the Bind method will not affect an "Unable to contact the server"
> > > > error. Obviously if the client cannot connect, then its choice of Bind method
> > > > is irrelevant.
> > > >
> > > > Furthermore, Heimdal's hdb-ldap backend uses SASL/EXTERNAL so you must be
> > > > able to verify this method using ldapsearch if you want hdb-ldap to work.
> > > >
> > > >   -- Howard Chu
> > > >   Chief Architect, Symas Corp.       Director, Highland Sun
> > > >   http://www.symas.com               http://highlandsun.com/hyc
> > > >   Symas: Premier OpenSource Development and Support
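As an added example (not code from this thread, nor from Heimdal or OpenLDAP), a POSIX shell script that automates the two checks Howard asks for: whether slapd and the client tools resolve the same libldap (otherwise an unqualified ldapi:/// URL resolves to different default socket paths), and whether the SASL/EXTERNAL bind that hdb-ldap relies on succeeds, here via ldapwhoami. The binary paths and the ldapi URL are arguments you supply; the ldd output used for checking is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: (1) slapd and the ldap client
# tools must link the same libldap, or an unqualified ldapi:/// URL means
# different default socket paths to each; (2) the SASL/EXTERNAL bind over
# that socket, which hdb-ldap uses, must work with the stock client tools.

# Print the resolved libldap path from `ldd` output read on stdin.
libldap_from_ldd() {
    awk '$1 ~ /^libldap[^ ]*\.so/ && $2 == "=>" { print $3; exit }'
}

# True when two pieces of ldd output resolve libldap to the same file;
# false if either lacks libldap entirely.
same_libldap_text() {
    a=$(printf '%s\n' "$1" | libldap_from_ldd)
    b=$(printf '%s\n' "$2" | libldap_from_ldd)
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" = "$b" ]
}

# Decode the socket path from an ldapi URL (slashes are %2F-encoded in the
# host part). An unqualified "ldapi:///" yields an empty string, meaning
# "whatever path this particular libldap build was configured with".
ldapi_socket_path() {
    printf '%s\n' "$1" | sed -e 's|^ldapi://||' -e 's|/.*$||' -e 's/%2[Ff]/\//g'
}

# Live check. Usage: sh check-ldapi.sh /usr/sbin/slapd /usr/bin/ldapsearch [ldapi-url]
main() {
    url=${3:-ldapi:///}
    if same_libldap_text "$(ldd "$1" 2>/dev/null)" "$(ldd "$2" 2>/dev/null)"; then
        echo "ok: $1 and $2 use the same libldap"
    else
        echo "MISMATCH: $1 and $2 resolve different libldap builds" >&2
    fi
    sock=$(ldapi_socket_path "$url")
    if [ -n "$sock" ] && [ ! -S "$sock" ]; then
        echo "no socket at $sock; slapd is not listening there" >&2
    fi
    # ldapwhoami -Y EXTERNAL performs the same bind hdb-ldap relies on and
    # prints the DN the server mapped the socket peer credentials to.
    ldapwhoami -H "$url" -Y EXTERNAL -Q
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```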