Hello everybody,

With the help of Howard Chu and some other people on this mailing list, I managed to build and configure OpenLDAP as the backend of Heimdal Kerberos, and tested the authentication of a W2K client to the Heimdal Kerberos KDC and cross-realm authentication. Though it works, there are still some doubts about how it actually works, and hopefully with the help of this mailing list I can get a better understanding of what is actually happening:

1. One of the problems I found during the setup was the failure of Heimdal to contact slapd. After doing 'ldd', I found out that Heimdal was pointing to the wrong liblber and libldap. It was using the libldap and liblber in /usr/local/lib, which are obsolete. I have fed the following options:

   --with-openldap=/usr/local (the location of my OpenLDAP installation)
   --with-openldap-lib=/usr/lib (where the right liblber and libldap reside)

   During make install, it seems to point at /usr/lib, but unfortunately 'ldd kdc' still says that liblber and libldap are using the libraries in /usr/local/lib, and hence Heimdal can't contact OpenLDAP. I finally created the symbolic links manually for libldap and liblber to point to the right libraries. This doesn't seem right to me.... Any comments, guys?

2. I used a patch for hdb-ldap.c from Alberto Patino given in the following link:

   http://www.stacken.kth.se/lists/heimdal-discuss/2003-05/msg00040.html

   for the SASL/EXTERNAL call to the local IPC LDAPI interface:

   [root@myserver heimdal-0.6]# patch -p1 < /usr/local/hdbfix.diff
   patching file lib/hdb/hdb-ldap.c
   patch unexpectedly ends in middle of line
   Hunk #4 succeeded at 1118 with fuzz 1.
   [root@myserver heimdal-0.6]#

   This is the first time I have seen a patching result like the above. Did the above mean everything is all right, or is something wrong?

3. Again about the usage of the SASL/EXTERNAL mechanism in retrieving the principal's credentials:

   shell% ldapsearch -Y EXTERNAL -ZZ -b ou=KPrincipals,dc=laras,dc=com 'objectclass=krb5KDCEntry'
   shell% ldapsearch -x -L -h localhost -D cn=Manager,dc=laras,dc=com -w secret -b ou=KPrincipals,dc=laras,dc=com

   Both ways (using simple bind and SASL/EXTERNAL) work. So, SASL/EXTERNAL is not mandatory?
4. Is there any good documentation / howto on how to ensure the security of the LDAP backend? Any guidance on how to set up the authorization?
Thanks in advance,
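As an added example for questions 3 and 4 (this is not from the original post, nor from Heimdal's or OpenLDAP's own documentation), here is a slapd.conf fragment that makes SASL/EXTERNAL over ldapi:// the only identity allowed to touch the Kerberos keys, and refuses cleartext simple binds. The suffix, the ou=KPrincipals container and the cn=Manager rootdn are taken from the post. Assumptions: slapd listens on both ldapi:/// and ldap:///, it is built with peer-credential support so that a root process binding with SASL/EXTERNAL over the ldapi socket is seen as gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth (adjust the uid/gid if the KDC runs unprivileged), the attribute names krb5Key/krb5PrincipalName are those of the Heimdal hdb schema, and the TLS file paths are placeholders.

```conf
# Added example slapd.conf fragment (not from the original post).
# Assumes: slapd -h "ldapi:/// ldap:///", with the KDC on the same host
# binding via SASL/EXTERNAL over the ldapi socket as root.

# TLS material (placeholder paths; assumption)
TLSCertificateFile      /etc/openldap/ssl/slapd.crt
TLSCertificateKeyFile   /etc/openldap/ssl/slapd.key
TLSCACertificateFile    /etc/openldap/ssl/ca.crt

# Refuse simple binds unless the connection already has an SSF of 128,
# i.e. it was started with STARTTLS (ldapsearch -ZZ). Without this,
# "-D cn=Manager,... -w secret" over plain ldap://localhost crosses the
# socket in the clear. Anonymous binds are refused outright.
security simple_bind=128
disallow bind_anon

database  bdb
suffix    "dc=laras,dc=com"
# rootdn bypasses every ACL below. Use it for administration only;
# the KDC should not bind as it.
rootdn    "cn=Manager,dc=laras,dc=com"

# Identity the KDC obtains with SASL/EXTERNAL over ldapi as uid 0 / gid 0
# (assumption: slapd built with peercred support):
#   gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth

# ACLs are first-match: the key material rule must come before the
# general rule for the same subtree. Nobody but the KDC may read keys,
# not even the principal's own entry.
access to dn.subtree="ou=KPrincipals,dc=laras,dc=com"
        attrs=krb5Key,userPassword
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none

# The rest of each principal entry (krb5PrincipalName, KDC flags, ...):
# read/write for the KDC, invisible to everyone else.
access to dn.subtree="ou=KPrincipals,dc=laras,dc=com"
    by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
    by * none

# Everything else in the tree: authenticated users may read.
access to *
    by users read
    by * none
```

With this in place the answer to question 3 becomes visible in practice: the simple-bind search in the post still "works" only because cn=Manager is the rootdn and is exempt from ACLs, while any other simple bind is refused without TLS and, even with TLS, gets "none" on ou=KPrincipals. The SASL/EXTERNAL search succeeds only when it arrives over the ldapi socket from the expected uid/gid; a check is to run the same ldapsearch -Y EXTERNAL as an unprivileged user, which should then return no entries.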