Re: OpenLDAP + Kerberos on FreeBSD 7.2, close to working but not quite

I have both those files, however, not sure if the permissions are set correctly:

frisbee# ls -l /etc/krb5*
-rw-r--r--  1 root  wheel  128 Aug  7 14:09 /etc/krb5.conf
-rw-------  1 root  wheel  286 Aug  7 16:01 /etc/krb5.keytab

As far as the keytab file goes, I used this to create it:

frisbee# kadmin -l
kadmin> ext ldap/frisbee.crazy.lan
kadmin> exit

Just to clarify, ldap and kerberos are running on the same machine (frisbee.crazy.lan).

Also here's the contents of krb5.conf just to catch any errors you may find:

frisbee# cat /etc/krb5.conf
[libdefaults]
    default_realm = CRAZY.LAN

[logging]
    kdc = 0/FILE:/var/log/kdc.log
    kdc = 1-/SYSLOG:INFO:USER
    default = STDERR

I have the proper DNS settings for kerberos, here's my BIND setup:

frisbee        IN    A    192.168.1.5
_kerberos._udp    IN    SRV    01 00 88 frisbee.crazy.lan.
_kerberos._tcp     IN    SRV    01 00 88 frisbee.crazy.lan.
_kpasswd._udp    IN    SRV    01 00 464 frisbee.crazy.lan.
_kerberos-adm._tcp IN    SRV    01 00 749 frisbee.crazy.lan.
_kerberos    IN    TXT    CRAZY.LAN



On Tue, Aug 11, 2009 at 4:42 PM, Howard Chu <hyc@symas.com> wrote:
Dieter Kluenter wrote:
Allan <cr4z3d@gmail.com> writes:

Seems like slapd is linked to gssapi and sasl. Are there simply command line
options I'm missing to start up slapd?

frisbee# ldd /usr/local/libexec/slapd
/usr/local/libexec/slapd:
    libldap_r-2.4.so.6 =>  /usr/local/lib/libldap_r-2.4.so.6 (0x2820b000)
    liblber-2.4.so.6 =>  /usr/local/lib/liblber-2.4.so.6 (0x28250000)
    libdb-4.6.so.0 =>  /usr/local/lib/libdb-4.6.so.0 (0x2825d000)
    libsasl2.so.2 =>  /usr/local/lib/libsasl2.so.2 (0x28385000)
    libgssapi.so.9 =>  /usr/lib/libgssapi.so.9 (0x2839c000)

These seem to be different libraries than the sasl libraries, as below:

/usr/local/lib/sasl2/libgssapiv2.a
/usr/local/lib/sasl2/libgssapiv2.la
/usr/local/lib/sasl2/libgssapiv2.so
/usr/local/lib/sasl2/libgssapiv2.so.2

These usually are dynamically loaded by libsasl2, so they would never be directly linked into the slapd (or any other) binaries.

Most likely the gssapi plugin is not initializing itself, maybe because there is no krb5.conf file, or because there is no keytab with slapd's key inside, or the files are not readable by slapd, etc...

--
 -- Howard Chu
 CTO, Symas Corp.           http://www.symas.com
 Director, Highland Sun     http://highlandsun.com/hyc/
 Chief Architect, OpenLDAP  http://www.openldap.org/project/
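
The "files are not readable by slapd" case can be checked against the `ls -l` output in this message, where /etc/krb5.keytab is mode 0600 and owned by root:wheel. The following is an added example, not part of the thread: a shell function that classifies a keytab's mode bits for a given numeric uid/gid. The account name `ldap` in the usage comment is an assumption (the thread does not say which user slapd runs as), and supplementary groups are not considered.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ls -ln` mode bits whether
# a given numeric uid/gid can read a keytab, and flag world-readable keytabs.
# Prints one of: ok, unreadable, exposed. Returns 2 if the file cannot be listed.
keytab_access() {
    file=$1 uid=$2 gid=$3
    # ls -lnd fields: mode links owner-uid group-gid size date... name
    line=$(ls -lnd "$file") || return 2
    set -- $line
    mode=$1 owner=$3 group=$4
    u_r=$(printf '%s' "$mode" | cut -c2)   # owner read bit
    g_r=$(printf '%s' "$mode" | cut -c5)   # group read bit
    o_r=$(printf '%s' "$mode" | cut -c8)   # other read bit
    # A keytab holds long-term service keys: any "other" read bit is exposure,
    # regardless of who is asking.
    if [ "$o_r" = r ]; then
        echo exposed
        return 0
    fi
    # uid 0 bypasses mode bits.
    if [ "$uid" = 0 ]; then
        echo ok
        return 0
    fi
    # Unix semantics: the owner class is checked first and exclusively,
    # then the group class; everyone else falls through to "other".
    if [ "$uid" = "$owner" ]; then
        if [ "$u_r" = r ]; then echo ok; else echo unreadable; fi
    elif [ "$gid" = "$group" ]; then
        if [ "$g_r" = r ]; then echo ok; else echo unreadable; fi
    else
        echo unreadable
    fi
}

# Usage on the host from the thread, assuming slapd runs as an account
# named "ldap" (hypothetical name):
#   keytab_access /etc/krb5.keytab "$(id -u ldap)" "$(id -g ldap)"
```

For a 0600 root:wheel keytab this reports `unreadable` for any non-root uid, and `exposed` for a keytab that has been loosened to 0644.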