[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Error while integrating OpenLDAP and Kerberos

Review the password stash steps used to provide the kdc/kadmin processes their password in order to bind to ldap.

Manually start the kadmind process with debugging turn on and run it in the foreground.  You will likely see where things go wrong.

Passwords may not match, the password may not be in the right file, the permissions could be off...

On Mar 19, 2015 1:54 AM, "Verónica Ovando" <vero.ovando@gmail.com> wrote:
I am trying to set up Kerberos with OpenLDAP backend. I followed this doc http://web.mit.edu/Kerberos/www/krb5-1.12/doc/admin/conf_ldap.html and this https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-openldap

My krb5.conf file looks like this:

    default_realm = EXAMPLE.TEST
    dns_lookup_realm = false
    dns_lookup_kdc = false
    rdns = false

    restrict_anonymous_to_tgt = true    

# The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

# The following libdefaults parameters are only for Heimdal Kerberos.
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
        plain = {
            something = something-else
    fcc-mit-ticketflags = true

#configuracion para mi reino
        kdc = krb1.example.test:88
        kdc = krb2.example.test:88
        admin_server = krb1.example.test
        default_domain = example.test
        database_module = openldap_ldapconf

#configuracion para mi servidor
    .example.test = EXAMPLE.TEST

        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=test

        openldap_ldapconf = {
                db_library = kldap
                ldap_kdc_dn = "cn=krbadmin,dc=example,dc=test"

                # this object needs to have read rights on
                # the realm container, principal container and realm sub-trees
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=test"

                # this object needs to have read and write rights on
                # the realm container, principal container and realm sub-trees
                ldap_service_password_file = /etc/krb5kdc/service.keyfile
                ldap_servers = ldap://
                ldap_conns_per_server = 5

#   krb4_convert = true
#   krb4_get_tickets = false

    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmin.log
    default = FILE:/var/log/kerberos/krb5lib.log

I added the krbPrincipalName index:

dn: olcDatabase={1}hdb,cn=config
add: olcDbIndex
olcDbIndex: krbPrincipalName eq,pres,sub

I gave permissions to the kadmind and krb5kdc for reading a writing in the LDAP database:

dn: olcDatabase={1}hdb,cn=config replace: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=krbadmin,dc=example,dc=com" write by anonymous auth by self write by * none
add: olcAccess olcAccess: to dn.base="" by * read
add: olcAccess olcAccess: to * by dn="cn=krbadmin,dc=example,dc=com" write by * read

When i try to restart the krb5-admin-server I get this error:

[....] Restarting Kerberos administrative servers: kadmindkadmind: Invalid credentials while initializing, aborting failed!

Any suggestion for solving this problem? I thinks there is a missing configuration on my LDAP, but I am not sure.

Thanks in advance.

Verónica Ovando