Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so

From: Lévai László <laszlo.lev.levai_at_gmail.com>
Date: Thu, 30 Oct 2014 10:02:19 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256



On 2014-10-30 09:47, O. Hartmann wrote:
> On Thu, 30 Oct 2014 09:35:49 +0100 Lévai László
> <laszlo.lev.levai_at_gmail.com> wrote:
> 
> Hi, try this:
> 
> [1] kill all Kerberos processes
> [2] to start the KDC: /usr/local/libexec/kdc --detach
> [3] /usr/local/sbin/kadmin -l
> kadmin> list -l *
> [...]
> 
>             Principal: krbtgt/...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: unlimited
>    Max renewable life: unlimited
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:00 UTC
>              Modifier: unknown
>            Attributes:
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> 
>             Principal: kadmin/changepw@...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 5 minutes
>    Max renewable life: 5 minutes
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:00 UTC
>              Modifier: unknown
>            Attributes: pwchange-service, requires-pre-auth, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-postdated
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> 
>             Principal: kadmin/admin@...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 1 hour
>    Max renewable life: 1 hour
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:00 UTC
>              Modifier: unknown
>            Attributes: requires-pre-auth
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> 
>             Principal: changepw/kerberos@...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 1 hour
>    Max renewable life: 1 hour
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:01 UTC
>              Modifier: unknown
>            Attributes: pwchange-service, disallow-tgt-based
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> 
>             Principal: kadmin/hprop@...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 1 hour
>    Max renewable life: 1 hour
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:01 UTC
>              Modifier: unknown
>            Attributes: requires-pre-auth, disallow-tgt-based
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> 
>             Principal: WELLKNOWN/ANONYMOUS@...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 1 hour
>    Max renewable life: 1 hour
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:01 UTC
>              Modifier: unknown
>            Attributes: requires-pre-auth
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> 
>             Principal: default@...
>     Principal expires: never
>      Password expires: never
>  Last password change: never
>       Max ticket life: 1 day
>    Max renewable life: 1 week
>                  Kvno: 1
>                 Mkvno: unknown
> Last successful login: never
>     Last failed login: never
>    Failed login count: 0
>         Last modified: 2014-10-28 11:44:01 UTC
>              Modifier: unknown
>            Attributes: disallow-all-tix
>              Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
>           PK-INIT ACL:
>               Aliases:
> [...]
> 
>> Hello.
> 
>> This seems not to be the base system's Heimdal since you use
>> /usr/local as prefix!
> 

The base system's Heimdal with the OpenLDAP backend did not work for me, so
I installed the security/heimdal port and the OpenLDAP24 server.

root@lea:~ # /usr/local/libexec/slapd -VV
@(#) $OpenLDAP: slapd 2.4.40 (Oct 17 2014 16:17:52) $
	root@lea...:/usr/ports/net/openldap24-server/work/openldap-2.4.40/servers/slapd


root@lea:~ # /usr/local/libexec/kdc --version
kdc (Heimdal 1.5.2)
Copyright 1995-2011 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@h5l.org


root@lea:~ # /usr/local/libexec/kdc --builtin-hdb
builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:

Otherwise, the system kdc:
root@lea:~ # /usr/libexec/kdc --builtin-hdb
builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:


>> What is your database/storage backend for your Heimdal
>> installation? Is it OpenLDAP?
> 
>> Thank you very much in advance,
> 
>> Oliver
> 
> 
> 
> On 2014-10-30 09:20, O. Hartmann wrote:
>>>> On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29
>>>> 07:52:22 CET 2014 amd64) a running net/openldap24-sasl-server
>>>> system is installed and running and is now about to be the
>>>> database backend for Kerberos/Heimdal.
>>>> net/openldap24-sasl-server is at 
>>>> openldap-sasl-server-2.4.40.
>>>> 
>>>> The database storage scheme of the LDAP backend is MDB, as it
>>>> is highly recommended by the vendors of OpenLDAP.
>>>> 
>>>> Searching for suitable manuals, I found some HowTos
>>>> describing how to setup MIT Kerberos V with an OpenLDAP
>>>> backend and I started following the instructions there.
>>>> Despite the fact that http://www.h5l.org/manual is dead(!)
>>>> and no useful documentation or any kind of a hint where to
>>>> find useful documentation for Heimdal can be found, many of
>>>> the MIT Kerberos V setup instructions seem to be a dead end
>>>> when using Heimdal on FreeBSD. Most of the links on that
>>>> heimdal site end up in ERROR 404!
>>>> 
>>>> Well, I think my objective isn't that exotic in a more
>>>> advanced server environment and I think since FreeBSD is
>>>> supposed to be used in advanced server environments this task
>>>> should be well known - but little information/documentation
>>>> is available.
>>>> 
>>>> Nevertheless, I use the base system's heimdal implementation
>>>> and I run into a very frustrating error when trying to run
>>>> "kadmin -l":
>>>> 
>>>> kadmin: error trying to load dynamic module
>>>> /usr/lib/hdb_ldap.so: Cannot open "/usr/lib/hdb_ldap.so"
>>>> 
>>>> The setup for the stanza [kdc] is
>>>> 
>>>> [...]
>>>> [kdc]
>>>>     database = {
>>>>         dbname=ldap:ou=kerberos,dc=server,dc=gdr
>>>>         #hdb-ldap-structural-object = inetOrgPerson
>>>>         mkey_file = /var/heimdal/m-key
>>>>         acl_file = /var/heimdal/kadmind.acl
>>>>     }
>>>> 
>>>> instructions taken from 
>>>> http://www.padl.com/Research/Heimdal.html.
>>>> 
>>>> Well, it seems that FreeBSD ships with a crippled heimdal 
>>>> implementation. Where is /usr/lib/hdb_ldap.so?
>>>> 
>>>> I've been toying around with this issue for several days now and it gets
>>>> more and more frustrating, also with the perspective of
>>>> having no running samba 4.1 server for the windows domain.
>>>> 
>>>> Can someone give me a hint where to find suitable FreeBSD
>>>> docs for a task like this? I guess since FreeBSD is
>>>> considered a server OS more than a desktop/toy OS, there must
>>>> be a solution for this. FreeBSD ships with heimdal in the
>>>> base, but it seems this heimdal is broken.
>>>> 
>>>> P.S. Please CC me.
>>>> _______________________________________________ 
>>>> freebsd-current_at_freebsd.org mailing list 
>>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current To 
>>>> unsubscribe, send any mail to 
>>>> "freebsd-current-unsubscribe_at_freebsd.org"
>>>> 
> 
> 

- -- 
Respectfully,
Lévai László
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlRR/psACgkQtgVHtSvpUlqM0AD+Pwy6+M1eQVDoXJBqvr4tC5Ct
UYAu1NlTZzk1EQ+scrgA+QHXWl3nEj0SN3EpIghIee10dCMUmrNbIm5ga8+CpeUk
=GC3n
-----END PGP SIGNATURE-----
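Two checks that follow from this thread, written as an added example that is not part of the original message or of Heimdal itself. The first parses `kdc --builtin-hdb` output and confirms that the scheme in the `[kdc]` `dbname=` setting (here `ldap:`) is actually compiled into the kdc you are about to run, which is the mismatch behind the `Cannot open "/usr/lib/hdb_ldap.so"` error. The second parses a `kadmin -l list -l *` dump like the one quoted above and reports principals that still carry RC4 or 3DES keys, or that can obtain tickets without `requires-pre-auth`. The two backend lines are copied from the thread; the `list -l` sample, the realm `EXAMPLE.COM` and the dbname DN are constructed for this example.

```python
"""Checks against the two Heimdal command outputs discussed in the thread.

backend_supported(): is the scheme of the [kdc] dbname= (e.g. ldap:) among
the backends the kdc binary was built with? If not, Heimdal tries to dlopen
an hdb_<scheme>.so plugin, which is the failure quoted in the thread.
audit_principals(): flag weak enctypes and missing requires-pre-auth in a
`kadmin -l list -l *` dump. All sample inputs are constructed for this example.
"""
import re

# Taken from the `kdc --builtin-hdb` lines quoted in the thread.
PORT_KDC_BACKENDS = "builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:\n"
BASE_KDC_BACKENDS = "builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:\n"

# Constructed dbname as in the quoted [kdc] stanza; the DN is an assumption.
LDAP_DBNAME = "ldap:ou=kerberos,dc=server,dc=gdr"

# Enctypes that should not remain on any principal, least of all krbtgt.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1",
                 "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# Constructed `list -l` dump in Heimdal's one-field-per-line layout; the realm
# EXAMPLE.COM is an assumption (the thread elides it). Values mirror the thread.
SAMPLE_LISTING = """\
            Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Principal expires: never
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
        Last modified: 2014-10-28 11:44:00 UTC
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/admin@EXAMPLE.COM
      Max ticket life: 1 hour
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)

            Principal: default@EXAMPLE.COM
      Max ticket life: 1 day
           Attributes: disallow-all-tix
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt), arcfour-hmac-md5(pw-salt)
"""


def builtin_backends(output):
    """Return the set of backend schemes named in `kdc --builtin-hdb` output."""
    m = re.search(r"builtin hdb backends:\s*(.*)", output)
    if m is None:
        raise ValueError("not the output of kdc --builtin-hdb")
    return {tok.strip().rstrip(":") for tok in m.group(1).split(",") if tok.strip()}


def backend_supported(dbname, output):
    """True when the scheme prefix of dbname ('ldap' in 'ldap:ou=...') is a
    built-in backend. A bare path has no scheme and uses the default backend,
    so it is accepted unconditionally."""
    scheme, sep, _ = dbname.partition(":")
    return not sep or scheme in builtin_backends(output)


def parse_listing(text):
    """Split a `list -l` dump into one {label: value} dict per principal.
    Principals are separated by blank lines; each field is 'Label: value'."""
    principals, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                principals.append(current)
                current = {}
            continue
        label, _, value = line.partition(":")
        current[label.strip()] = value.strip()
    if current:
        principals.append(current)
    return principals


def _csv_set(value, strip_parens=False):
    """'a(pw-salt), b(pw-salt)' -> {'a', 'b'}; '' -> set()."""
    items = {item.strip() for item in value.split(",") if item.strip()}
    return {i.split("(")[0] for i in items} if strip_parens else items


def audit_principals(text):
    """Return (principal, finding) pairs, in dump order."""
    findings = []
    for p in parse_listing(text):
        name = p.get("Principal", "?")
        weak = sorted(_csv_set(p.get("Keytypes", ""), strip_parens=True) & WEAK_ENCTYPES)
        attrs = _csv_set(p.get("Attributes", ""))
        if weak:
            findings.append((name, "weak keytypes: " + ", ".join(weak)))
        # A principal that can get no tickets at all (disallow-all-tix) is not
        # exposed to offline AS-REP guessing, so only the others are flagged.
        if "requires-pre-auth" not in attrs and "disallow-all-tix" not in attrs:
            findings.append((name, "requires-pre-auth not set"))
    return findings


if __name__ == "__main__":
    for label, out in (("port kdc", PORT_KDC_BACKENDS), ("base kdc", BASE_KDC_BACKENDS)):
        print(f"{label}: {LDAP_DBNAME} supported={backend_supported(LDAP_DBNAME, out)}")
    for name, finding in audit_principals(SAMPLE_LISTING):
        print(f"{name}: {finding}")
```

To run this against a live KDC, feed it the real outputs (`/usr/local/libexec/kdc --builtin-hdb` and `kadmin -l list -l '*'`) in place of the constructed samples; the only non-trivial assumption in the parser is the blank line Heimdal prints between principals. Dropping the RC4/3DES keys is a `kadmin -l cpw -r` (or `del_enctype`) job after clients are confirmed AES-capable; `krbtgt` is the principal where a weak key matters most, since its key protects every TGT in the realm.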
Received on Thu Oct 30 2014 - 08:02:23 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC