[19968] in Kerberos_V5_Development
MIT Kerberos and OpenLDAP
daemon@ATHENA.MIT.EDU (Диля)
Sun Sep 1 06:22:38 2019
Message-ID: <3546b20a3d536a146264d4f140fcb3a95255ccd2.camel@aegee.org>
From: Дилян Палаузов <dilyan.palauzov@aegee.org>
To: krbdev <krbdev@mit.edu>
Date: Sun, 01 Sep 2019 10:22:20 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit
Hello,
• In the 1.17 distribution, the doc/admin/advanced/ldapbackend.rst file, and the latest version in git, contain “This should
in a new file named kerberos.ldif”. Some rewording would be good.
• The files admin/advanced/ldapbackend.rst and admin/conf_ldap.rst propose two different ways to include the
kerberos schema. Both files stick to OpenLDAP as LDAP server.
- ldapbackend.rst, suggests creating a temporary file for the schema, /tmp/schema_convert.conf, that is then passed as
input to slaptest and the output of slaptest can then be included with ldapadd.
- In conf_ldap.rst the instruction is to "include /etc/openldap/schema/kerberos.schema" in slapd.conf.
Including kerberos.schema directly in slapd.conf does not work. I create an input.ldif file with
include: file:///src/krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
and then call
slapadd -n0 -F /tmp/A -l /home/openldap/etc/openldap.bak/input.ldif -v
to create the initial configuration in /tmp/A . The output of slapadd is:
added: "cn=config" (00000001)
added: "cn=module{0},cn=config" (00000001)
added: "olcDatabase={-1}frontend,cn=config" (00000001)
added: "cn=schema,cn=config" (00000001)
added: "cn={0}core,cn=schema,cn=config" (00000001)
added: "cn={1}cosine,cn=schema,cn=config" (00000001)
added: "cn={2}inetorgperson,cn=schema,cn=config" (00000001)
added: "cn={3}nis,cn=schema,cn=config" (00000001)
5d6b958b str2entry: entry -1 has no dn
slapadd: could not parse entry (line=1019)
_########## 51.88% eta none elapsed none spd 463.2 k/s
Closing DB...
The openldap distribution contains the files cosine.ldif and cosine.schema. The kerberos distribution contains the
files kerberos.schema, kerberos.ldif and kerberos.openldap.ldif .
‘include: cosine.ldif’ does work: the attributes are preceded with “dn: cn=cosine,cn=schema,cn=config” and there are no
spaces between the attribute definitions. In the files cosine.schema, kerberos.schema there are no dn: definitions.
How, then, is “include kerberos.schema” supposed to work?
• admin/conf_ldap.html proposes these access rights:
access to attrs=userPassword,userPKCS12
    by self write
    by * auth
Provided that MIT Kerberos does nothing with these attributes, why is this recommendation here?
• Some time has passed since I learnt the details of Kerberos V. Is there any way that MIT Kerberos with LDAP can use the
user passwords stored in the inetorgperson:userPassword attribute, instead of the krbPrincipalKey: attribute? The use
case is to reuse an existing infrastructure, where passwords are already hashed in userPassword.
Greetings
Дилян
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
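The failure reported above ("str2entry: entry -1 has no dn") comes down to file format: a slapd.conf-style .schema file is a list of attributetype/objectclass directives, while slapadd -n0 consumes LDIF, where every entry must open with a "dn:" line. The ldapbackend.rst route (run slaptest over a temporary conf that includes the .schema, then ldapadd the generated cn={N}kerberos.ldif) is exactly a conversion from the former to the latter. The script below is an added example, written for this thread and not code from the MIT Kerberos or OpenLDAP projects: it performs that conversion in plain Python so the difference between the two formats is visible, and it includes the "does this file contain a dn: line" check that slapadd is effectively applying. The schema text is a constructed sample in kerberos.schema style; the OIDs under 1.3.6.1.4.1.99999 are placeholders, not the real kerberos.schema OIDs, and the function names are this example's own.

```python
"""Convert an OpenLDAP slapd.conf-style .schema file into a cn=config LDIF entry.

Added example for the krbdev thread; not part of MIT Kerberos or OpenLDAP.
It mirrors what `slaptest -f schema_convert.conf -F <dir>` produces and shows
why a bare .schema file cannot be fed to `slapadd -n0`: it has no `dn:` line.
"""

# Constructed sample in the style of kerberos.schema.  The OIDs under
# 1.3.6.1.4.1.99999 are placeholders, not the real kerberos.schema OIDs.
SAMPLE_SCHEMA = """\
# constructed example, not the MIT Kerberos kerberos.schema
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'exPrincipalName'
    DESC 'constructed example attribute'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.99999.2.1
    NAME 'exPrincipal'
    DESC 'constructed example object class'
    SUP top AUXILIARY
    MUST ( exPrincipalName ) )
"""

# slapd.conf schema directive -> cn=config attribute that carries it
# (listed in the order slaptest emits them)
DIRECTIVE_TO_OLC = {
    "objectidentifier": "olcObjectIdentifier",
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
}


def is_ldif(text):
    """The property slapadd needs: at least one entry introduced by 'dn:'.
    A .schema file never has one, hence 'entry -1 has no dn'."""
    return any(line.lower().startswith("dn:") for line in text.splitlines())


def parse_schema(text):
    """Return (directive, definition) pairs from slapd.conf-style schema text.

    Continuation lines begin with whitespace, so a directive runs until the
    next line that starts in column 0; comments and blank lines are skipped.
    Anything other than the three schema directives is rejected so that an
    unexpected 'include' or database directive is not silently dropped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    items = []
    for line in logical:
        parts = line.split(None, 1)
        directive = parts[0].lower()
        body = parts[1] if len(parts) > 1 else ""
        if directive not in DIRECTIVE_TO_OLC:
            raise ValueError("unsupported slapd.conf directive: %s" % directive)
        body = " ".join(body.split())  # collapse the multi-line layout
        if body.count("(") != body.count(")"):
            raise ValueError("unbalanced parentheses in: %s" % body)
        items.append((directive, body))
    return items


def fold(line, width=76):
    """RFC 2849 line folding: continuation lines start with one space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def schema_to_ldif(name, text):
    """Build the cn=config schema entry for `name`, i.e. what slaptest writes
    to cn={N}<name>.ldif minus the {N} index, which slapd assigns on import."""
    items = parse_schema(text)
    lines = [
        "dn: cn=%s,cn=schema,cn=config" % name,
        "objectClass: olcSchemaConfig",
        "cn: %s" % name,
    ]
    for directive, olc_attr in DIRECTIVE_TO_OLC.items():  # group like slaptest
        for found, body in items:
            if found == directive:
                lines.append(fold("%s: %s" % (olc_attr, body)))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("raw .schema is LDIF:", is_ldif(SAMPLE_SCHEMA))
    print(schema_to_ldif("kerberos", SAMPLE_SCHEMA))
```

The generated entry is what you would ldapadd against cn=config; the slaptest-generated file additionally carries the {N} index in its dn and cn plus structural/operational attributes, which is why ldapbackend.rst has you edit the output before importing it. Loading the result into a test slapd (slapadd -n0 -F <dir> -l <file>) is the real check that the schema parses; this script only checks file shape and parenthesis balance.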