From: Boris Samorodov
To: fandino@ng.fadesa.es
Cc: freebsd-stable@FreeBSD.org, freebsd-ports@FreeBSD.org
Date: Wed, 01 Jun 2005 22:20:27 +0400
Subject: Re: kadmin (heimdal port) ignores the ldap backend
Message-ID: <09783236@srv.sem.ipt.ru>
In-Reply-To: <429DE188.5020908@ng.fadesa.es>
References: <429D8B3B.50203@ng.fadesa.es> <29469499@srv.sem.ipt.ru> <429DE188.5020908@ng.fadesa.es>

On Wed, 01 Jun 2005 18:25:44 +0200 fandino wrote:

> Boris Samorodov wrote:
> > On Wed, 01 Jun 2005 12:17:31 +0200 fandino wrote:
> >> I'm testing a new configuration with heimdal and the ldap backend
> >> but kadmin is completely ignoring the ldap directive in the dbname
> >> definition.
> ...
> >> When the realm is initialized kadmin creates a couple of files with the literal
> >> dbname definition (adding ldap: as filename prefix) instead of contacting
> >> the openldap server.
> >>
> >> # /usr/local/sbin/kadmin -l
> >> kadmin> init OLIMPUS
> >> Realm max ticket life [unlimited]:
> >> Realm max renewable ticket life [unlimited]:
> >> # ls -l
> >> ...
> >> -rw------- 1 root wheel 32768 May 31 10:19 ldap:ou=gods,dc=olimpus.db
> >> -rw------- 1 root wheel 7584 May 31 10:19 ldap:ou=gods,dc=olimpus.log
> >> ...
> >> Does anyone know what I'm missing?

> > What version of FreeBSD do you have? 5.4-RELEASE has heimdal 0.6.3 in
> > the base system.

> I'm using 5.4-RELEASE.

> > Do you build FreeBSD with Kerberos support? There may be system

> Yes, it was built with Kerberos (0.6.3) and the heimdal port

Aha, thus you install system libraries to /usr/lib etc...

> (0.6.3) was also installed in order to get ldap support for

...and those libraries from the port install to /usr/local/lib...

> kerberos without getting messed with the system kerberos.

...and finally get it messed.

> > libraries located earlier in LDD_PATH which kadmin uses. Try ktrace
> > and kdump to see which libraries are used at run-time.

> You have found something interesting: this strace[1] shows us
> that /usr/local/sbin/kadmin (the port kadmin binary) is using
> "/usr/local/lib/libkadm5clnt.so.6" and "/usr/lib/libkadm5srv.so.7".
> Could libkadm5srv be the culprit (right now I don't have access to this box)?

I think this is the point.

> How can I force /usr/local/sbin/kadmin to use the port library
> and not the system library?

1. The main idea is to force the search at /usr/local/lib before /usr/lib.

a) you may set LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH in your
system default profile (but some other programs may then malfunction);

b) you may write a script like:
--- kadmin.sh ---
#!/bin/sh
# prefer the port's libraries over the base-system ones for this run only
LD_LIBRARY_PATH=/usr/local/lib:$LD_LIBRARY_PATH; export LD_LIBRARY_PATH
# pass all arguments through unchanged
exec kadmin "$@"
-----------------
Maybe it's a better solution.

2. Set HEIMDAL_HOME=/usr in /etc/make.conf, so the local_base for the
port is /usr. But then some docs (and maybe some more files) won't get
installed. (Hey, is the port broken?) Yes, this will replace your
system files. But there won't be a mess. ;-) And, yes, you'll have to
reinstall the port after a system upgrade.

Hence, all versions are rather more a hack than even a workaround, not
to say a solution.

I don't know any good solution. System files are installed to /usr.
Many programs use those libraries. One needs to install a version from
ports. Those libraries are installed to /usr/local. But then one'll
want to use ssh (linked to the system library) to authenticate
somebody via LDAP/Kerberos...

Who can give us a good solution?

PS. CC:freebsd-stable@ seems to be the right thing.

WBR
-- 
bsam
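As an added example (not part of this thread, the heimdal port or the FreeBSD base system), here is a small POSIX sh script that automates the check the thread arrives at by hand: it parses ldd(1) output for a binary and reports every library resolved from the base-system prefix while the ports prefix provides a same-named library, which is exactly the libkadm5srv mix-up above. The script, its function names and the constructed sample transcript are assumptions of mine.

```shell
#!/bin/sh
# check_libs.sh (added example, not from the thread): report shared libraries
# that a binary resolves from the base-system prefix (/usr/lib) although the
# ports prefix (/usr/local/lib) provides a library with the same name.
# Usage: sh check_libs.sh /usr/local/sbin/kadmin   (real check via ldd)
#        sh check_libs.sh                          (demo on constructed data)

# shadowed_libs SYSDIR PORTDIR: reads ldd(1)-style lines on stdin, e.g.
#     libkadm5srv.so.7 => /usr/lib/libkadm5srv.so.7 (0x2812a000)
# and prints "soname resolved_path port_path" for each library resolved
# from SYSDIR while PORTDIR holds a file with the same soname.
shadowed_libs() {
    sysdir=$1
    portdir=$2
    while read -r soname arrow path _rest; do
        [ "$arrow" = "=>" ] || continue      # skip the "binary:" header line
        case "$path" in
            "$sysdir"/*) ;;                  # came from the base system: check
            *) continue ;;
        esac
        if [ -e "$portdir/$soname" ]; then
            printf '%s %s %s\n' "$soname" "$path" "$portdir/$soname"
        fi
    done
}

# check_binary BINARY [SYSDIR] [PORTDIR]: returns 1 if anything is shadowed.
check_binary() {
    found=$(ldd "$1" | shadowed_libs "${2:-/usr/lib}" "${3:-/usr/local/lib}")
    [ -z "$found" ] && return 0
    echo "$1 loads base-system libraries that the ports tree also provides:"
    echo "$found"
    return 1
}

# demo: constructed ports libdir and ldd transcript modelled on the thread
# (libkadm5clnt from /usr/local/lib, libkadm5srv from /usr/lib); no real ldd.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/local/lib"
    touch "$tmp/usr/local/lib/libkadm5clnt.so.6" "$tmp/usr/local/lib/libkadm5srv.so.7"
    printf '%s\n' "/usr/local/sbin/kadmin:" \
        "    libkadm5clnt.so.6 => $tmp/usr/local/lib/libkadm5clnt.so.6 (0x28089000)" \
        "    libkadm5srv.so.7 => $tmp/usr/lib/libkadm5srv.so.7 (0x2812a000)" \
        "    libc.so.5 => $tmp/usr/lib/libc.so.5 (0x28200000)" |
        shadowed_libs "$tmp/usr/lib" "$tmp/usr/local/lib"
    rm -rf "$tmp"
}

if [ $# -eq 0 ]; then demo; else check_binary "$@"; fi
```

A non-empty report from check_binary means the binary will silently link a base-system copy of a library the port also ships, which is the condition the LD_LIBRARY_PATH wrapper or the HEIMDAL_HOME=/usr rebuild discussed above is meant to remove.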