Date:      Thu, 30 Oct 2014 10:46:39 +0100
From:      "O. Hartmann" <ohartman@zedat.fu-berlin.de>
To:        Lévai László <laszlo.lev.levai@gmail.com>
Cc:        freebsd-current@freebsd.org, Mikaël Urankar <mikael.urankar@gmail.com>
Subject:   Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so
Message-ID:  <20141030104639.49a11c14@prometheus>
In-Reply-To: <5451FE9B.9000301@gmail.com>
References:  <20141030092039.47802349@prometheus> <5451F865.4040004@gmail.com> <20141030094749.101ca5f5@prometheus> <5451FE9B.9000301@gmail.com>

On Thu, 30 Oct 2014 10:02:19 +0100
Lévai László <laszlo.lev.levai@gmail.com> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
> 
> On 2014-10-30 09:47, O. Hartmann wrote:
> > On Thu, 30 Oct 2014 09:35:49 +0100 Lévai László
> > <laszlo.lev.levai@gmail.com> wrote:
> > 
> > Hi, try this:
> > 
> > [1] kill all kerberos process
> > [2] to start KDC:
> >     /usr/local/libexec/kdc --detach
> > [3] /usr/local/sbin/kadmin -l
> >     kadmin> list -l *
> > [...]
> > 
> > Principal: krbtgt/...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: unlimited
> >     Max renewable life: unlimited
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:00 UTC
> >     Modifier: unknown
> >     Attributes:
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > 
> > Principal: kadmin/changepw@...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: 5 minutes
> >     Max renewable life: 5 minutes
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:00 UTC
> >     Modifier: unknown
> >     Attributes: pwchange-service, requires-pre-auth, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-postdated
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > 
> > Principal: kadmin/admin@...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: 1 hour
> >     Max renewable life: 1 hour
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:00 UTC
> >     Modifier: unknown
> >     Attributes: requires-pre-auth
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > 
> > Principal: changepw/kerberos@...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: 1 hour
> >     Max renewable life: 1 hour
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:01 UTC
> >     Modifier: unknown
> >     Attributes: pwchange-service, disallow-tgt-based
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > 
> > Principal: kadmin/hprop@...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: 1 hour
> >     Max renewable life: 1 hour
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:01 UTC
> >     Modifier: unknown
> >     Attributes: requires-pre-auth, disallow-tgt-based
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > 
> > Principal: WELLKNOWN/ANONYMOUS@...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: 1 hour
> >     Max renewable life: 1 hour
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:01 UTC
> >     Modifier: unknown
> >     Attributes: requires-pre-auth
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > 
> > Principal: default@...
> >     Principal expires: never
> >     Password expires: never
> >     Last password change: never
> >     Max ticket life: 1 day
> >     Max renewable life: 1 week
> >     Kvno: 1
> >     Mkvno: unknown
> >     Last successful login: never
> >     Last failed login: never
> >     Failed login count: 0
> >     Last modified: 2014-10-28 11:44:01 UTC
> >     Modifier: unknown
> >     Attributes: disallow-all-tix
> >     Keytypes: aes256-cts-hmac-sha1-96(pw-salt), des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> >     PK-INIT ACL:
> >     Aliases:
> > [...]
> > 
> >> Hello.
> > 
> >> This seems not to be the base system's Heimdal since you use
> >> /usr/local as prefix!
> > 
> 
> The base system's Heimdal with OpenLDAP backend did not work for me. So
> I installed the security/heimdal port and OpenLDAP24 server.
> 
> root@lea:~ # /usr/local/libexec/slapd -VV
> @(#) $OpenLDAP: slapd 2.4.40 (Oct 17 2014 16:17:52) $
> 	root@lea...:/usr/ports/net/openldap24-server/work/openldap-2.4.40/servers/slapd
> 
> 
> root@lea:~ # /usr/local/libexec/kdc --version
> kdc (Heimdal 1.5.2)
> Copyright 1995-2011 Kungliga Tekniska Högskolan
> Send bug-reports to heimdal-bugs@h5l.org
> 
> 
> root@lea:~ # /usr/local/libexec/kdc --builtin-hdb
> builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:
> 
> otherwise the system kdc:
> root@lea:~ # /usr/libexec/kdc --builtin-hdb
> builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:
> 
> 
> >> What is your database/storage backend for your Heimdal
> >> installation? Is it OpenLDAP?
> > 
> >> Thank you very much in advance,
> > 
> >> Oliver
> > 
> > 
> > 
> > On 2014-10-30 09:20, O. Hartmann wrote:
> >>>> On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29
> >>>> 07:52:22 CET 2014 amd64) a running net/openldap24-sasl-server
> >>>> system is installed and running and is now about to be the
> >>>> database backend for Kerberos/Heimdal.
> >>>> net/openldap24-sasl-server is at
> >>>> openldap-sasl-server-2.4.40.
> >>>> 
> >>>> The database storage scheme of the LDAP backend is MDB, as it
> >>>> is highly recommended by the vendors of OpenLDAP.
> >>>> 
> >>>> Searching for suitable manuals, I found some HowTos
> >>>> describing how to set up MIT Kerberos V with an OpenLDAP
> >>>> backend and I started following the instructions there.
> >>>> Despite the fact that http://www.h5l.org/manual is dead(!)
> >>>> and no useful documentation or any kind of a hint where to
> >>>> find useful documentation for Heimdal can be found, many of
> >>>> the MIT Kerberos V setup instructions seem to be a dead end
> >>>> when using Heimdal on FreeBSD. Most of the links on that
> >>>> Heimdal site end up in ERROR 404!
> >>>> 
> >>>> Well, I think my objective isn't that exotic in a more
> >>>> advanced server environment and I think since FreeBSD is
> >>>> supposed to be used in advanced server environments this task
> >>>> should be well known - but little information/documentation
> >>>> is available.
> >>>> 
> >>>> Nevertheless, I use the base system's Heimdal implementation
> >>>> and I run into a very frustrating error when trying to run
> >>>> "kadmin -l":
> >>>> 
> >>>> kadmin: error trying to load dynamic module
> >>>> /usr/lib/hdb_ldap.so: Cannot open "/usr/lib/hdb_ldap.so"
> >>>> 
> >>>> The setup for the stanza [kdc] is
> >>>> 
> >>>> [...]
> >>>> [kdc]
> >>>>     database = {
> >>>>         dbname=ldap:ou=kerberos,dc=server,dc=gdr
> >>>>         #hdb-ldap-structural-object     = inetOrgPerson
> >>>>         mkey_file = /var/heimdal/m-key
> >>>>         acl_file = /var/heimdal/kadmind.acl
> >>>>     }
> >>>> 
> >>>> instructions taken from
> >>>> http://www.padl.com/Research/Heimdal.html.
> >>>> 
> >>>> Well, it seems that FreeBSD ships with a crippled Heimdal
> >>>> implementation. Where is /usr/lib/hdb_ldap.so?
> >>>> 
> >>>> I'm toying around with this issue for several days now and it gets
> >>>> more and more frustrating, also with the perspective of
> >>>> having no running Samba 4.1 server for the Windows domain.
> >>>> 
> >>>> Can someone give me a hint where to find suitable FreeBSD
> >>>> docs for a task like this? I guess since FreeBSD is
> >>>> considered a server OS more than a desktop/toy OS, there must
> >>>> be a solution for this. FreeBSD ships with Heimdal in the
> >>>> base, but it seems this Heimdal is broken.
> >>>> 
> >>>> P.S. Please CC me.
> >>>> _______________________________________________
> >>>> freebsd-current@freebsd.org mailing list
> >>>> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> >>>> To unsubscribe, send any mail to
> >>>> "freebsd-current-unsubscribe@freebsd.org"
[...]

Yes, the base system is only a crippled version and I guess it is due
to the fact that OpenLDAP is also NOT part of the base and the
libraries/headers necessary to build the LDAP support in the base
system's Heimdal are missing.

The lack of documentation is simply a mess. I excluded by intention the
port security/heimdal to prove whether FreeBSD is capable of handling a
common and very usual server task like the mentioned scenario.

I overcame this problem by installing the port security/heimdal, but
now I run into the next problem, which is highly intransparent:

kadmin> init MY.REALM
kadmin: hdb_open: ldap_sasl_bind_s: Confidentiality required

My LDAP server expects TLS authentication. I would expect an LDAP-aware
client to look for the proper information
at /usr/local/openldap/ldap.conf. Obviously, Heimdal doesn't. Is there
anything I've missed? Since I cannot find any suitable documentation
(www.h5l.org/manual is dead!), I'm floating dead in the water.

I found several HowTo manuals, but the most sophisticated refers to
MIT Kerberos 5 as mentioned earlier and can be found here:

 http://www.math.ucla.edu/~jimc/documents/ldap/kerberos-ldap-1202.html

But this manual seems to be inapplicable to Heimdal. But without docs
it is hard to impossible (in a reasonable timeframe for productive
use) to figure that out.

Anyway, if there is some hint, I would appreciate it.

Thanks in advance,
Oliver
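A small diagnostic for the first problem in this thread, added here as an example and not part of the mailing-list exchange: it parses the two `kdc --builtin-hdb` outputs and the `[kdc]` stanza quoted above and reports which kdc binary has the configured backend prefix compiled in. The function names are mine; the embedded sample strings are copied from the quoted text, not obtained by running anything.

```python
import re

# Output of `kdc --builtin-hdb` for the two kdc binaries in the thread.
# Constructed from the quoted text; nothing is executed here.
BUILTIN_HDB_OUTPUT = {
    "/usr/libexec/kdc":
        "builtin hdb backends: db:, mit-db:, ndbm:, keytab:, sqlite:",
    "/usr/local/libexec/kdc":
        "builtin hdb backends: ndbm:, keytab:, ldap:, ldapi:, sqlite:",
}

# The [kdc] stanza from the original report (dbname line as quoted).
KRB5_CONF = """
[kdc]
    database = {
        dbname=ldap:ou=kerberos,dc=server,dc=gdr
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
    }
"""


def parse_builtin_hdb(line):
    """Return the backend prefixes (without the trailing colon) that a
    `kdc --builtin-hdb` line reports as compiled in."""
    m = re.search(r"builtin hdb backends:\s*(.*)$", line)
    if not m:
        return set()
    return {s.strip().rstrip(":") for s in m.group(1).split(",") if s.strip()}


def dbname_scheme(conf_text):
    """Return the backend prefix of the first `dbname = <prefix>:...` entry,
    or None when dbname carries no prefix (a plain file path)."""
    m = re.search(r"\bdbname\s*=\s*([^\s}]+)", conf_text)
    if not m or ":" not in m.group(1):
        return None
    return m.group(1).split(":", 1)[0]


def kdcs_supporting(conf_text, outputs):
    """List the kdc binaries whose builtin backends include the configured
    prefix. A kdc that lacks it tries to load hdb_<prefix>.so instead,
    which is the 'Cannot open /usr/lib/hdb_ldap.so' error in the thread."""
    scheme = dbname_scheme(conf_text)
    if scheme is None:
        return []
    return sorted(path for path, line in outputs.items()
                  if scheme in parse_builtin_hdb(line))


if __name__ == "__main__":
    print("backend prefix:", dbname_scheme(KRB5_CONF))
    print("kdc binaries with it built in:",
          kdcs_supporting(KRB5_CONF, BUILTIN_HDB_OUTPUT))
```

On the reporter's machine the same check could be fed the live output of both `kdc --builtin-hdb` invocations instead of the embedded strings.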


