Date: Thu, 30 Oct 2014 23:39:14 +0100
From: László Lévai <laszlo.lev.levai@gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: freebsd-current <freebsd-current@freebsd.org>, "O. Hartmann" <ohartman@zedat.fu-berlin.de>
Subject: Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so
Message-ID: <CAFYdZ7iu-LNwHgsL=_dux5a0veVzdW+h9QUxRLR2xfH4eEmW4A@mail.gmail.com>
In-Reply-To: <alpine.GSO.1.10.1410301621550.27826@multics.mit.edu>
References: <20141030092039.47802349@prometheus> <alpine.GSO.1.10.1410301621550.27826@multics.mit.edu>
This afternoon I deleted Heimdal. I will start from the beginning with the security/krb5 port.

On 2014.10.30. 21:52, "Benjamin Kaduk" <kaduk@mit.edu> wrote:

> [stripping -questions; please don't cross-post]
>
> Disclaimer: I am part of the group that develops MIT Kerberos
>
> On Thu, 30 Oct 2014, O. Hartmann wrote:
>
> > Searching for suitable manuals, I found some HowTos describing how to
> > setup MIT Kerberos V with an OpenLDAP backend and I started following
> > the instructions there. Despite the fact that http://www.h5l.org/manual
>
> I am not sure why. I guess you already discovered this, but the MIT KDC
> and the Heimdal KDC are very different beasts to administer. The
> instructions for one have no bearing on the other.
>
> > is dead(!) and no useful documentation or any kind of a hint where to
>
> That was reported to their mailing list independently just today
> (http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/7836)
>
> > find useful documentation for Heimdal can be found, many of the MIT
> > Kerberos V setup instructions seem to be a dead end when using Heimdal
> > on FreeBSD. Most of the links on that heimdal site end up in ERROR 404!
> >
> > Well, I think my objective isn't that exotic in a more advanced server
> > environment and I think since FreeBSD is supposed to be used in
> > advanced server environments this task should be well known - but
> > little information/documentation is available.
>
> In my experience, most people getting into administering Kerberos KDCs do
> so by learning from someone else already doing so (usually in the same
> organization), so there is not always written documentation. In my
> (biased) opinion, the MIT documentation is pretty good; the upstream
> Heimdal documentation less so.
>
> > Nevertheless, I use the base system's heimdal implementation and I run
> > into a very frustrating error when trying to run "kadmin -l":
> >
> > kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so:
> > Cannot open "/usr/lib/hdb_ldap.so"
> >
> > The setup for the stanza [kdc] is
> >
> > [...]
> > [kdc]
> > database = {
> >     dbname=ldap:ou=kerberos,dc=server,dc=gdr
> >     #hdb-ldap-structural-object = inetOrgPerson
> >     mkey_file = /var/heimdal/m-key
> >     acl_file = /var/heimdal/kadmind.acl
> > }
> >
> > instructions taken from http://www.padl.com/Research/Heimdal.html.
> >
> > Well, it seems that FreeBSD ships with a crippled heimdal
> > implementation. Where is /usr/lib/hdb_ldap.so?
>
> You keep using this word "crippled", and I fail to understand why. It is
> functioning as intended. The FreeBSD base system ships with a limited set
> of tools, which allow many common server tasks to be performed, but
> certainly not all, and are not intended to fulfil all advanced server
> setups. The bundled Heimdal is there to provide the libraries and client
> utilities, which can be indispensable in many environments, and the KDC
> implementation is included because it can be useful in simple, small
> setups. If you need a more complicated Kerberos setup, you should be
> installing a KDC from ports, or arguably even building from source! The
> KDC in base functions suitably for the role it is intended to play; that
> is hardly "crippled".
>
> You probably noted that the base system now has dma, and sendmail is on
> its way out. Sendmail is a pretty big hammer, bigger than what is needed
> for use by the base system, and dma is more appropriate. The tools in the
> base system have a purpose, and they are not always suitable for
> everything in their appropriate area.
>
> > I'm toying around this issue for several days now and it gets more and
> > more frustrating, also with the perspective of having no running samba
> > 4.1 server for the windows domain.
> >
> > Can someone give me a hint where to find suitable FreeBSD docs for a
> > task like this? I guess since FreeBSD is considered a server OS more
> > than a desktop/toy OS, there must be a solution for this. FreeBSD ships
> > with heimdal in the base, but it seems this heimdal is broken.
>
> Again, don't use the heimdal from base if you need fancy features.
>
> (Are you even tied to Heimdal? If not, you already found the
> documentation for using LDAP as a backend for an MIT KDC...)
>
>
> From your later message:
>
> > The lack of documentation is simply a mess. I excluded by intention the
> > port security/heimdal to prove whether FreeBSD is capable of handling a
> > common and very usual server task like the mentioned scenario.
>
> I cannot agree that your mentioned scenario is common and very usual. In
> my experience the majority of Unix standalone KDC deployments use the
> default (local) database backend, not an LDAP backend. (Fancy things like
> Samba, IPA, and AD are different, but they are also not in the domain of
> things in the base system!)
>
> > I overcame this problem by installing the port security/heimdal, but
> > now I run into the next problem which is highly intransparent:
> >
> > kadmin> init MY.REALM
> > kadmin: hdb_open: ldap_sasl_bind_s: Confidentiality required
> >
> > My LDAP server expects TLS authentication. I would expect an LDAP-aware
> > client to look for the proper information
> > at /usr/local/openldap/ldap.conf. Obviously, Heimdal doesn't. Is there
>
> I'm not sure that I would. The LDAP database holding KDB information may
> not be the default LDAP database for the rest of the system (e.g., for
> nsswitch), and contains sensitive key data; having to specify additional
> configuration for it seems reasonable to me.
>
> I don't know if you followed the MIT documentation this far, but an MIT
> KDC needing to authenticate to bind to its LDAP server needs to
> have configuration for this in kdc.conf.
>
> > anything I've missed? Since I cannot find any suitable documentation
> > (www.h5l.org/manual is dead!), I'm floating dead in the water.
>
> I don't know of any documentation for doing this with Heimdal, sorry. If
> you were using MIT Kerberos I could be more helpful.
>
> -Ben
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe@freebsd.org"
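The two failures discussed in the thread, the [kdc] database stanza that loads the LDAP backend and the "ldap_sasl_bind_s: Confidentiality required" rejection, both come down to how the KDC reaches its LDAP server. The following Python is an added illustration, not code from Heimdal, FreeBSD or any poster in the thread: it parses a krb5.conf-style [kdc] stanza of the shape quoted above (nested `key = { ... }` blocks) and reports whether the configured LDAP transport (an ldapi:// UNIX socket, ldaps://, or StartTLS) can satisfy a server that enforces confidentiality, which is exactly what a plaintext ldap:// bind cannot do. The option names hdb-ldap-url and hdb-ldap-start-tls are assumed to be Heimdal [kdc] options; the sample stanzas and the LDAP host in them are constructed.

```python
"""Parse a Heimdal-style krb5.conf [kdc] stanza and check whether the LDAP
backend connection can satisfy an LDAP server that enforces confidentiality.

Added example; not code from Heimdal, FreeBSD or any poster in the thread.
Assumptions (labelled): hdb-ldap-url and hdb-ldap-start-tls are taken to be
Heimdal [kdc] option names; the samples below are constructed after the
stanza quoted in the thread, with a made-up LDAP host.
"""
import re
from typing import Any, Dict, List

# Constructed sample modelled on the stanza quoted in the thread, plus an
# assumed hdb-ldap-url pointing at a plaintext ldap:// server.
SAMPLE_PLAINTEXT = """
[kdc]
    database = {
        dbname = ldap:ou=kerberos,dc=server,dc=gdr
        #hdb-ldap-structural-object = inetOrgPerson
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
    }
    hdb-ldap-url = ldap://ldap.example.invalid
"""

# Same stanza, but reaching slapd over the local UNIX socket instead.
SAMPLE_LDAPI = SAMPLE_PLAINTEXT.replace("ldap://ldap.example.invalid", "ldapi:///")

Block = Dict[str, Any]


def parse_krb5_conf(text: str) -> Dict[str, Block]:
    """Parse [section] / key = value / key = { ... } syntax into nested dicts."""
    root: Dict[str, Block] = {}
    stack: List[Block] = []            # innermost open block is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError("new section while a '{' block is still open")
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if not stack:
            raise ValueError("key/value outside any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("unbalanced '}'")
            stack.pop()
            continue
        m = re.match(r"^([^=\s]+)\s*=\s*(.*)$", line)   # split on the first '='
        if not m:
            raise ValueError("cannot parse line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block: Block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block at end of input")
    return root


def check_ldap_backend(conf: Dict[str, Block]) -> Dict[str, Any]:
    """Report how the KDC reaches its LDAP backend and whether that channel
    offers confidentiality (ldapi:// socket, ldaps://, or StartTLS)."""
    kdc = conf.get("kdc", {})
    database = kdc.get("database", {})
    dbname = database.get("dbname", "") if isinstance(database, dict) else ""
    result: Dict[str, Any] = {"backend": "local", "transport": None,
                              "confidential": True, "findings": []}
    if not dbname.startswith("ldap"):
        return result                  # file-based HDB: nothing to check here
    result["backend"] = "ldap"
    # The server may be embedded in dbname (ldap://host/base) or, for the bare
    # "ldap:<base>" form on the page, given in the assumed hdb-ldap-url option.
    url = dbname if "://" in dbname else kdc.get("hdb-ldap-url", "")
    start_tls = kdc.get("hdb-ldap-start-tls", "false").lower() in ("true", "yes", "1")
    if url.startswith("ldapi://"):
        result["transport"] = "ldapi"      # local UNIX socket, never on the wire
    elif url.startswith("ldaps://"):
        result["transport"] = "ldaps"
    else:
        result["transport"] = "ldap+starttls" if start_tls else "ldap"
        if not start_tls:
            result["confidential"] = False
            result["findings"].append(
                "KDC binds to %s without TLS; a server that requires "
                "confidentiality refuses the SASL bind (the thread's "
                "'ldap_sasl_bind_s: Confidentiality required')"
                % (url or "the default ldap:// server"))
    return result


if __name__ == "__main__":
    for name, sample in (("plaintext", SAMPLE_PLAINTEXT), ("ldapi", SAMPLE_LDAPI)):
        report = check_ldap_backend(parse_krb5_conf(sample))
        print(name, report["transport"], "confidential=%s" % report["confidential"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run against the first sample the checker flags the plaintext ldap:// bind and quotes the rejection the thread shows; against the second, the ldapi:// socket passes, because a UNIX-domain connection never leaves the host and slapd treats it as confidential for its security-strength check.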