From owner-freebsd-current@FreeBSD.ORG Thu Oct 30 22:39:17 2014
Date: Thu, 30 Oct 2014 23:39:14 +0100
Subject: Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so
From: László Lévai
To: Benjamin Kaduk
References: <20141030092039.47802349@prometheus>
Cc: freebsd-current, "O. Hartmann"

This afternoon I deleted Heimdal. I will start from the beginning with the security/krb5 port.

On 2014.10.30. 21:52, "Benjamin Kaduk" wrote:

> [stripping -questions; please don't cross-post]
>
> Disclaimer: I am part of the group that develops MIT Kerberos
>
> On Thu, 30 Oct 2014, O. Hartmann wrote:
>
> > Searching for suitable manuals, I found some HowTos describing how to
> > set up MIT Kerberos V with an OpenLDAP backend and I started following
> > the instructions there. Despite the fact that http://www.h5l.org/manual
>
> I am not sure why. I guess you already discovered this, but the MIT KDC
> and the Heimdal KDC are very different beasts to administer. The
> instructions for one have no bearing on the other.
>
> > is dead(!) and no useful documentation or any kind of a hint where to
>
> That was reported to their mailing list independently just today
> (http://permalink.gmane.org/gmane.comp.encryption.kerberos.heimdal.general/7836)
>
> > find useful documentation for Heimdal can be found, many of the MIT
> > Kerberos V setup instructions seem to be a dead end when using Heimdal
> > on FreeBSD. Most of the links on that heimdal site end up in ERROR 404!
> >
> > Well, I think my objective isn't that exotic in a more advanced server
> > environment and I think since FreeBSD is supposed to be used in
> > advanced server environments this task should be well known - but
> > little information/documentation is available.
>
> In my experience, most people getting into administering Kerberos KDCs do
> so by learning from someone else already doing so (usually in the same
> organization), so there is not always written documentation. In my
> (biased) opinion, the MIT documentation is pretty good; the upstream
> Heimdal documentation less so.
>
> > Nevertheless, I use the base system's heimdal implementation and I run
> > into a very frustrating error when trying to run "kadmin -l":
> >
> > kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so:
> > Cannot open "/usr/lib/hdb_ldap.so"
> >
> > The setup for the stanza [kdc] is
> >
> > [...]
> > [kdc]
> > database = {
> > dbname=ldap:ou=kerberos,dc=server,dc=gdr
> > #hdb-ldap-structural-object = inetOrgPerson
> > mkey_file = /var/heimdal/m-key
> > acl_file = /var/heimdal/kadmind.acl
> > }
> >
> > instructions taken from http://www.padl.com/Research/Heimdal.html.
> >
> > Well, it seems that FreeBSD ships with a crippled heimdal
> > implementation. Where is /usr/lib/hdb_ldap.so?
>
> You keep using this word "crippled", and I fail to understand why. It is
> functioning as intended. The FreeBSD base system ships with a limited set
> of tools, which allow many common server tasks to be performed, but
> certainly not all, and are not intended to fulfil all advanced server
> setups. The bundled Heimdal is there to provide the libraries and client
> utilities, which can be indispensable in many environments, and the KDC
> implementation is included because it can be useful in simple, small
> setups. If you need a more complicated Kerberos setup, you should be
> installing a KDC from ports, or arguably even building from source! The
> KDC in base functions suitably for the role it is intended to play; that
> is hardly "crippled".
>
> You probably noted that the base system now has dma, and sendmail is on
> its way out.
> Sendmail is a pretty big hammer, bigger than what is needed
> for use by the base system, and dma is more appropriate. The tools in the
> base system have a purpose, and they are not always suitable for
> everything in their appropriate area.
>
> > I'm toying around with this issue for several days now and it gets more and
> > more frustrating, also with the perspective of having no running samba
> > 4.1 server for the windows domain.
> >
> > Can someone give me a hint where to find suitable FreeBSD docs for a
> > task like this? I guess since FreeBSD is considered a server OS more
> > than a desktop/toy OS, there must be a solution for this. FreeBSD ships
> > with heimdal in the base, but it seems this heimdal is broken.
>
> Again, don't use the heimdal from base if you need fancy features.
>
> (Are you even tied to Heimdal? If not, you already found the
> documentation for using LDAP as a backend for an MIT KDC...)
>
>
> From your later message:
>
> > The lack of documentation is simply a mess. I excluded by intention the
> > port security/heimdal to prove whether FreeBSD is capable of handling a
> > common and very usual server task like the mentioned scenario.
>
> I cannot agree that your mentioned scenario is common and very usual. In
> my experience the majority of Unix standalone KDC deployments use the
> default (local) database backend, not an LDAP backend. (Fancy things like
> Samba, IPA, and AD are different, but they are also not in the domain of
> things in the base system!)
>
> > I overcame this problem by installing the port security/heimdal, but
> > now I run into the next problem which is highly intransparent:
> >
> > kadmin> init MY.REALM
> > kadmin: hdb_open: ldap_sasl_bind_s: Confidentiality required
> >
> > My LDAP server expects TLS authentication. I would expect an LDAP-aware
> > client to look for the proper information
> > at /usr/local/openldap/ldap.conf. Obviously, Heimdal doesn't. Is there
>
> I'm not sure that I would.
> The LDAP database holding KDB information may
> not be the default LDAP database for the rest of the system (e.g., for
> nsswitch), and contains sensitive key data; having to specify additional
> configuration for it seems reasonable to me.
>
> I don't know if you followed the MIT documentation this far, but an MIT
> KDC needing to authenticate to bind to its LDAP server needs to
> have configuration for this in kdc.conf.
>
> > anything I've missed? Since I cannot find any suitable documentation
> > (www.h5l.org/manual is dead!), I'm floating dead in the water.
>
> I don't know of any documentation for doing this with Heimdal, sorry. If
> you were using MIT Kerberos I could be more helpful.
>
> -Ben
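The two failures in the quoted thread (a `dbname = ldap:...` backend whose `hdb_ldap.so` module is not installed, and an `ldap_sasl_bind_s` that the directory rejects with "Confidentiality required") are both visible before `kadmin` is ever run. The following preflight script is an added example written for this archive page; it is not code from Heimdal, FreeBSD or any of the posters. It parses the brace-nested krb5.conf syntax shown in the thread and reports those two conditions plus missing `mkey_file`/`acl_file` paths. Assumptions, labelled in the code: the module search directories (`/usr/lib`, `/usr/local/lib`) are defaults I chose, not paths the thread confirms for the port, and the set of dbname prefixes treated as reaching the directory over a local socket or TLS (`ldapi:`, `ldaps:`) is mine. The "Confidentiality required" result is what an OpenLDAP server returns when a bind's security strength factor is below the minimum its `security` policy demands.

```python
"""Preflight check for a Heimdal-style krb5.conf [kdc] database stanza.

Constructed example for this thread, not code from Heimdal, FreeBSD or the
posters. It parses the brace-nested krb5.conf syntax and reports the two
failure modes the thread hits: an ldap: backend whose hdb_ldap.so module is
not installed, and an LDAP bind over a plain connection, which a directory
enforcing a minimum SSF refuses with "Confidentiality required".
"""
import os
import re

# Constructed sample, shaped like the stanza quoted in the thread.
SAMPLE_CONF = """
[libdefaults]
    default_realm = MY.REALM

[kdc]
    database = {
        dbname = ldap:ou=kerberos,dc=server,dc=gdr
        #hdb-ldap-structural-object = inetOrgPerson
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
    }
"""

# Assumption: a dbname beginning with one of these prefixes reaches the
# directory over a local socket or TLS; a bare "ldap:" prefix does not.
CONFIDENTIAL_PREFIXES = ("ldapi:", "ldaps:")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value or nested dict}}.

    A line "key = {" opens a nested binding, "}" closes it, lines starting
    with "#" are comments, and "key = value" splits on the first "=" so
    DN values such as ou=kerberos,dc=server keep their own "=" signs.
    """
    root = {}
    stack = []      # open dicts, innermost last; stack[0] is the section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        section = re.fullmatch(r"\[(\S+)\]", line)
        if section:
            if len(stack) > 1:
                raise ValueError("section header inside an open '{': %r" % raw)
            stack = [root.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError("binding before any [section]: %r" % raw)
        if line == "}":
            if len(stack) < 2:
                raise ValueError("'}' without matching '{'")
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError("expected 'key = value': %r" % raw)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unterminated '{' binding at end of file")
    return root


def find_hdb_ldap_module(search_dirs):
    """Return the first hdb_ldap.so found under search_dirs, else None."""
    for directory in search_dirs:
        candidate = os.path.join(directory, "hdb_ldap.so")
        if os.path.isfile(candidate):
            return candidate
    return None


def check_kdc_database(conf, module_dirs=("/usr/lib", "/usr/local/lib")):
    """Return a list of (code, message) findings for conf['kdc']['database'].

    module_dirs is where to look for hdb_ldap.so; the defaults are an
    assumption (base system and ports prefix), not paths from the thread.
    """
    findings = []
    db = conf.get("kdc", {}).get("database")
    if not isinstance(db, dict):
        return [("no-database-stanza", "no [kdc] database = { ... } stanza")]
    dbname = db.get("dbname", "")
    if not dbname.startswith("ldap"):
        return findings     # local backend: nothing from the thread applies
    if find_hdb_ldap_module(module_dirs) is None:
        findings.append(("no-hdb-ldap-module",
                         "dbname selects the ldap backend but hdb_ldap.so is "
                         "not in %s; the base-system Heimdal does not ship "
                         "it, install a KDC from ports" % ", ".join(module_dirs)))
    if not dbname.startswith(CONFIDENTIAL_PREFIXES):
        findings.append(("plain-ldap-transport",
                         "dbname %r binds without a local socket or TLS; a "
                         "directory enforcing a minimum SSF answers "
                         "'Confidentiality required'" % dbname))
    for key in ("mkey_file", "acl_file"):
        path = db.get(key)
        if path and not os.path.exists(path):
            findings.append(("missing-" + key, "%s %s does not exist" % (key, path)))
    return findings


if __name__ == "__main__":
    for code, message in check_kdc_database(parse_krb5_conf(SAMPLE_CONF)):
        print("%s: %s" % (code, message))
```

Run against the constructed stanza on a host without the ports KDC, it reports `no-hdb-ldap-module` and `plain-ldap-transport`, which is the order in which the thread's original poster hit the problems. The parser deliberately raises on an unbalanced brace rather than guessing, since a silently mis-nested `database = { ... }` would put `mkey_file` in the wrong scope and the KDC would start with a key file it cannot find.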