Review the password stash steps used to provide the kdc/kadmin processes
their password in order to bind to ldap.

Manually start the kadmind process with debugging turned on and run it in the
foreground.  You will likely see where things go wrong.

Passwords may not match, the password may not be in the right file, the
permissions could be off...
On Mar 19, 2015 1:54 AM, "Verónica Ovando" <[email protected]> wrote:

>  I am trying to set up Kerberos with OpenLDAP backend. I followed this
> doc http://web.mit.edu/Kerberos/www/krb5-1.12/doc/admin/conf_ldap.html
> and this
> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-openldap
>
> My krb5.conf file looks like this:
>
>  [libdefaults]
>     default_realm = EXAMPLE.TEST
>     dns_lookup_realm = false
>     dns_lookup_kdc = false
>     rdns = false
>
> [kdcdefaults]
>     restrict_anonymous_to_tgt = true
>
> # The following krb5.conf variables are only for MIT Kerberos.
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>
> # The following libdefaults parameters are only for Heimdal Kerberos.
>     v4_instance_resolve = false
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>         plain = {
>             something = something-else
>         }
>     }
>     fcc-mit-ticketflags = true
>
> [realms]
> # configuration for my realm
>     EXAMPLE.TEST = {
>         kdc = krb1.example.test:88
>         kdc = krb2.example.test:88
>         admin_server = krb1.example.test
>         default_domain = example.test
>         database_module = openldap_ldapconf
>     }
>
> [domain_realm]
> # configuration for my server
>     .example.test = EXAMPLE.TEST
>     EXAMPLE.test = EXAMPLE.TEST
>
> [dbdefaults]
>         ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=test
>
> [dbmodules]
>         openldap_ldapconf = {
>                 db_library = kldap
>                 ldap_kdc_dn = "cn=krbadmin,dc=example,dc=test"
>
>                 # this object needs to have read rights on
>                 # the realm container, principal container and realm sub-trees
>         ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=test"
>
>                 # this object needs to have read and write rights on
>                 # the realm container, principal container and realm sub-trees
>                 ldap_service_password_file = /etc/krb5kdc/service.keyfile
>                 ldap_servers = ldap://127.0.0.1
>                 ldap_conns_per_server = 5
>         }
>
> [login]
> #   krb4_convert = true
> #   krb4_get_tickets = false
>
> [logging]
>     kdc = FILE:/var/log/kerberos/krb5kdc.log
>     admin_server = FILE:/var/log/kerberos/kadmin.log
>     default = FILE:/var/log/kerberos/krb5lib.log
>
> I added the krbPrincipalName index:
>  dn: olcDatabase={1}hdb,cn=config
> add: olcDbIndex
> olcDbIndex: krbPrincipalName eq,pres,sub
>
> I gave permissions to the kadmind and krb5kdc for reading and writing in the
> LDAP database:
>  dn: olcDatabase={1}hdb,cn=config
> replace: olcAccess
> olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by
> dn="cn=krbadmin,dc=example,dc=com" write by anonymous auth by self write by
> * none
> -
> add: olcAccess
> olcAccess: to dn.base="" by * read
> -
> add: olcAccess
> olcAccess: to * by dn="cn=krbadmin,dc=example,dc=com" write
> by * read
>
> When I try to restart the krb5-admin-server I get this error:
>
> *[....] Restarting Kerberos administrative servers: kadmindkadmind:
> Invalid credentials while initializing, aborting failed!*
>
> Any suggestion for solving this problem? I think there is a missing
> configuration on my LDAP, but I am not sure.
>
> Thanks in advance.
>
> --
> Verónica Ovando

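The reply above boils the problem down to three things to verify about the kldap stash: the password in the stash matches, it is in the file krb5.conf points at, and the file's permissions are sane. The script below is an added example (not code from either poster) that performs those checks offline against a krb5.conf using the `[dbmodules]` keys from the quoted configuration. It assumes the stash format that `kdb5_ldap_util stashsrvpw` writes, one `<dn>#{HEX}<hex-encoded password>` line per DN; the temporary files, the DN `cn=krbadmin,dc=example,dc=test`, and the password `s3cret` are constructed sample data, and the second "bad" setup is built deliberately with a stash entry for a DN under a different suffix so the detection path is exercised.

```shell
#!/bin/sh
# Added example, not from the thread: offline checks of the kldap service
# password stash that the KDC and kadmind read to bind to LDAP. Assumptions:
# the [dbmodules] keys used in the quoted krb5.conf, and the stash format
# written by "kdb5_ldap_util stashsrvpw": one "<dn>#{HEX}<hex password>" line.

# Print the value of key $2 in config file $1 (first match, quotes stripped).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d '"' | head -n 1
}

# Hex-encode string $1 the way the stash file stores passwords.
hex_of() {
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
}

# Succeed if stash file $1 has a well-formed entry for exactly DN $2.
stash_has_dn() {
    awk -F'#' -v dn="$2" '
        $1 == dn && substr($2, 1, 5) == "{HEX}" && substr($2, 6) ~ /^[0-9A-Fa-f]+$/ { ok = 1 }
        END { exit !ok }' "$1"
}

# Succeed if the password stashed for DN $2 in file $1 equals cleartext $3.
stash_matches_password() {
    stored=$(awk -F'#' -v dn="$2" '$1 == dn { print substr($2, 6); exit }' "$1" | tr 'A-F' 'a-f')
    [ -n "$stored" ] && [ "$stored" = "$(hex_of "$3")" ]
}

# Succeed if file $1 grants no permissions to group or others (e.g. mode 0600).
stash_perms_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Run every check for krb5.conf $1; print findings, succeed only if all pass.
check_stash_setup() {
    conf=$1; rc=0
    stash=$(conf_value "$conf" ldap_service_password_file)
    if [ ! -r "$stash" ]; then
        echo "stash file '$stash' is missing or unreadable"; return 1
    fi
    stash_perms_ok "$stash" || { echo "stash '$stash' is group/world readable"; rc=1; }
    for key in ldap_kdc_dn ldap_kadmind_dn; do
        dn=$(conf_value "$conf" "$key")
        if stash_has_dn "$stash" "$dn"; then
            echo "$key: entry present for $dn"
        else
            echo "$key: NO entry for $dn in $stash"; rc=1
        fi
    done
    return $rc
}

# --- Constructed sample environment (not real site data) ---
TMP=$(mktemp -d)
GOOD_CONF=$TMP/krb5.conf;     GOOD_STASH=$TMP/service.keyfile
BAD_CONF=$TMP/krb5-bad.conf;  BAD_STASH=$TMP/service-bad.keyfile
cat >"$GOOD_CONF" <<EOF
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=krbadmin,dc=example,dc=test"
        ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=test"
        ldap_service_password_file = $GOOD_STASH
    }
EOF
# Stash holding the configured DN with the constructed password "s3cret".
printf 'cn=krbadmin,dc=example,dc=test#{HEX}%s\n' "$(hex_of s3cret)" >"$GOOD_STASH"
chmod 600 "$GOOD_STASH"
# Second setup: same krb5.conf, but the stash was written for a DN under another
# suffix and left group/world readable, so both checks should flag it.
sed "s|$GOOD_STASH|$BAD_STASH|" "$GOOD_CONF" >"$BAD_CONF"
printf 'cn=krbadmin,dc=example,dc=com#{HEX}%s\n' "$(hex_of s3cret)" >"$BAD_STASH"
chmod 644 "$BAD_STASH"

check_stash_setup "$GOOD_CONF" && echo "good setup: OK"
check_stash_setup "$BAD_CONF" || echo "bad setup: problems found"
```

If the stash passes these checks, the remaining question is whether LDAP accepts that DN and password at all; the foreground run the reply recommends is, on MIT krb5, `kadmind -nofork` (with `KRB5_TRACE=/dev/stderr` set for library tracing), which reports the bind error directly instead of leaving only the one-line "Invalid credentials while initializing" in the init script output.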