Difference between kerberos.openldap.ldif and kerberos.ldif; why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H


Difference between kerberos.openldap.ldif and kerberos.ldif; why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Дилян Палаузов
Hello,

• what is the difference between
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema ,
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif and
krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif ?

https://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/ldapbackend.html suggests doing conversions and replacing
some text in the intermediate file to “dn: cn=kerberos,cn=schema,cn=config cn: kerberos” - a single line, but it likely
means two lines:

dn: cn=kerberos,cn=schema,cn=config
cn: kerberos

Why doesn’t MIT Kerberos provide a schema file that can be used directly, instead of requiring one to convert kerberos.schema with
slaptest and then edit the file?

In fact, instead of the schema conversion described at the link above, I did
  include: krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif
and compared the results.  They are the same.  So why is kerberos.openldap.ldif not recommended, instead of converting
kerberos.schema?

• On the system I am testing,

kdb5_ldap_util -D A1 -w A2 create -r X

correctly uses ldapi://var/run/ldapi to connect. Why do I have to pass -H in order to see the domains:

kdb5_ldap_util -H ldapi://%2Fvar%2Frun%2Fldapi list
XYZ - correct answer
?

kdb5_ldap_util list prints:
kdb5_ldap_util: Cannot bind to LDAP server 'ldapi://' as 'uid=admin_kdc,cn=krbContainer': Can't contact LDAP server
while initializing database

It connects to /usr/local/var/run/ldapi, after reading the URI both from /usr/local/etc/openldap/ldap.conf and from
~/.ldaprc and both latter files contain "URI ldapi://%2Fvar%2Frun%2Fldapi
SASL_MECH EXTERNAL"

In kdc.conf I have
[dbdefaults]
ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi
ldap_kerberos_container_dn = cn=krbContainer
ldap_kdc_dn = uid=admin_kdc,cn=krbContainer
ldap_kadmind_dn = uid=admin_kdc,cn=krbContainer
##  ldap_kadmind_dn = cn=kadmin,c=kerberos
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash

[dbmodules]
LDAP = {
  db_library = kldap
}

and the default realm uses DB2 backend.

• The documentation at https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#dbdefaults suggests,
that if ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi is in the [dbdefaults] section, then it does not have to be listed
in a module within [dbmodules].  I cannot confirm this.  If I have ldap_servers only in dbdefaults, then “kadmin.local
-r X ” cannot find the socket to connect, until I add ldap_servers to [dbmodules] LDAP={..}.

• Once I have created a domain in the (open)ldap backend, ldap_kerberos_container_dn = cn=krbContainer, in a way that
“kdb5_ldap_util -H ldapi://%2Fvar%2Frun%2Fldapi  list” does list the test domain and "kadmin.local -r X" let me add
principals, how can I query with ldapsearch the cn=krbContainer namespace to see what is there?

ldapsearch -b "cn=krbcontainer" -s children shows 32 No such object.

Thanks in advance
  Dilyan

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: Difference between kerberos.openldap.ldif and kerberos.ldif; why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H (2)

Дилян Палаузов
Hello,
> • Once I have created a domain in the (open)ldap backend, ldap_kerberos_container_dn = cn=krbContainer, in a way that
> “kdb5_ldap_util -H ldapi://%2Fvar%2Frun%2Fldapi  list” does list the test domain and "kadmin.local -r X" let me add
> principals, how can I query with ldapsearch the cn=krbContainer namespace to see what is there?
>
> ldapsearch -b "cn=krbcontainer" -s children shows 32 No such object.
>

Never mind, I got it; the EXTERNAL authentication somehow did not work, but

ldapsearch -D "uid=admin_kdc,cn=krbContainer" -w  ABC  -b "cn=krbContainer"

does work.

Regards
  Дилян


Re: Difference between kerberos.openldap.ldif and kerberos.ldif; why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Greg Hudson
On 8/30/19 4:53 PM, Дилян Палаузов wrote:
> • what is the difference between
> krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema ,
> krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif and
> krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif ?

The .schema file is intended for consumption by old-style OpenLDAP
configuration files.  The .ldif file is intended for consumption by
Netscape-derived LDAP servers, I believe, while the .openldap.ldif file
was added more recently for consumption by OpenLDAP cn=config.

> https://web.mit.edu/kerberos/krb5-devel/doc/admin/advanced/ldapbackend.html suggests doing conversions and [...]

That page was written before kerberos.openldap.ldif was added and hasn't
been revised.  I will make a note to update it.

> Why do I have to pass -H in order to see the domains:

I think because of the [dbdefaults] ldap_servers issue described later.

> • The documentation at https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#dbdefaults suggests,
> that if ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi is in the [dbdefaults] section, then it does not have to be listed
> in a module within [dbmodules].  I cannot confirm this.

This appears to be a long-standing documentation error.  I will correct
the documentation to remove ldap_servers from the list of LDAP variables
which can appear in [dbdefaults].
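The documentation error Greg confirms above (ldap_servers is only honored inside the kldap module's own [dbmodules] entry, not in [dbdefaults]) is easy to lint for. The following is an added example, not code from the thread or from MIT krb5: it uses a minimal, assumed parser for the krb5 profile syntax and a constructed kdc.conf sample mirroring the first post, and reports kldap modules that inherit nothing because ldap_servers sits only in [dbdefaults].

```python
import re

# Constructed sample mirroring the kdc.conf from the first post: ldap_servers
# sits in [dbdefaults] only, and the LDAP module does not repeat it.
SAMPLE_KDC_CONF = """\
[dbdefaults]
ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi
ldap_kerberos_container_dn = cn=krbContainer
##  ldap_kadmind_dn = cn=kadmin,c=kerberos
[dbmodules]
LDAP = {
  db_library = kldap
}
"""

def parse_profile(text):
    """Minimal (assumed) krb5 profile parser: [sections], key = value, key = { ... }."""
    conf, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            sub = None
        elif line == "}":
            sub = None                         # close a { ... } subsection
        elif "=" in line and section is not None:
            key, _, value = (p.strip() for p in line.partition("="))
            target = sub if sub is not None else section
            if value == "{":
                sub = target.setdefault(key, {})
            else:
                target[key] = value
    return conf

def kldap_modules(conf):
    """Names of [dbmodules] entries backed by the kldap library."""
    return [name for name, mod in conf.get("dbmodules", {}).items()
            if isinstance(mod, dict) and mod.get("db_library") == "kldap"]

def misplaced_ldap_servers(conf):
    """kldap modules lacking their own ldap_servers while [dbdefaults] has one:
    the [dbdefaults] value is not consulted, so these modules cannot find the server."""
    if "ldap_servers" not in conf.get("dbdefaults", {}):
        return []
    return [m for m in kldap_modules(conf)
            if "ldap_servers" not in conf["dbmodules"][m]]
```

Running `misplaced_ldap_servers(parse_profile(SAMPLE_KDC_CONF))` on the sample returns `['LDAP']`; adding `ldap_servers = ...` inside `LDAP = { ... }` clears the finding.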

Why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Дилян Палаузов
Hello Greg,

thanks for your reply.  I got it somehow on Monday, two days after you sent it.

> > • The documentation at https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/kdc_conf.html#dbdefaults suggests,
> > that if ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi is in the [dbdefaults] section, then it does not have to be listed
> > in a module within [dbmodules].  I cannot confirm this.
>
> This appears to be a long-standing documentation error.  I will correct
> the documentation to remove ldap_servers from the list of LDAP variables
> which can appear in [dbdefaults].

Alright.  While “kdb5_ldap_util create -r Y.EXAMPLE” does take the ldap address from the ldap_servers setting for the
realm/domain, so no -H parameter is necessary, how is “kdb5_ldap_util list” supposed to obtain the address of the
ldap_server to connect to?  Does it use, if -H is missing, the ldap_server of the default domain?

Regards
  Дилян


Re: Why kdb5_ldap_util create does not need -H but kdb5_ldap_util list needs -H

Greg Hudson
On 9/6/19 11:43 AM, Дилян Палаузов wrote:
> Alright.  While “kdb5_ldap_util create -r Y.EXAMPLE” does take the ldap address from the ldap_servers setting for the
> realm/domain, so no -H parameter is necessary, how is “kdb5_ldap_util list” supposed to obtain the address of the
> ldap_server to connect to?  Does it use, if -H is missing, the ldap_server of the default domain?

Yes.

> Is there any way that MIT Kerberos with LDAP can use the
> user passwords stored in inetorgperson:userPassword attribute, instead from the krbPrincipalKey: attribute?  The use
> case is to reuse an existing infrastructure, where passwords are already hashed in userPassword.

No, a Kerberos database cannot use hashed LDAP passwords.  Kerberos uses
an enctype-specific string-to-key conversion on passwords, and that
conversion doesn't resemble the password hashing used in LDAP.

> admin/conf_ldap.html proposes these access rights:

These and some of the other rights can be removed from the
documentation, as far as I can tell.  They may date back to the Novell
eDirectory origins of the LDAP KDB module.

I filed https://github.com/krb5/krb5/pull/974 to update the
documentation, and will merge it after review.  Thanks for the detailed
feedback.  (Also, per the ticket you filed a week ago, I will look into
adding epub versions of the documentation.)