Setting up the KDC ldap backend


Setting up the KDC ldap backend

John Byrne
Hi,

I'm trying to set up the KDC with the LDAP plugin. I've been using:

https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
and
https://web.mit.edu/kerberos/krb5-latest/doc/admin/advanced/ldapbackend.html#ldap-be-ubuntu

as references (I'm not using Ubuntu, I'm using CentOS 7 but most of the
info on the Ubuntu page above seems to be fairly generic).

When I run the command to create the database, it challenges me for a
password. I didn't set one up, and if I just hit enter, I get this:

$ sudo kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
Password for "cn=admin,dc=example,dc=com":
kdb5_ldap_util: Cannot allocate memory while retrieving ldap configuration

Now, I don't really know much about LDAP, so I could be missing something.
Do I have to create "cn=admin,dc=example,dc=com" as a user somehow before I
run this?

I've tried reading up on LDAP, but I haven't found anything that explains
what I need to do here. I'm looking for a shortcut to the quickest possible
setup - I don't really need LDAP except that I'm trying to test constrained
delegation in a web application, and apparently that only works with the
LDAP backend.

Can anyone explain what's the bare minimum I need to do to get this
working?

Thanks,
John
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: Setting up the KDC ldap backend

Todd Grayson
I'm not sure what's going on with the error message you are seeing.

As far as how-to info: the Hortonworks community has a walkthrough of MIT
KDC with LDAP backend on CentOS7, here:

https://community.hortonworks.com/articles/199542/configuring-kerberos-with-openldap-back-end.html

On Tue, Feb 5, 2019 at 1:33 PM John Byrne <[hidden email]> wrote:


--
Todd Grayson
Customer Operations Engineering
Security SME

Re: Setting up the KDC ldap backend

John Byrne
Thanks for the replies. I had found a walkthrough on setting up LDAP on
its own on that site too:
https://community.hortonworks.com/articles/79806/how-to-setup-openldap-24-on-centos-7.html

And that explained how to set up the user with the access I needed - that
got me past that error from my last email.

Now I'm getting this:

$ kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
Password for "cn=admin,dc=example,dc=com":
Initializing database for realm 'EXAMPLE.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
kdb5_ldap_util: Kerberos Container create FAILED: No such object while
creating realm 'EXAMPLE.COM'

I'll take a look at the tutorial you linked to, but I just thought I'd post
this and see if anyone recognizes the error message.

-John


On Wed, Feb 6, 2019 at 11:49 AM Todd Grayson <[hidden email]> wrote:

Re: Setting up the KDC ldap backend

Mark Pröhl
On 2/5/19 9:30 PM, John Byrne wrote:
>.... I'm trying to test constrained
> delegation in a web application, and apparently that only works with the
> LDAP backend.

Hi all,

is this still true for 1.17?

- Mark

Re: Setting up the KDC ldap backend

John Byrne
In case anyone has a similar issue, I was able to get it set up eventually.
The problem was that I needed to create the "dc=example,dc=com" entry
first. I don't understand why I was able to create a rootdn user called
"cn=admin,dc=example,dc=com" if "dc=example,dc=com" doesn't exist, but
anyway I created an ldif file like this:

dn: dc=example,dc=com
objectClass: domain

And after running ldapmodify on that, I was able to finish creating the
krb5 database.

Thanks,
John


On Wed, Feb 6, 2019 at 12:21 PM John Byrne <[hidden email]> wrote:
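Added example, not from the thread, for the fix John describes: a POSIX shell preflight that emits the LDIF for the suffix entry the KDC realm will live under and adds it only when the directory answers noSuchObject, so `kdb5_ldap_util create` no longer fails with "Kerberos Container create FAILED: No such object". It reuses the `ldapi:///` URI and `cn=admin,dc=example,dc=com` bind DN from the thread; the function names, the `KDC_BASE_DN`/`KDC_BIND_DN` variables and the password prompting via `-W` are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). kdb5_ldap_util creates cn=krbContainer
# below the suffix; if the suffix entry itself is missing, the server returns
# noSuchObject and the tool reports "Kerberos Container create FAILED".

# Emit LDIF for a suffix entry, choosing an objectClass that matches the
# naming attribute of the first RDN. The domain class requires a dc value,
# so the naming attribute is written out explicitly.
base_ldif() {
  dn=$1
  rdn=${dn%%,*}      # e.g. dc=example
  attr=${rdn%%=*}    # dc
  val=${rdn#*=}      # example
  case $attr in
    dc) oc=domain ;;
    o)  oc=organization ;;
    ou) oc=organizationalUnit ;;
    *)  echo "base_ldif: unsupported naming attribute '$attr'" >&2; return 1 ;;
  esac
  printf 'dn: %s\nobjectClass: %s\n%s: %s\n' "$dn" "$oc" "$attr" "$val"
}

# Probe the suffix with a base-scope search. ldapsearch exits with the LDAP
# result code, so 32 means noSuchObject and only then is the entry added.
# Any other failure (bad credentials, server down) is reported, not hidden.
# Needs the openldap-clients tools; -W prompts for the bind password.
ensure_base() {
  base=$1; binddn=$2; uri=${3:-ldapi:///}
  rc=0
  ldapsearch -H "$uri" -D "$binddn" -W -LLL -s base -b "$base" dn >/dev/null || rc=$?
  case $rc in
    0)  echo "suffix $base already present"; return 0 ;;
    32) echo "suffix $base missing, adding it"
        base_ldif "$base" | ldapadd -H "$uri" -D "$binddn" -W ;;
    *)  echo "ldapsearch failed with LDAP result code $rc" >&2; return "$rc" ;;
  esac
}

# Only touch a live directory when KDC_BASE_DN is set (assumed variable), e.g.
#   KDC_BASE_DN=dc=example,dc=com sh ensure_base.sh
if [ -n "${KDC_BASE_DN:-}" ]; then
  ensure_base "$KDC_BASE_DN" "${KDC_BIND_DN:-cn=admin,dc=example,dc=com}"
fi
```

After the suffix exists, the `kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s` command from the thread can be run as before.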