Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so
O. Hartmann
ohartman at zedat.fu-berlin.de
Thu Oct 30 08:48:31 UTC 2014
On Thu, 30 Oct 2014 09:35:49 +0100
Lévai László <laszlo.lev.levai at gmail.com> wrote:
>
> Hi, try this:
>
> [1] kill all Kerberos processes
> [2] to start KDC: /usr/local/libexec/kdc --detach
> [3] /usr/local/sbin/kadmin -l
> kadmin> list -l *
> [...]
>
> Principal: krbtgt/...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: unlimited
> Max renewable life: unlimited
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes:
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/changepw at ...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 5 minutes
> Max renewable life: 5 minutes
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes: pwchange-service, requires-pre-auth,
> disallow-proxiable, disallow-renewable, disallow-tgt-based,
> disallow-postdated
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/admin at ...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:00 UTC
> Modifier: unknown
> Attributes: requires-pre-auth
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: changepw/kerberos at ...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: pwchange-service, disallow-tgt-based
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: kadmin/hprop at ...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: requires-pre-auth, disallow-tgt-based
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: WELLKNOWN/ANONYMOUS at ...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 hour
> Max renewable life: 1 hour
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: requires-pre-auth
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
>
> Principal: default at ...
> Principal expires: never
> Password expires: never
> Last password change: never
> Max ticket life: 1 day
> Max renewable life: 1 week
> Kvno: 1
> Mkvno: unknown
> Last successful login: never
> Last failed login: never
> Failed login count: 0
> Last modified: 2014-10-28 11:44:01 UTC
> Modifier: unknown
> Attributes: disallow-all-tix
> Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
> des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
> PK-INIT ACL:
> Aliases:
> [...]
Hello.
This seems not to be the base system's Heimdal since you use /usr/local
as prefix!
What is your database/storage backend for your Heimdal installation?
Is it OpenLDAP?
Thank you very much in advance,
Oliver
>
>
> On 2014-10-30 09:20, O. Hartmann wrote:
> > On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29 07:52:22
> > CET 2014 amd64) a running net/openldap24-sasl-server system is
> > installed and running and is now about to be the database backend
> > for Kerberos/Heimdal. net/openldap24-sasl-server is at
> > openldap-sasl-server-2.4.40.
> >
> > The database storage scheme of the LDAP backend is MDB, as it is
> > highly recommended by the vendors of OpenLDAP.
> >
> > Searching for suitable manuals, I found some HowTos describing how
> > to set up MIT Kerberos V with an OpenLDAP backend and I started
> > following the instructions there. Despite the fact that
> > http://www.h5l.org/manual is dead(!) and no useful documentation
> > or any kind of a hint where to find useful documentation for
> > Heimdal can be found, many of the MIT Kerberos V setup instructions
> > seem to be a dead end when using Heimdal on FreeBSD. Most of the
> > links on that heimdal site end up in ERROR 404!
> >
> > Well, I think my objective isn't that exotic in a more advanced
> > server environment and I think since FreeBSD is supposed to be used
> > in advanced server environments this task should be well known -
> > but little information/documentation is available.
> >
> > Nevertheless, I use the base system's heimdal implementation and I
> > run into a very frustrating error when trying to run "kadmin -l":
> >
> > kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so:
> > Cannot open "/usr/lib/hdb_ldap.so"
> >
> > The setup for the stanza [kdc] is
> >
> > [...]
> > [kdc]
> >     database = {
> >         dbname=ldap:ou=kerberos,dc=server,dc=gdr
> >         #hdb-ldap-structural-object = inetOrgPerson
> >         mkey_file = /var/heimdal/m-key
> >         acl_file = /var/heimdal/kadmind.acl
> >     }
> >
> > instructions taken from
> > http://www.padl.com/Research/Heimdal.html.
> >
> > Well, it seems that FreeBSD ships with a crippled heimdal
> > implementation. Where is /usr/lib/hdb_ldap.so?
> >
> > I'm toying around with this issue for several days now and it gets more
> > and more frustrating, also with the perspective of having no
> > running samba 4.1 server for the windows domain.
> >
> > Can someone give me a hint where to find suitable FreeBSD docs for
> > a task like this? I guess since FreeBSD is considered a server OS
> > more than a desktop/toy OS, there must be a solution for this.
> > FreeBSD ships with heimdal in the base, but it seems this heimdal
> > is broken.
> >
> > P.S. Please CC me.
> > _______________________________________________
> > freebsd-current at freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-current
> > To unsubscribe, send any mail to
> > "freebsd-current-unsubscribe at freebsd.org"
> >
>
> --
> Respectfully,
> Lévai László
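The failure quoted in this thread (kadmin refusing to start because the `ldap:` dbname makes it load a `hdb_ldap.so` that the installed Heimdal does not ship) can be caught before the KDC is started, rather than discovered from the error. The script below is an added example written for this page; it is not code from the thread, from FreeBSD or from Heimdal. It reads the `[kdc]` section of a krb5.conf, decides whether `dbname` selects the LDAP HDB backend, and looks for `hdb_ldap.so` in a colon-separated list of library directories. The krb5.conf it writes for its demo is constructed here, modelled on the stanza quoted in the mail, and the `/usr/lib:/usr/local/lib` search list is an assumption (base system and ports prefixes), not something the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from Heimdal: a pre-start check
# for the "Cannot open hdb_ldap.so" failure. It reads the [kdc] section of a
# krb5.conf, decides whether dbname selects the LDAP HDB backend, and looks
# for the hdb_ldap.so module in a colon-separated list of directories.

# Print the dbname value from the [kdc] section of the given krb5.conf.
# Commented-out lines (#...) are ignored, so a disabled dbname is not picked up,
# and dbname lines in other sections are not considered.
hdb_dbname() {
    awk '
        /^[[:space:]]*\[/ { in_kdc = ($0 ~ /^[[:space:]]*\[kdc\]/) }
        in_kdc && /^[[:space:]]*#/ { next }
        in_kdc && /^[[:space:]]*dbname[[:space:]]*=/ {
            sub(/^[[:space:]]*dbname[[:space:]]*=[[:space:]]*/, "")
            sub(/[[:space:]]+$/, "")
            print
            exit
        }
    ' "$1"
}

# Exit 0 when a dbname selects the LDAP backend, i.e. it starts with the
# "ldap:" or "ldapi:" prefix that makes the KDC load hdb_ldap.so.
hdb_is_ldap() {
    case "$1" in
        ldap:*|ldapi:*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Search a colon-separated directory list for hdb_ldap.so; print the first
# match and exit 0, or exit 1 when the module is in none of them.
find_hdb_ldap() {
    saved_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$saved_ifs
    for dir in "$@"; do
        if [ -f "$dir/hdb_ldap.so" ]; then
            printf '%s\n' "$dir/hdb_ldap.so"
            return 0
        fi
    done
    return 1
}

# Combine the pieces. Exit status: 0 = nothing to object to, 1 = LDAP backend
# configured but hdb_ldap.so not found (the situation in the thread),
# 2 = no dbname in the [kdc] section at all.
check_hdb_backend() {
    conf=$1
    libdirs=$2
    dbname=$(hdb_dbname "$conf")
    if [ -z "$dbname" ]; then
        printf 'no dbname in the [kdc] section of %s\n' "$conf"
        return 2
    fi
    if ! hdb_is_ldap "$dbname"; then
        printf 'dbname %s does not use the LDAP backend; hdb_ldap.so not needed\n' "$dbname"
        return 0
    fi
    if module=$(find_hdb_ldap "$libdirs"); then
        printf 'dbname %s uses the LDAP backend; found %s\n' "$dbname" "$module"
        return 0
    fi
    printf 'dbname %s uses the LDAP backend but hdb_ldap.so is not in %s\n' "$dbname" "$libdirs"
    return 1
}

# Demo on a constructed krb5.conf modelled on the stanza quoted in the mail.
# The directory list is an assumption: base-system and ports library paths.
demo_dir=$(mktemp -d)
cat > "$demo_dir/krb5.conf" <<'EOF'
[kdc]
    database = {
        dbname = ldap:ou=kerberos,dc=server,dc=gdr
        #hdb-ldap-structural-object = inetOrgPerson
        mkey_file = /var/heimdal/m-key
        acl_file = /var/heimdal/kadmind.acl
    }
EOF
check_hdb_backend "$demo_dir/krb5.conf" "/usr/lib:/usr/local/lib" || true
rm -rf "$demo_dir"
```

Run it against the real krb5.conf and the library directories of the Heimdal build you intend to use (base system versus the port under /usr/local) before starting kdc or kadmind; an exit status of 1 means the configured backend cannot be loaded by that build, which is what the quoted error reports after the fact.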