[35839] in Kerberos


kdb5_ldap_util create fails

daemon@ATHENA.MIT.EDU (Tobias Hachmer)
Sat Mar 8 12:26:36 2014

From: Tobias Hachmer <tobias@hachmer.de>
To: kerberos@mit.edu
Date: Sat, 08 Mar 2014 18:26:06 +0100
Message-ID: <3873755.Echvvdaxdu@tobias-pc>

Hello list,

I am going to set up a KDC with an OpenLDAP backend.

Environment:
Arch Linux with:
 - Kerberos version 1.12.1 from official core repo
 - OpenLDAP version 2.4.39 from official core repo

What I have done:
 - very basic clean DIT
 - Kerberos schema is loaded
 - organizational unit for Kerberos objects is created
 - environment variable KRB5_CONFIG is set to the correct kdc.conf

While running "kdb5_ldap_util create -D cn=manager,dc=example,dc=com -r 
EXAMPLE.COM -s -sscope sub -subtrees ou=users,dc=example,dc=com" I get this 
error:

kdb5_ldap_util: Kerberos Container create FAILED: Object class violation while 
creating realm 'EXAMPLE.COM'

verbose log output from openldap:

...
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 do_add
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 do_add: dn (ou=mit-kerberos,dc=example,dc=com)
Mar 07 16:34:32 ldapkerberos slapd[959]: >>> dnPrettyNormal: <ou=mit-kerberos,dc=example,dc=com>
Mar 07 16:34:32 ldapkerberos slapd[959]: <<< dnPrettyNormal: <ou=mit-kerberos,dc=example,dc=com>, <ou=mit-kerberos,dc=example,dc=com>
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 ADD dn="ou=mit-kerberos,dc=example,dc=com"
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_dn2entry("ou=mit-kerberos,dc=example,dc=com")
Mar 07 16:34:32 ldapkerberos slapd[959]: => bdb_dn2id("ou=mit-kerberos,dc=example,dc=com")
Mar 07 16:34:32 ldapkerberos slapd[959]: <= bdb_dn2id: get failed: BDB0073 DB_NOTFOUND: No matching key/data pair found (-30988)
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_referrals: tag=104 target="ou=mit-kerberos,dc=example,dc=com" matched="dc=example,dc=com"
Mar 07 16:34:32 ldapkerberos slapd[959]: ==> bdb_add: ou=mit-kerberos,dc=example,dc=com
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "objectClass"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "cn"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "structuralObjectClass"
Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_allowed type "ou"
Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed
Mar 07 16:34:32 ldapkerberos slapd[959]: bdb_add: entry failed schema check: attribute 'ou' not allowed (65)
Mar 07 16:34:32 ldapkerberos slapd[959]: send_ldap_result: conn=1005 op=1 p=3
Mar 07 16:34:32 ldapkerberos slapd[959]: send_ldap_result: err=65 matched="" text="attribute 'ou' not allowed"
Mar 07 16:34:32 ldapkerberos slapd[959]: send_ldap_response: msgid=2 tag=105 err=65
Mar 07 16:34:32 ldapkerberos slapd[959]: conn=1005 op=1 RESULT tag=105 err=65 text=attribute 'ou' not allowed
...

I have set up a test machine with Debian wheezy (Kerberos version 1.10.1).
With the kdb5_ldap_util there, everything works fine.

Is there anyone here who can tell me what's wrong here, maybe a bug in
kdb5_ldap_util or some schema changes?

Thanks and kind regards,
Tobias Hachmer
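
Added example (not part of the original message, and not code from MIT krb5 or OpenLDAP): a Python script that correlates the slapd debug lines quoted above and reports, for each ADD rejected with err=65, the object class checked, the rejected attribute, and whether that attribute is the one naming the entry in its DN. The sample log is the message's own output with mail line-wrapping undone; the function and field names are hypothetical.

```python
import re

# Lines taken from the log in the message above, with mail wrapping undone.
P = "Mar 07 16:34:32 ldapkerberos slapd[959]: "
SAMPLE_LOG = "\n".join(P + s for s in [
    'conn=1005 op=1 ADD dn="ou=mit-kerberos,dc=example,dc=com"',
    'oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"',
    'oc_check_allowed type "objectClass"',
    'oc_check_allowed type "cn"',
    'oc_check_allowed type "structuralObjectClass"',
    'oc_check_allowed type "ou"',
    "Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed",
    "conn=1005 op=1 RESULT tag=105 err=65 text=attribute 'ou' not allowed",
])

ADD_RE = re.compile(r'conn=(\d+) op=(\d+) ADD dn="([^"]*)"')
OC_RE = re.compile(r'oc_check_required entry \((.*)\), objectClass "([^"]+)"')
ALLOWED_RE = re.compile(r'oc_check_allowed type "([^"]+)"')
REJECT_RE = re.compile(r"Entry \((.*)\), attribute '([^']+)' not allowed")
# tag=105 is the LDAP AddResponse; err=65 is objectClassViolation.
RESULT_RE = re.compile(r"conn=(\d+) op=(\d+) RESULT tag=105 err=(\d+)")


def schema_failures(log_text):
    """Return one record per ADD that slapd rejected with err=65."""
    ops, cur, findings = {}, None, []
    for line in log_text.splitlines():
        if m := ADD_RE.search(line):
            ops[(m[1], m[2])] = m[3]            # (conn, op) -> DN being added
        elif m := OC_RE.search(line):
            if cur is None or cur["dn"] != m[1]:
                cur = {"dn": m[1], "classes": [], "checked": [], "rejected": None}
            cur["classes"].append(m[2])
        elif cur and (m := ALLOWED_RE.search(line)):
            cur["checked"].append(m[1])         # logged before the verdict
        elif cur and (m := REJECT_RE.search(line)) and m[1] == cur["dn"]:
            cur["rejected"] = m[2]
        elif (m := RESULT_RE.search(line)) and m[3] == "65":
            dn = ops.pop((m[1], m[2]), None)
            if cur and cur["dn"] == dn and cur["rejected"]:
                # The attribute type before the first '=' names the entry.
                rdn_attr = dn.split("=", 1)[0].strip().lower()
                hit = rdn_attr == cur["rejected"].lower()
                findings.append({**cur, "rdn_attr": rdn_attr, "rdn_rejected": hit})
                cur = None
    return findings


if __name__ == "__main__":
    for f in schema_failures(SAMPLE_LOG):
        print(f)
```

For the log above, the record shows that the rejected attribute `ou` is the naming attribute of the DN being added under objectClass `krbContainer`, while `cn` passed the same check.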



