[35844] in Kerberos
Re: kdb5_ldap_util create fails
From: Tobias Hachmer <tobias@hachmer.de>
To: Greg Hudson <ghudson@mit.edu>
Date: Sun, 09 Mar 2014 13:20:07 +0100
Message-ID: <12676738.ViL7FpQ3DS@tobias-pc>
In-Reply-To: <531B82D5.7050807@mit.edu>
Cc: kerberos@mit.edu
Hello Greg,
thanks for your answer and your further tests on this.
On Saturday 08 March 2014 15:51:33 Greg Hudson wrote:
> > Mar 07 16:34:32 ldapkerberos slapd[959]: oc_check_required entry (ou=mit-kerberos,dc=example,dc=com), objectClass "krbContainer"
> > Mar 07 16:34:32 ldapkerberos slapd[959]: Entry (ou=mit-kerberos,dc=example,dc=com), attribute 'ou' not allowed
>
> If I use a cn= as the first element of the container DN, it works.
> Since krbContainer is defined in the schema with attributes "MUST ( cn
> )" and nothing else, this may be expected behavior.
Yes, if I let kdb5_ldap_util create the first container with a cn as the RDN,
it works here also on my Arch Linux machine:
# mit-kerberos, example.com
dn: cn=mit-kerberos,dc=example,dc=com
objectClass: krbContainer
cn: mit-kerberos
> > I have set up a test machine with debian wheezy (kerberos version
> > 1.10.1). With the krb5_ldap_util here everything works fine.
>
> I could produce the same behavior with krb5 1.10, so I don't think
> there has been a relevant change on our side. Perhaps there is a
> different OpenLDAP version on the test machine? Did you use all of
> the same DNs?
Arch Linux machine: OpenLDAP version 2.4.39
Debian Wheezy machine: OpenLDAP version 2.4.31
The differences between the two Kerberos versions I have recognized are the
following:
If the first Kerberos container doesn't exist in the DIT, both kdb5_ldap_util
versions create it as mentioned above.
If I create the first kerberos container manually with objectClass
organizationalUnit like this:
# mit-kerberos, example.com
dn: ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalUnit
ou: mit-kerberos
the kdb5_ldap_util from krb5 1.12.1 exits with the error that the object has no
cn as defined in the schema for the krbContainer object.
But the kdb5_ldap_util from krb5 1.10.1 (Debian test machine) just leaves the
first object as it is and initializes the Kerberos backend in LDAP:
...
# mit-kerberos, example.com
dn: ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalUnit
ou: mit-kerberos
# mit-kdc, mit-kerberos, example.com
dn: cn=mit-kdc,ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kdc
userPassword:: ...
# mit-kadmind, mit-kerberos, example.com
dn: cn=mit-kadmind,ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: mit-kadmind
userPassword:: ...
# EXAMPLE.COM, mit-kerberos, example.com
dn: cn=EXAMPLE.COM,ou=mit-kerberos,dc=example,dc=com
cn: EXAMPLE.COM
objectClass: top
objectClass: krbRealmContainer
objectClass: krbTicketPolicyAux
krbSubTrees: ou=users,dc=example,dc=com
krbSearchScope: 2
...
So, from my point of view this may be a misbehavior of the older version. Now it is
quite straightforward to have the first object of objectClass krbContainer
as defined in kerberos.schema.
Greetings from Germany,
Tobias Hachmer
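As an added example, not part of this thread or of MIT krb5, the two schema checks that slapd logged above (MUST attributes present, RDN attribute allowed) reproduced in Python so a container entry can be validated before kdb5_ldap_util is run. The MUST/MAY table is a hand-transcribed assumption covering only the classes named in the thread, and the LDIF inputs are constructed from the entries quoted above.

```python
# Assumption: MUST/MAY lists transcribed by hand for just the object classes
# named in the thread; nothing is read from a live directory or schema file.
SCHEMA = {
    "organizationalUnit": ({"ou"}, {"description"}),
    "krbContainer": ({"cn"}, set()),
}
# Constructed inputs: the manually created container, and the one kdb5_ldap_util creates.
OU_CONTAINER = """# mit-kerberos, example.com
dn: ou=mit-kerberos,dc=example,dc=com
objectClass: organizationalUnit
ou: mit-kerberos
"""
CN_CONTAINER = """# mit-kerberos, example.com
dn: cn=mit-kerberos,dc=example,dc=com
objectClass: krbContainer
cn: mit-kerberos
"""

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attr: [values]}); '#' comments are skipped."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.lstrip(":").strip()  # '::' marks base64
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def schema_problems(classes, attrs):
    """The checks slapd logged: every MUST attr present, every other attr in MUST or MAY."""
    must, may = set(), set()
    for oc in classes:
        if oc not in SCHEMA:
            return [f"unknown objectClass '{oc}'"]
        must, may = must | SCHEMA[oc][0], may | SCHEMA[oc][1]
    present = {a.lower() for a in attrs if a.lower() != "objectclass"}
    problems = [f"missing required attribute '{a}'" for a in sorted(must - present)]
    problems += [f"attribute '{a}' not allowed" for a in sorted(present - must - may)]
    return problems

def check_container(ldif_text):
    """Problems slapd would report if this DN and its attributes were written with
    objectClass krbContainer (the only class on the container in the thread's LDIF)."""
    dn, attrs = parse_ldif_entry(ldif_text)
    rdn_attr = dn.split(",", 1)[0].split("=", 1)[0].strip()
    attrs.setdefault(rdn_attr, [])  # the RDN attribute is always part of the entry
    return schema_problems({"krbContainer"}, attrs)
```

`check_container(OU_CONTAINER)` reports both messages from the slapd log, while the cn-based container passes; `schema_problems({"organizationalUnit"}, ...)` confirms the ou entry is fine as a plain organizationalUnit, which is why the 1.10 run could leave it untouched.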
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos