Aw: Re: kerberized OpenLDAP
Wolf-Agathon Schaly
2010-03-31 05:58:49 UTC
Thank you Guillaume for your helpful answer.

What I've done on the LDAP server:
I've generated a -randkey ldap/***@PRIVAT.NET LDAP service key, modified the relevant ldap startup file to provide the path where LDAP will find its keytab file, and restarted the entire host - just to make sure that no old TCP connection will block TCP port 389 (LDAP).


Checked the krb5kdc.log while the user calls kinit - YES - the initial communication is fine, the user gets its TGT.
When I do the ldapsearch -x on the server, as expected all is fine (Kerberos not yet involved).
When I do the ldapsearch -Y GSSAPI (on the server) - YES, all is fine. But something is weird.
When I check my klist I get in return:

klist
Valid starting Expires Service principal
03/29/10 13:07:54 03/30/10 14:07:54 krbtgt/***@PRIVAT.NET
renew until 04/05/10 13:07:54
03/29/10 13:08:04 03/30/10 14:07:54 ldap/localhost@
renew until 04/05/10 13:07:54
03/29/10 13:08:04 03/30/10 14:07:54 ldap/***@PRIVAT.NET
renew until 04/05/10 13:07:54

Hmmm - what I did next: I changed the keytab.
Removed the localhost stuff and added the ldap/***@PRIVAT.NET principal (unfortunately only that one).

What I'm going to do next: I'll generate a keytab file including both ldap/localhost and ldap/declips.privat.net and will try it out.

I'll keep you updated.

cheers
Wolf-Agathon


----- Original Message ----
From: Guillaume Rousse <***@inria.fr>
To: openldap-***@openldap.org, ***@mit.edu
Date: 30.03.2010 13:15
Subject: Re: kerberized OpenLDAP
If I leave the LDAP server listening on the TCP address of localhost
(127.0.0.1) declips is cool.
If I change the entry in /etc/openldap/ldap.conf from
URI=ldap://127.0.0.1/
to
URI=ldap://10.1.1.1/
I'm facing the same issue (gss_accept_sec_context) as on levante.
Is there somebody out there who can lead me to a solution?
It seems like a name canonicalisation error to me, as you have a
multihomed setup, and the result varies with the IP address you're using.
You have to ensure the principal used in the LDAP server keytab (its SPN)
matches both the ones used by clients when they ask for a service ticket (DNS
hostname for the IP address used in their /etc/openldap/ldap.conf files),
and the one used by the server itself (by default, the one returned by
gethostname(), otherwise the one specified with the sasl_hostname directive
in its configuration file).
You may also check in the KDC logs which principals are requested by
clients.
--
magnetic interference from money/credit cards
________________________________________________
Kerberos mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
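The rule Guillaume gives above (the keytab must contain both the SPN each client derives from the host in its ldap.conf URI and the SPN the server itself uses) can be checked mechanically. The script below is an added example, not code from the thread or from OpenLDAP/MIT Kerberos: it parses `klist -k` output and compares it against the expected SPNs. The reverse-DNS table, the keytab listing and the hostnames are constructed stand-ins for `gethostbyaddr()` and the real keytab.

```python
"""Check that an LDAP server's keytab holds the SPNs its clients will request.

Added example. Models the rule from the thread: the keytab needs
  (a) ldap/<canonical DNS name of the IP in each client's ldap.conf URI>, and
  (b) ldap/<gethostname()>, or ldap/<sasl_hostname> when that directive is set.
Live DNS is replaced by a constructed table so the check runs offline.
"""
import re
from typing import Optional
from urllib.parse import urlparse

REALM = "PRIVAT.NET"

# Constructed reverse-DNS table standing in for gethostbyaddr() (assumption).
REVERSE_DNS = {
    "127.0.0.1": "localhost",
    "10.1.1.1": "declips.privat.net",
}

# Constructed `klist -k` output: keytab after the localhost entry was removed,
# so only the FQDN principal remains.
KLIST_K_OUTPUT = """\
Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/declips.privat.net@PRIVAT.NET
"""


def keytab_principals(klist_output: str) -> set:
    """Parse `klist -k` output into the set of principals it lists."""
    rows = re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_output, re.M)
    return {m.group(1) for m in rows}


def client_spn(ldap_uri: str, reverse_dns: dict = REVERSE_DNS) -> str:
    """SPN a client requests for the host in its ldap.conf URI: ldap/<canonical name>."""
    host = urlparse(ldap_uri).hostname
    canonical = reverse_dns.get(host, host)  # a hostname in the URI is used as written
    return f"ldap/{canonical}@{REALM}"


def server_spn(gethostname: str, sasl_hostname: Optional[str] = None) -> str:
    """SPN the server accepts: sasl_hostname if configured, else gethostname()."""
    return f"ldap/{sasl_hostname or gethostname}@{REALM}"


def missing_spns(client_uris, gethostname, klist_output, sasl_hostname=None) -> list:
    """Return the SPNs that clients or the server need but the keytab lacks."""
    have = keytab_principals(klist_output)
    need = {client_spn(u) for u in client_uris} | {server_spn(gethostname, sasl_hostname)}
    return sorted(need - have)
```

With URI=ldap://127.0.0.1/ the client asks for ldap/localhost, which this keytab no longer holds; switching every client to the FQDN, or setting sasl_hostname to it, makes the missing list empty.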
