hdb-ldap backend and Samba integration



Hi everybody.

Disclaimer: I'm new to Heimdal and Kerberos in general. Despite having read 
lots of documentation (down to the Kerberos RFCs), I might still ask 
newbie-level questions.

I'm trying to set up Heimdal, LDAP and Samba to play together. After a week 
spent reading various sources of documentation, and installing a Heimdal 
Kerberos KDC, I think I found the right way to go.

I installed OpenLDAP-2.3.29, Heimdal-0.7.2 and Samba. Heimdal is configured 
with the LDAP backend, which works properly. I'm able to add principals to 
the realm, things are fine so far.

To integrate Heimdal and Samba, I plan to use the smbk5pwd overlay on OpenLDAP 
which changes all the user credentials (Samba hashes and Kerberos hashes) 
itself when a password change extended operation is requested. This requires 
Heimdal principal information and Samba account information to be stored in a 
single common entry in the LDAP directory.

To achieve that, I tried to set hdb-ldap-structural-object to inetOrgPerson 
instead of the default value "account". I ran into two problems.

First, the directive should be inside the database = { ... } group according 
to the documentation. However, I found out that Heimdal-0.7.2 looks in the 
[kdc] section itself. Is that a bug?

Then, after successfully setting hdb-ldap-structural-object to inetOrgPerson 
in the configuration file, OpenLDAP complains when adding a principal.

root@kdc:~# kadmin -l
kadmin> add laurent
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
laurent@TECHNOTRADE.BIZ's Password:
Verifying - laurent@TECHNOTRADE.BIZ's Password:
kadmin: kadm5_create_principal: ldap_add_s: laurent@TECHNOTRADE.BIZ 
(dn=krb5PrincipalName=laurent@TECHNOTRADE.BIZ,ou=People,dc=technotrade,dc=biz) 
Object class violation: object class 'inetOrgPerson' requires attribute 'sn'
kadmin: adding laurent: Insufficient access to lock database

Nothing wrong there in OpenLDAP. The sn attribute is required. I'm 
unfortunately blocked by the problem.

What should I do? Should I use another object class? Should kadmin somehow 
set the sn attribute? Should I use another method to add a principal? 
Should I go a completely different way?

I'd really appreciate any help I could get. I'm not scared of hacking on 
Heimdal, as long as the change doesn't involve a complete refactoring.

Laurent Pinchart
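As an added example that is not part of Laurent's post, nor code from Heimdal, OpenLDAP or Samba: a small Python script that parses one LDIF record and checks it against a hand-written excerpt of object-class MUST lists. It reproduces the "inetOrgPerson requires attribute sn" violation from the kadmin session above and shows a combined entry (inetOrgPerson + krb5Principal/krb5KDCEntry + sambaSamAccount) that satisfies every class, which is the shape of entry the smbk5pwd overlay expects to maintain. The schema excerpt, the sambaSID value and both sample entries are assumptions constructed for the demonstration; verify them against the schema files your slapd actually loads.

```python
"""Added example (not from the post or from Heimdal/OpenLDAP/Samba): parse one
LDIF record and check it against an excerpt of object-class MUST lists, so the
'inetOrgPerson requires attribute sn' violation is caught before slapd sees it.
The schema excerpt and both sample entries are constructed assumptions."""

# Assumed excerpt of MUST attribute lists (lower-cased, inherited MUSTs folded
# into the child class). Check these against the schema files your slapd loads.
MUST = {
    "top": {"objectclass"},
    "account": {"uid"},
    "inetorgperson": {"cn", "sn"},            # inherited from person
    "krb5principal": {"krb5principalname"},
    "krb5kdcentry": {"krb5principalname", "krb5keyversionnumber"},
    "sambasamaccount": {"uid", "sambasid"},
}


def parse_ldif(text):
    """Parse a single LDIF record into {attr_lowercase: [values]}.
    Folds continuation lines (leading space) and skips comments/blank lines."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            logical.append(raw)
    entry = {}
    for line in logical:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def missing_attributes(entry):
    """Return {objectClass: [missing MUST attrs]} for every violated class.
    slapd reports only the first violation it finds; this lists all of them."""
    problems = {}
    for oc in entry.get("objectclass", []):
        required = MUST.get(oc.lower(), set())
        missing = sorted(a for a in required if a not in entry)
        if missing:
            problems[oc] = missing
    return problems


# Constructed: roughly what kadmin tried to add (no sn), per the error message.
BROKEN = """\
dn: krb5PrincipalName=laurent@TECHNOTRADE.BIZ,ou=People,dc=technotrade,dc=biz
objectClass: top
objectClass: inetOrgPerson
objectClass: krb5Principal
objectClass: krb5KDCEntry
cn: laurent
uid: laurent
krb5PrincipalName: laurent@TECHNOTRADE.BIZ
krb5KeyVersionNumber: 1
"""

# Constructed: one combined entry carrying Kerberos and Samba account data.
# The sambaSID is a placeholder. Secret-bearing attributes (krb5Key,
# sambaNTPassword) are deliberately left out: they are what smbk5pwd
# maintains, and what the directory's ACLs must keep unreadable.
FIXED = BROKEN + """\
objectClass: sambaSamAccount
sn: Pinchart
sambaSID: S-1-5-21-0-0-0-1000
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, missing_attributes(parse_ldif(text)) or "OK")
```

Running the script prints the missing `sn` for the broken record and `OK` for the combined one; feeding it the LDIF you intend to load with `ldapadd` (or the entry kadmin would generate) tells you up front which attribute each object class still needs, without the trial-and-error round trip through slapd.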