LDAP and Kerberos
Hi, I'm working on better security for my server (SuSE Pro 9.2) and decided to implement Kerberos (0.6.2-8, the original heimdal rpm from SuSE 9.2) and LDAP (openldap2-2.2.15-5). I found this excellent howto: http://www.opentechnet.com/auth-howto/ar01s06.html. Now I have one problem. I started to write my Kerberos information into the LDAP directory under the tree ou=kerberos,cn=exaple,cn=com, just as described in 6.2.1 to 6.2.7. When I now change the Kerberos settings in my krb5.conf to

    [kdc]
        database = {
            realm = HIBYTE.DE
            dbname = ldap:dc=example,dc=com
            mkey_file = /var/heimdal/m-key
        }

and then run 'kadmin -l list *', the return is empty. In the syslog file I see the following entries:

    Jan 28 17:27:44 linux slapd[17048]: conn=44 fd=13 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=0 BIND dn="" method=163
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=0 BIND authcid="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth@EXAPLE.COM"
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=0 BIND dn="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL ssf=0
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=1 SRCH base="dc=exaple.com,dc=de" scope=1 deref=0 filter="(objectClass=krb5KDCEntry)"
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=1 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm krb5KeyVersionNumber krb5Key krb5ValidStart krb5ValidEnd krb5PasswordEnd krb5MaxLife krb5MaxRenew krb5KDCFlags krb5EncryptionType modifiersName modifyTimestamp creatorsName createTimestamp
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Jan 28 17:27:44 linux slapd[17048]: conn=44 op=2 UNBIND
    Jan 28 17:27:44 linux slapd[17048]: conn=44 fd=13 closed

If I change krb5.conf to

    [kdc]
        database = {
            realm = HIBYTE.DE
            dbname = ldap:ou=kerberos,dc=example,dc=com
            mkey_file = /var/heimdal/m-key
        }

and then run 'kadmin -l list *', I see all users.

I think the problem is the search scope of Kerberos. In the log file the scope is 1; is there a possibility to change this behaviour to scope=2?

Jörg
info.bogenrieder@sytech.de
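As an added example (not part of Jörg's post and not Heimdal or OpenLDAP code), the following Python script reads the slapd lines quoted in the post and reports what the KDC actually asked the directory for: the bind identity and SASL mechanism, and the search base, scope and number of returned entries. It also implements LDAP search-scope semantics so you can check, before touching krb5.conf, whether a given principal entry would be returned for a given dbname base. The principal DN used for the check is a hypothetical placeholder; the scope codes 0/1/2/3 are OpenLDAP's base/one/sub/children as they appear in its logs.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scope codes as OpenLDAP logs them: base, one level, subtree, subordinates.
SCOPE_NAMES = {0: "base", 1: "one", 2: "sub", 3: "children"}

# slapd lines copied from the post above (the search base is quoted as logged).
SLAPD_LOG = """\
Jan 28 17:27:44 linux slapd[17048]: conn=44 fd=13 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=0 BIND dn="" method=163
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=0 BIND authcid="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth@EXAPLE.COM"
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=0 BIND dn="uidnumber=0+gidnumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL ssf=0
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=1 SRCH base="dc=exaple.com,dc=de" scope=1 deref=0 filter="(objectClass=krb5KDCEntry)"
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=1 SRCH attr=krb5PrincipalName cn krb5PrincipalRealm krb5KeyVersionNumber krb5Key
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 28 17:27:44 linux slapd[17048]: conn=44 op=2 UNBIND
Jan 28 17:27:44 linux slapd[17048]: conn=44 fd=13 closed
"""

# Hypothetical DN of one principal stored under the ou=kerberos container (assumption).
EXAMPLE_PRINCIPAL_DN = "krb5PrincipalName=joerg@HIBYTE.DE,ou=kerberos,dc=example,dc=com"


@dataclass
class Op:
    conn: int
    op: int
    kind: str = ""                                   # BIND, SRCH, UNBIND, ...
    fields: Dict[str, str] = field(default_factory=dict)
    nentries: Optional[int] = None                   # filled from "SEARCH RESULT"
    err: Optional[int] = None


LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (\w+)(?: (.*))?$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')          # key=value or key="quoted value"


def _kvs(text: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_slapd_log(text: str) -> Dict[Tuple[int, int], Op]:
    """Group slapd 'stats' log lines into one record per (conn, op)."""
    ops: Dict[Tuple[int, int], Op] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                                 # ACCEPT / closed lines carry no op=
        conn, opnum, kind, rest = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4) or ""
        rec = ops.setdefault((conn, opnum), Op(conn, opnum))
        if kind == "SEARCH":                         # "SEARCH RESULT ..." closes the SRCH op
            kv = _kvs(rest)
            rec.nentries, rec.err = int(kv["nentries"]), int(kv["err"])
        else:
            rec.kind = rec.kind or kind
            rec.fields.update(_kvs(rest))            # later BIND lines add mech/ssf/final dn
    return ops


def normalize_dn(dn: str) -> List[str]:
    """Split a DN into lower-cased RDN components (no escaped-comma handling; fine for these DNs)."""
    return [c.strip().lower() for c in re.split(r"(?<!\\),", dn) if c.strip()]


def dn_depth_below(entry_dn: str, base_dn: str) -> int:
    """Levels of entry below base, 0 if equal, -1 if entry is not under base at all."""
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return -1
    return len(entry) - len(base)


def visible_under(entry_dn: str, base_dn: str, scope: int) -> bool:
    """Would a search with this base and scope return entry_dn (ignoring the filter and ACLs)?"""
    depth = dn_depth_below(entry_dn, base_dn)
    if depth < 0:
        return False
    return {0: depth == 0, 1: depth == 1, 2: True, 3: depth >= 1}[scope]


def diagnose(ops: Dict[Tuple[int, int], Op], principal_dn: str) -> List[str]:
    """Explain, from the log alone, why a KDC search for krb5KDCEntry objects came back empty."""
    findings = []
    for rec in ops.values():
        if rec.kind == "BIND" and rec.fields.get("mech") == "EXTERNAL":
            # Whatever identity the KDC binds as must be allowed by slapd ACLs to read krb5Key.
            findings.append(f"conn={rec.conn}: bound as '{rec.fields.get('dn')}' via SASL EXTERNAL, ssf={rec.fields.get('ssf')}")
        if rec.kind == "SRCH" and "krb5KDCEntry" in rec.fields.get("filter", "") and rec.nentries == 0:
            scope, base = int(rec.fields["scope"]), rec.fields["base"]
            depth = dn_depth_below(principal_dn, base)
            where = "not under that base at all" if depth < 0 else f"{depth} level(s) below it"
            findings.append(f"conn={rec.conn} op={rec.op}: scope={SCOPE_NAMES[scope]} search under '{base}' returned 0 entries; {principal_dn} is {where}")
    return findings


if __name__ == "__main__":
    for line in diagnose(parse_slapd_log(SLAPD_LOG), EXAMPLE_PRINCIPAL_DN):
        print(line)
    for base in ("dc=example,dc=com", "ou=kerberos,dc=example,dc=com"):
        print(base, {SCOPE_NAMES[s]: visible_under(EXAMPLE_PRINCIPAL_DN, base, s) for s in SCOPE_NAMES})
```

Running it makes the mechanism visible: a one-level (scope=1) search returns only direct children of the base, so principal entries parked under ou=kerberos are invisible when dbname points one level higher, and become visible when dbname names the container that directly holds them, which is what the second krb5.conf does. The script only reads the log; whether the KDC's own search scope can be configured is a question for the Heimdal side. Two things a practitioner should also note from the same lines: the bind is SASL EXTERNAL over the ldapi socket using root's peer credentials (uidnumber=0+gidnumber=0) with ssf=0, and slapd's ACLs must grant that identity read access to krb5Key, or the search will succeed with err=0 and still return nothing useful.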