Aw: Re: kerberized OpenLDAP
Wolf-Agathon Schaly
schaly_wolf-agathon at arcor.de
Wed Mar 31 01:58:49 EDT 2010
Thank you, Guillaume, for your helpful answer.
What I've done on the LDAP server:
I've generated a -randkey ldap/declips.privat.net@PRIVAT.NET LDAP service key, modified the relevant LDAP startup file to provide the path where LDAP will find its keytab file, and restarted the entire host - just to make sure that no old TCP connection will block TCP port 389 (LDAP).
Checked the krb5kdc.log while the user calls kinit - YES - the initial communication is fine, the user gets its TGT.
When I do the ldapsearch -x on the server, as expected all is fine (LDAP not yet involved).
When I do the ldapsearch -Y GSSAPI (on the server) - YES, all is fine. But something is weird.
When I check my klist, I get in return:
klist
Valid starting     Expires            Service principal
03/29/10 13:07:54  03/30/10 14:07:54  krbtgt/PRIVAT.NET@PRIVAT.NET
        renew until 04/05/10 13:07:54
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@
        renew until 04/05/10 13:07:54
03/29/10 13:08:04  03/30/10 14:07:54  ldap/localhost@PRIVAT.NET
        renew until 04/05/10 13:07:54
Hmmm - what I did next: I changed the keytab.
Removed the localhost stuff and added the ldap/declips.privat.net@PRIVAT.NET principal (unfortunately only that one).
What I'm going to do next - I'll generate a keytab file including both ldap/localhost and ldap/declips.privat.net and will try it out.
I'll keep you updated.
cheers
Wolf-Agathon
----- Original Message ----
From: Guillaume Rousse <Guillaume.Rousse at inria.fr>
To: openldap-software at openldap.org, kerberos at mit.edu
Date: 30.03.2010 13:15
Subject: Re: kerberized OpenLDAP
> On 29/03/2010 10:26, Wolf-Agathon Schaly wrote:
> > If I leave the LDAP server listening on the TCP address of localhost
> > (127.0.0.1) declips is cool.
> > If I change the entry in /etc/openldap/ldap.conf from
> > URI=ldap://127.0.0.1/
> > to
> > URI=ldap://10.1.1.1/
> > I'm facing the same issue (gss_accept_sec_context) as on levante.
> >
> >
> > Is there somebody out there who can lead me to a solution.
> It seems like a name canonicalisation error to me, as you have a
> multihomed setup, and the result varies with the IP address you're using.
>
> You have to ensure the principal used in the LDAP server keytab (its SPN)
> matches both the one used by clients when they ask for a service ticket (DNS
> hostname for the IP address used in their /etc/openldap/ldap.conf files),
> and the one used by the server itself (by default, the one returned by
> gethostname(); otherwise, the one specified with the sasl_hostname directive
> in its configuration file).
>
> You may also check in the KDC logs which principals are requested by
> clients.
> --
> BOFH excuse #11:
>
> magnetic interference from money/credit cards
>
>
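The mismatch Guillaume describes (client-side SPN derived from the ldap.conf URI, server-side SPN derived from gethostname() or sasl_hostname, and what the keytab actually holds) can be checked offline before touching the KDC. The script below is an added example written for this thread, not code from either poster or from OpenLDAP/MIT Kerberos. It assumes a constructed reverse-DNS table standing in for the resolver, a constructed `klist -k` listing, and simplifies MIT's canonicalisation to "IP literal -> PTR name, names used as given"; the realm PRIVAT.NET, the host declips.privat.net and the addresses 127.0.0.1/10.1.1.1 are taken from the thread, the keytab path is a placeholder.

```python
"""Compare the SPN an LDAP GSSAPI client will request with the SPNs in the
server keytab. Added example for this thread; every table below is constructed."""
import re
from urllib.parse import urlsplit

REALM = "PRIVAT.NET"

# Constructed reverse-DNS table standing in for gethostbyaddr()/PTR lookups.
REVERSE_DNS = {
    "127.0.0.1": "localhost",
    "10.1.1.1": "declips.privat.net",
}

# Constructed `klist -k` output: the keytab as it stood before the change
# (only ldap/localhost), and after adding the FQDN principal as well.
KLIST_BEFORE = """\
Keytab name: FILE:/path/to/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/localhost@PRIVAT.NET
"""

KLIST_FIXED = """\
Keytab name: FILE:/path/to/ldap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ldap/localhost@PRIVAT.NET
   3 ldap/declips.privat.net@PRIVAT.NET
"""


def keytab_principals(klist_output):
    """Return the set of principals listed by `klist -k` (KVNO column skipped)."""
    princs = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)$", line)
        if m:
            princs.add(m.group(2))
    return princs


def client_spn(uri, reverse_dns, realm=REALM):
    """SPN a GSSAPI client derives from the host part of the ldap.conf URI.

    Simplification (assumption): an IP literal is replaced by its PTR name,
    a hostname is used as written; both are lower-cased like MIT krb5 does."""
    host = urlsplit(uri).hostname
    canonical = reverse_dns.get(host, host)
    return f"ldap/{canonical.lower()}@{realm}"


def server_spn(gethostname_result, sasl_hostname=None, realm=REALM):
    """SPN the server expects: sasl_hostname if configured, else gethostname()."""
    name = sasl_hostname or gethostname_result
    return f"ldap/{name.lower()}@{realm}"


def check(uri, klist_output, gethostname_result, sasl_hostname=None,
          reverse_dns=REVERSE_DNS):
    """List every SPN mismatch between client expectation, server expectation
    and keytab contents. An empty list means the three agree."""
    have = keytab_principals(klist_output)
    want_client = client_spn(uri, reverse_dns)
    want_server = server_spn(gethostname_result, sasl_hostname)
    problems = []
    if want_client not in have:
        problems.append(f"client will request {want_client}, which is not in the keytab")
    if want_server not in have:
        problems.append(f"server identifies as {want_server}, which is not in the keytab")
    if want_client != want_server:
        problems.append(f"client SPN {want_client} differs from server SPN {want_server}")
    return problems


if __name__ == "__main__":
    for uri, keytab in (("ldap://127.0.0.1/", KLIST_BEFORE),
                        ("ldap://10.1.1.1/", KLIST_BEFORE),
                        ("ldap://10.1.1.1/", KLIST_FIXED)):
        issues = check(uri, keytab, "declips.privat.net")
        print(uri, "OK" if not issues else "; ".join(issues))
```

With the original single-entry keytab the 10.1.1.1 URI is reported because the client asks for ldap/declips.privat.net@PRIVAT.NET while the keytab only has ldap/localhost; with the two-entry keytab the same URI passes. Feeding the script real `klist -k` output and the real resolver results turns it into a quick pre-flight check for multihomed servers.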