kinit failure with Kerberos and LDAP backend

Mark Pröhl mark at mproehl.net
Fri Oct 26 05:44:56 EDT 2012


On 24.10.2012 11:25, Berthold Cogel wrote:
> ...
> Master and slaves have different ACLs. The future IDM system is only
> allowed to write to the master and the master has additional ACLs for
> the consumer/slaves. Permissions for kadmin and kdc are all the same.
>
> access to dn.subtree="ou=Kerberos,dc=uni-koeln,dc=de"
> 	by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
> 	by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
> 	by self read
> 	by anonymous auth
> 	by * break
>
> access to
> attrs="krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData"
> 	by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
> 	by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
> 	by self read
> 	by * auth
>

I cannot exactly reproduce your problem.

With these ACLs kadmin.local -q getprinc ... can only find principals 
below ou=Kerberos. I need to extend the attribute set in your second ACL 
rule to 
"objectClass,krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData,entry" 
to get it working.

To see if the problem is related to OpenLDAP ACLs you could do a test 
with more permissive ACLs on the slave? Or send me your complete 
slapd.conf from the slave server?

Regards,

Mark
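The second ACL rule as quoted above, next to the extended form Mark describes, as an added illustration (not configuration from the original thread). It assumes that some principals live in entries outside ou=Kerberos (for instance user entries under ou=People carrying the Kerberos auxiliary object class); the DNs are the ones from the quoted slapd.conf.

```conf
# --- As quoted in the thread ---
# Entries outside ou=Kerberos only reach this rule (the subtree rule
# above never matches them), and this rule covers only the four
# listed attributes.
access to attrs="krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData"
	by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
	by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
	by self read
	by * auth

# --- Extended attribute set ---
# "entry" is OpenLDAP's pseudo-attribute: without read access to it an
# entry is never returned, so principals outside ou=Kerberos stay
# invisible to the KDC and to kadmin even though the Kerberos attributes
# themselves are readable.
# "objectClass" is needed because the KDC's LDAP backend searches for
# principals with filters that include objectClass; a filter term on an
# attribute the bind DN cannot read simply does not match.
access to attrs="objectClass,krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData,entry"
	by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
	by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
	by self read
	by * auth
```

The first rule in the quoted configuration (dn.subtree="ou=Kerberos,...") is unchanged; it already grants the kdc and kadmind identities access to every attribute of entries below ou=Kerberos, which is why principals stored there were found in the first place.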