kinit failure with Kerberos and LDAP backend
Mark Pröhl
mark at mproehl.net
Fri Oct 26 05:44:56 EDT 2012
Am 24.10.2012 11:25, schrieb Berthold Cogel:
> ...
> Master and slaves have different ACLs. The future IDM system is only
> allowed to write to the master and the master has additional ACLs for
> the consumer/slaves. Permissions for kadmin and kdc are all the same.
>
> access to dn.subtree="ou=Kerberos,dc=uni-koeln,dc=de"
> by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
> by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
> by self read
> by anonymous auth
> by * break
>
> access to
> attrs="krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData"
> by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
> by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
> by self read
> by * auth
>
I cannot exactly reproduce your problem.
With these ACLs kadmin.local -q getprinc ... can only find principals
below ou=Kerberos. I need to extend the attribute set in your second ACL
rule to
"objectClass,krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData,entry"
to get it working.
To see if the problem is related to OpenLDAP ACLs you could do a test
with more permissive ACLs on the slave? Or send me your complete
slapd.conf from the slave server?
Regards,
Mark
More information about the Kerberos
mailing list