kinit failure with Kerberos and LDAP backend

Berthold Cogel cogel at uni-koeln.de
Fri Oct 26 10:28:34 EDT 2012


On 26.10.2012 11:44, Mark Pröhl wrote:
> On 24.10.2012 11:25, Berthold Cogel wrote:
>> ...
>> Master and slaves have different ACLs. The future IDM system is only
>> allowed to write to the master and the master has additional ACLs for
>> the consumer/slaves. Permissions for kadmin and kdc are all the same.
>>
>> access to dn.subtree="ou=Kerberos,dc=uni-koeln,dc=de"
>> 	by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
>> 	by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
>> 	by self read
>> 	by anonymous auth
>> 	by * break
>>
>> access to
>> attrs="krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData"
>> 	by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
>> 	by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
>> 	by self read
>> 	by * auth
>>
> 
> I cannot exactly reproduce your problem.
> 
> With these ACLs kadmin.local -q getprinc ... can only find principals 
> below ou=Kerberos. I need to extend the attribute set in your second ACL 
> rule to 
> "objectClass,krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData,entry" 
> to get it working.
> 
> To see if the problem is related to OpenLDAP ACLs you could do a test 
> with more permissive ACLs on the slave? Or send me your complete 
> slapd.conf from the slave server?
> 
> Regards,
> 
> Mark
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 


You're right... this one was missing:

access to dn.subtree="ou=People,dc=uni-koeln,dc=de"
        by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read



Regards
Berthold
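The two fixes discussed in this thread (the `entry` and `objectClass` pseudo-attributes in the attribute rule, and read access for the KDC identity to the subtree that actually holds the user principals) can be combined into one consistent slapd.conf ACL set. The following is an added example, not the configuration from either poster; it reuses the DNs from the thread and assumes that user principals live as `krbPrincipalAux` entries under `ou=People,dc=uni-koeln,dc=de`. The `by * break` on the `ou=People` rule is also an assumption, added so that whatever user-facing ACLs already exist for that subtree are still evaluated for everyone other than the KDC.

```conf
# Added example (not from the thread): slave/consumer ACLs for a KDC that
# reads principals stored both under ou=Kerberos and under ou=People.

# Realm container: KDC reads, kadmind writes, everyone else falls through
# ("break") to the later rules instead of being denied here.
access to dn.subtree="ou=Kerberos,dc=uni-koeln,dc=de"
        by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
        by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
        by self read
        by anonymous auth
        by * break

# Principals attached to user entries (assumed layout). Without a rule that
# lets the KDC read this subtree the KDC never sees those entries, and
# kinit fails for every principal stored here. "break" hands all other
# identities on to the existing user ACLs for ou=People.
access to dn.subtree="ou=People,dc=uni-koeln,dc=de"
        by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
        by * break

# Kerberos attributes anywhere in the tree. "entry" is the pseudo-attribute
# that grants access to the entry itself and "objectClass" is needed for the
# KDC's search filter to match; without both, the search returns nothing
# even though the krb* attributes are readable.
access to attrs="objectClass,krbPrincipalName,krbPrincipalKey,krbLastPwdChange,krbExtraData,entry"
        by dn.exact="cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de" read
        by dn.exact="cn=kadmind,ou=Kerberos,dc=uni-koeln,dc=de" write
        by self read
        by * auth
```

Rule order matters: OpenLDAP uses the first `access to` clause whose target matches, and only a `by * break` lets evaluation continue to later clauses. Before restarting slapd, the effective rights can be checked offline with `slapacl`, binding as the KDC identity (`-D "cn=kdc,ou=Kerberos,dc=uni-koeln,dc=de"`) against a test entry under `ou=People` (`-b`, a placeholder DN of your own) and asking for `entry/read`, `objectClass/read` and `krbPrincipalKey/read`; all three must be granted for the KDC to find and use that principal.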

