Problem with LDAP Referrals and Kerberos LDAP Backend
Christopher Racky
christopher.racky at web.de
Wed Oct 23 16:17:01 EDT 2013
Hello list,

I have the following problem with the latest Kerberos version
(krb5-1.11.3) on a Linux system.
I use LDAP as the backend module (with Sun / Oracle LDAP Directory
Server). My setup is quite big, so we also use LDAP referrals.
This works great with the (modified) Solaris Kerberos release, but
with Linux we have the following issue:
DB module: db_library = kldap

Using an LDAP hub or consumer server in "ldap_servers" (i.e. the LDAP suffix
containing the KRB container (realm) is read-only and the LDAP server sends
referral(s) in case of LDAP MODs) does not work properly in case of
modifications (e.g. change_password or updates of attributes
(krbLoginFailedCount, ...)):
The KDC or kadmind follows the LDAP referral but does not bind (LDAP) using the
defined user (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
LDAP bind is performed.
Log from LDAP consumer server:
[19/Oct/2013:12:34:46 +0200] conn=11412 op=7 msgId=8 - SRCH base="ou=people,dc=adm" scope=2 filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=testuser@MITREALM))" attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData krbObjectReferences krbAllowedToDelegateTo"
[19/Oct/2013:12:34:46 +0200] conn=11412 op=7 msgId=8 - RESULT err=0 tag=101 nentries=1 etime=0
[19/Oct/2013:12:34:46 +0200] conn=11412 op=8 msgId=9 - SRCH base="cn=testuser,ou=people,dc=adm" scope=0 filter="(objectClass=*)" attrs="objectClass"
[19/Oct/2013:12:34:46 +0200] conn=11412 op=8 msgId=9 - RESULT err=0 tag=101 nentries=1 etime=0
[19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - MOD dn="cn=testuser,ou=people,dc=adm"
[19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - RESULT err=10 tag=103 nentries=0 etime=0
Log from LDAP master server:
[19/Oct/2013:12:34:46 +0200] conn=44 op=-1 msgId=-1 - fd=109 slot=109 LDAPS connection from 192.168.29.118:36417 to 192.168.29.30
[19/Oct/2013:12:34:46 +0200] conn=44 op=-1 msgId=-1 - SSL 256-bit Camellia-256
==> Here the issue (anonymous bind!!!):
[19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - BIND dn="" method=128 version=3
[19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - MOD dn="cn=testuser,ou=people,dc=adm"
[19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry 'cn=testuser,ou=people,dc=adm'.
[19/Oct/2013:12:34:46 +0200] conn=44 op=2 msgId=13 - UNBIND
Do you have any hint for me? Is this a bug in the Kerberos implementation?
Best regards
Chris
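The two log excerpts above show the failure pattern directly: the consumer answers the MOD with err=10 (an LDAP referral), and on the master the freshly opened connection does BIND dn="" before the MOD, which then fails with err=50 (insufficient access). As an added example, not part of the original post or of the krb5 project's code, here is a small Python parser for this access-log line format that reconstructs each connection's bind identity and flags write operations issued while the connection is anonymously bound, alongside the referral results that precede them. The log lines it runs on are constructed to mirror the post; the consumer's BIND line and the service DN cn=kdc-service,ou=services,dc=adm are assumptions, since the original excerpt begins after that bind.

```python
import re

# Access-log line shape of Sun / Oracle Directory Server, as quoted in the post:
# [timestamp] conn=N op=N msgId=N - KIND <fields>
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) '
    r'msgId=(?P<msgid>-?\d+) - (?P<kind>[A-Z]+)(?P<rest>.*)$'
)
DN_RE = re.compile(r'\bdn="(?P<dn>[^"]*)"')
ERR_RE = re.compile(r'\berr=(?P<err>\d+)')

LDAP_REFERRAL = 10                      # LDAP resultCode referral(10)
WRITE_OPS = {"MOD", "ADD", "DEL", "MODRDN"}

# Constructed sample, modelled on the consumer-side excerpt in the post.
# The BIND with a service DN is an assumption: the real excerpt starts later.
SAMPLE_CONSUMER_LOG = [
    '[19/Oct/2013:12:34:40 +0200] conn=11412 op=0 msgId=1 - BIND dn="cn=kdc-service,ou=services,dc=adm" method=128 version=3',
    '[19/Oct/2013:12:34:40 +0200] conn=11412 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=kdc-service,ou=services,dc=adm"',
    '[19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - MOD dn="cn=testuser,ou=people,dc=adm"',
    '[19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - RESULT err=10 tag=103 nentries=0 etime=0',
]

# Constructed sample, modelled on the master-side excerpt in the post.
SAMPLE_MASTER_LOG = [
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=-1 msgId=-1 - fd=109 slot=109 LDAPS connection from 192.168.29.118:36417 to 192.168.29.30',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - BIND dn="" method=128 version=3',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - MOD dn="cn=testuser,ou=people,dc=adm"',
    "[19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the 'krbLoginFailedCount' attribute of entry 'cn=testuser,ou=people,dc=adm'.",
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=2 msgId=13 - UNBIND',
]


def parse_line(line):
    """Split one access-log line into its fields; None for lines that do not
    carry an operation keyword (e.g. the 'fd=... connection from' line)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    rec["op"] = int(rec["op"])
    dn = DN_RE.search(rec["rest"])
    rec["dn"] = dn.group("dn") if dn else None
    err = ERR_RE.search(rec["rest"])
    rec["err"] = int(err.group("err")) if err else None
    return rec


def analyze(lines):
    """Walk the log in order, tracking the bind identity of every connection.

    Returns a dict with
      referrals:        [(conn, op)] RESULT lines carrying err=10, i.e. the
                        server handed back a referral instead of performing
                        the operation
      anonymous_writes: [(conn, op, target_dn)] write operations issued on a
                        connection whose last successful BIND was anonymous
    A connection whose BIND is not in the excerpt stays 'unknown' and is not
    flagged, so a partial log does not produce false positives.
    """
    pending_bind = {}   # conn -> (op, dn) for a BIND awaiting its RESULT
    bound_as = {}       # conn -> dn of last successful BIND ("" = anonymous)
    referrals, anonymous_writes = [], []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        conn, op, kind = rec["conn"], rec["op"], rec["kind"]
        if kind == "BIND":
            pending_bind[conn] = (op, rec["dn"] if rec["dn"] is not None else "")
        elif kind == "RESULT":
            # Commit the bind identity only once the server accepted the BIND.
            if conn in pending_bind and pending_bind[conn][0] == op:
                _, dn = pending_bind.pop(conn)
                if rec["err"] == 0:
                    bound_as[conn] = dn
            if rec["err"] == LDAP_REFERRAL:
                referrals.append((conn, op))
        elif kind in WRITE_OPS:
            if bound_as.get(conn) == "":
                anonymous_writes.append((conn, op, rec["dn"]))
        elif kind == "UNBIND":
            bound_as.pop(conn, None)
    return {"referrals": referrals, "anonymous_writes": anonymous_writes}


if __name__ == "__main__":
    for name, log in (("consumer", SAMPLE_CONSUMER_LOG), ("master", SAMPLE_MASTER_LOG)):
        print(name, analyze(log))
```

Running the same check over a full day's access log on the master (the server that actually holds the writable replica) gives a quick answer to the question in the post: if every MOD on krb* attributes that arrives via a referral is preceded by BIND dn="", the client is not re-binding with ldap_kdc_dn / ldap_kadmind_dn after chasing the referral, and the err=50 rejections are the directory's ACIs doing their job rather than a misconfiguration of the ACIs themselves.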