Problem with LDAP Referrals and Kerberos LDAP Backend

Christopher Racky christopher.racky at web.de
Wed Oct 23 16:17:01 EDT 2013


   Hello list,


   I have the following problem with the latest Kerberos version
   (krb5-1.11.3) on a Linux system.

   I use LDAP as the backend module (with Sun / Oracle LDAP Directory
   Server). My setup is quite big, so we also use LDAP referrals.

   This works great with the Solaris (modified) Kerberos Release, but
   with Linux we have the following issue:


   DB module: db_library = kldap

   Using an LDAP hub or consumer server in "ldap_servers" (i.e. the LDAP
   suffix containing the KRB container (realm) is read-only and the LDAP
   server sends referral(s) in case of LDAP MODs) does not work properly
   in case of modifications (e.g. change_password or updates of attributes
   such as krbLoginFailedCount):

   KDC or KADMIN follow the LDAP referral but do not bind (LDAP) using the
   defined users (ldap_kdc_dn, ldap_kadmind_dn); instead an anonymous
   LDAP bind is performed.

   Log from LDAP consumer server:

   [19/Oct/2013:12:34:46 +0200] conn=11412 op=7 msgId=8 - SRCH
   base="ou=people,dc=adm" scope=2
   filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal))(krbPrincipalName=testuser@MITREALM))"
   attrs="krbPrincipalName krbCanonicalName objectClass krbPrincipalKey
   krbMaxRenewableAge krbMaxTicketLife krbTicketFlags krbPrincipalExpiration
   krbTicketPolicyReference krbUPEnabled krbPwdPolicyReference
   krbPasswordExpiration krbLastFailedAuth krbLoginFailedCount
   krbLastSuccessfulAuth krbLastPwdChange krbLastAdminUnlock krbExtraData
   krbObjectReferences krbAllowedToDelegateTo"

   [19/Oct/2013:12:34:46 +0200] conn=11412 op=7 msgId=8 - RESULT err=0
   tag=101 nentries=1 etime=0

   [19/Oct/2013:12:34:46 +0200] conn=11412 op=8 msgId=9 - SRCH
   base="cn=testuser,ou=people,dc=adm" scope=0 filter="(objectClass=*)"
   attrs="objectClass"

   [19/Oct/2013:12:34:46 +0200] conn=11412 op=8 msgId=9 - RESULT err=0
   tag=101 nentries=1 etime=0

   [19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - MOD
   dn="cn=testuser,ou=people,dc=adm"

   [19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - RESULT err=10
   tag=103 nentries=0 etime=0

   Log from LDAP master server:

   [19/Oct/2013:12:34:46 +0200] conn=44 op=-1 msgId=-1 - fd=109 slot=109
   LDAPS connection from 192.168.29.118:36417 to 192.168.29.30

   [19/Oct/2013:12:34:46 +0200] conn=44 op=-1 msgId=-1 - SSL 256-bit
   Camellia-256

   ==> Here the issue (anonymous bind!!!):

   [19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - BIND dn=""
   method=128 version=3

   [19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - RESULT err=0
   tag=97 nentries=0 etime=0 dn=""

   [19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - MOD
   dn="cn=testuser,ou=people,dc=adm"

   [19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - RESULT err=50
   tag=103 nentries=0 etime=0, Insufficient 'write' privilege to the
   'krbLoginFailedCount' attribute of entry
   'cn=testuser,ou=people,dc=adm'.

   [19/Oct/2013:12:34:46 +0200] conn=44 op=2 msgId=13 - UNBIND


   Do you have any hint for me? Is this a bug in the Kerberos implementation?

   Best regards

   Chris
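The archive carries no reply, so here is an added example (not from the post, MIT krb5 or the directory server vendor) of how an operator would spot the pattern Chris describes in the directory server's own access log: a write (MOD/ADD/DEL/MODRDN) issued on a connection whose last successful BIND carried an empty DN. The regexes and the sample lines are constructed to match the log format quoted above.

```python
import re
# Field layout of the Sun/Oracle Directory Server access-log lines quoted above.
# The regexes are constructed for this example and are not part of the post.
LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>-?\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<rest>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+)')
WRITE_VERBS = ("MOD", "ADD", "DEL", "MODRDN")

def parse_line(line):
    """Split one access-log line into connection id, operation id and trailing text."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"conn": int(m["conn"]), "op": int(m["op"]), "rest": m["rest"]}

def find_anonymous_writes(lines):
    """Return (conn, op, verb, err) for each write on a connection whose last
    successful BIND had an empty DN. Connections whose BIND lies outside the log
    window are not flagged, so only the master's conn=44 is reported here."""
    bind_dn = {}   # conn -> DN of the most recent successful bind on that connection
    pending = {}   # (conn, op) -> ("bind", dn) or ("write", verb) awaiting its RESULT
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        conn, op, rest = rec["conn"], rec["op"], rec["rest"]
        verb = rest.split(" ", 1)[0]
        if verb == "BIND":
            pending[(conn, op)] = ("bind", BIND_RE.match(rest)["dn"])
        elif verb in WRITE_VERBS:
            pending[(conn, op)] = ("write", verb)
        elif verb == "RESULT" and (conn, op) in pending:
            kind, value = pending.pop((conn, op))
            err = int(RESULT_RE.match(rest)["err"])
            if kind == "bind" and err == 0:
                bind_dn[conn] = value        # "" records an anonymous bind
            elif kind == "write" and bind_dn.get(conn) == "":
                findings.append((conn, op, value, err))
    return findings

# Constructed sample: the consumer and master lines from the post, one entry per line.
SAMPLE_LOG = [
    '[19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - MOD dn="cn=testuser,ou=people,dc=adm"',
    '[19/Oct/2013:12:34:46 +0200] conn=11412 op=9 msgId=10 - RESULT err=10 tag=103 nentries=0 etime=0',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - BIND dn="" method=128 version=3',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=0 msgId=12 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - MOD dn="cn=testuser,ou=people,dc=adm"',
    '[19/Oct/2013:12:34:46 +0200] conn=44 op=1 msgId=11 - RESULT err=50 tag=103 nentries=0 etime=0, Insufficient write privilege',
]
```

Running `find_anonymous_writes(SAMPLE_LOG)` reports only the master's conn=44 MOD (err=50); the consumer's referral result (err=10) on the already-bound conn=11412 is not flagged.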


