ldap database error when creating initial stash
Todd Grayson
tgrayson at cloudera.com
Thu Jun 30 11:58:39 EDT 2016
In the mailing list discussion I sent, the error emerged as it was parsing
broken schema information in the file...
On Thu, Jun 30, 2016 at 9:55 AM, Michael Aldridge <michael.aldridge at utdallas.edu> wrote:
> Todd,
>
> You are correct that that is in ldif format. The ldap server gets built
> up by using the bare minimum to get it online and then all the other
> schemata and associated files are loaded in with the server online.
>
> The distro is Void Linux, with kerberos version 1.14.2.
>
> I must admit I'm struggling to see what you are seeing. The error text
> to me sounds like it can't even find the ldap backend, much less try to
> actually talk to it. Can you explain why you think this might be a
> schema error?
>
> --Michael
>
> On 06/30/2016 09:06 AM, Todd Grayson wrote:
> > Michael, I apologize but I'm not familiar with that kind of formatting
> > for the kerberos.schema file... the one I'm looking at looks like this
> > (segment).
> >
> > What linux distro/versions are you working over?
> >
> > That almost looks like the kind of format you would see converting the
> > .schema to .ldif or something?
> >
> > Not being able to parse the schema file is what I was pointing out for
> > that error...
> >
> > --- snip of kerberos.schema as provided in ubuntu ---
> >
> > attributetype ( 2.16.840.1.113719.1.301.4.1.1
> > NAME 'krbPrincipalName'
> > EQUALITY caseExactIA5Match
> > SUBSTR caseExactSubstringsMatch
> > SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)
> >
> > ...
> > ...
> >
> > objectclass ( 2.16.840.1.113719.1.301.6.16.1
> > NAME 'krbTicketPolicyAux'
> > SUP top
> > AUXILIARY
> > MAY ( krbTicketFlags $ krbMaxTicketLife $
> > krbMaxRenewableAge ) )
> >
> >
> > On Thu, Jun 30, 2016 at 12:48 AM, Michael Aldridge
> > <michael.aldridge at utdallas.edu> wrote:
> >
> > While I have not done an in depth comparison, my schema would appear to
> > just be a re-formatted version of the schema provided in the source
> > tree. I believe I originally obtained it from an ubuntu release
> > slightly more than a year ago. What is striking here is that this all
> > worked less than a month ago on my test platform.
> >
> > For the curious, here is the schema I'm using:
> >
> > https://raw.githubusercontent.com/collegiumv/cv_config/master/roles/slapd/files/cn%3D%7B4%7Dkerberos.ldif
> >
> > --Michael
> >
> > On 06/30/2016 01:25 AM, Todd Grayson wrote:
> > > Got schema issues? Perhaps?
> > >
> > >
> > > http://blog.gmane.org/gmane.comp.encryption.kerberos.bugs/month=20131201
> > >
> > > Magic google phrase:
> > >
> > > openldap kerberos schema "Unable to find requested database type"
> > >
> > > On Thu, Jun 30, 2016 at 12:18 AM, Michael Aldridge
> > > <michael.aldridge at utdallas.edu> wrote:
> > >
> > > Greetings,
> > >
> > > I hope I am emailing the correct list and if I am not then please accept
> > > my apology. I am in the process of standing up a pair of KDCs and I am
> > > encountering this error when attempting to create the initial password
> > > stash for accessing the ldap server that backs the kerberos database:
> > >
> > > kdb5_ldap_util: Unable to find requested database type while setting up lib handle
> > >
> > > The command I ran to get that error message is:
> > >
> > > sudo kdb5_ldap_util -D "cn=krbAdmService,dc=collegiumv,dc=org" stashsrvpw -f /var/krb5kdc/ldap.keyfile "cn=krbAdmService,dc=collegiumv,dc=org"
> > >
> > > I have used my best google-fu but still come up empty. I can see
> > > several people who seem to have had the same issue, but I cannot find a
> > > solution. I appreciate any insight to this error.
> > >
> > > --Michael
> > >
> > > --
> > > Michael Aldridge
> > > Network Administrator
> > > Collegium V Honors College
> > > The University of Texas at Dallas
> > > ________________________________________________
> > > Kerberos mailing list Kerberos at mit.edu
> > > https://mailman.mit.edu/mailman/listinfo/kerberos
> > >
> > >
> > >
> > >
> > > --
> > > Todd Grayson
> > > Business Operations Manager
> > > Customer Operations Engineering
> > > Security SME
> > >
> > --
> > Todd Grayson
> > Business Operations Manager
> > Customer Operations Engineering
> > Security SME
> >
--
Todd Grayson
Business Operations Manager
Customer Operations Engineering
Security SME
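
The thread contrasts two representations of the Kerberos schema: the slapd.conf-style `kerberos.schema` quoted above and an LDIF form loaded into a running server. As an added example (not part of any message in the thread, and not MIT Kerberos or OpenLDAP code), this Python sketch converts the quoted definitions to cn=config LDIF and rejects a definition whose parentheses do not balance; the function names and the `cn=kerberos` entry name are assumptions.

```python
import re

# Constructed sample: the two definitions quoted in the thread, written in
# slapd.conf-style ".schema" syntax.
SCHEMA_TEXT = """
attributetype ( 2.16.840.1.113719.1.301.4.1.1
    NAME 'krbPrincipalName'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26)

objectclass ( 2.16.840.1.113719.1.301.6.16.1
    NAME 'krbTicketPolicyAux'
    SUP top
    AUXILIARY
    MAY ( krbTicketFlags $ krbMaxTicketLife $
    krbMaxRenewableAge ) )
"""

# .schema keyword -> attribute used in a cn=schema,cn=config entry
KEYWORDS = {"attributetype": "olcAttributeTypes", "objectclass": "olcObjectClasses"}

def parse_schema(text):
    """Return [(ldif_attr, definition)]; ValueError if parentheses don't balance.
    Limitation: parentheses inside quoted DESC strings are counted too."""
    text = re.sub(r"(?m)^[ \t]*#.*$", "", text)  # drop comment lines
    defs = []
    for m in re.finditer(r"(?im)^(attributetype|objectclass)\s*\(", text):
        depth, start = 0, m.end() - 1
        for i in range(start, len(text)):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            if depth == 0:  # matching close paren of this definition
                body = " ".join(text[start + 1:i].split())
                defs.append((KEYWORDS[m.group(1).lower()], f"( {body} )"))
                break
        else:
            raise ValueError(f"unbalanced parentheses in {m.group(1)} definition")
    return defs

def to_ldif(defs, name="kerberos"):
    """Render the definitions as one schema entry (entry name is an assumption)."""
    lines = [f"dn: cn={name},cn=schema,cn=config",
             "objectClass: olcSchemaConfig", f"cn: {name}"]
    lines += [f"{attr}: {value}" for attr, value in defs]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_ldif(parse_schema(SCHEMA_TEXT)), end="")
```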