[krbdev.mit.edu #8832] Troubles with kdb5_ldap_util list staying silent
Дилян Палаузов via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Sep 10 20:12:22 EDT 2019
Tue Sep 10 20:12:22 2019: Request 8832 was acted upon.
Transaction: Ticket created by dilyan.palauzov at aegee.org
Queue: krb5
Subject: Troubles with kdb5_ldap_util list staying silent
Owner: Nobody
Requestors: dilyan.palauzov at aegee.org
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8832 >
Hello,
For a Kerberos database using the LDAP backend, in kadmin.local I have created a policy.
kadmin.local: listpols
expiring
$ ldapsearch -x -D A -b cn=krbContainer -w B -H ldapi://%2Fvar%2Frun%2Fldapi/ "(objectClass=krbPwdPolicy)" -LLL
does print it:
dn: cn=expiring,cn=AEGEE.ORG,cn=krbContainer
cn: expiring
objectClass: krbPwdPolicy
krbMaxPwdLife: 7776000
krbMinPwdLife: 0
krbPwdMinDiffChars: 2
krbPwdMinLength: 8
krbPwdHistoryLength: 1
krbPwdMaxFailure: 10
krbPwdFailureCountInterval: 0
krbPwdLockoutDuration: 3600
krbPwdAttributes: 0
krbPwdMaxLife: 0
krbPwdMaxRenewableLife: 0
But kdb5_ldap_util does not, whatever I do:
kdb5_ldap_util -w B1 -D A -H ldapi://%2Fvar%2Frun%2Fldapi/ list_policy -r AEGEE.ORG
→ Invalid credentials while initializing database
kdb5_ldap_util -w B -D A -H ldapi://%2Fvar%2Frun%2Fldapi/ list_policy -r AEGEE.ORG ; echo $?
→ 0
I would have expected that just „kdb5_ldap_util list_policy” would print the contained policies for the default realm, which happens to use the LDAP backend, without the -w, -D and -H parameters, but it does not work.
In kdc.conf I have
[realms]
AEGEE.ORG = {
admin_keytab =/usr/var/krb5kdc/kadm5.keytab
default_principal_flags = +forwardable +proxiable +renewable
key_stash_file = /usr/var/krb5kdc/.k5.AEGEE.ORG
max_renewable_life = 100h
default_principal_flags = +renewable
database_module = LDAP
}
[dbdefaults]
ldap_kerberos_container_dn = cn=krbContainer
ldap_kdc_dn = B
ldap_kadmind_dn = B
ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
[dbmodules]
LDAP = {
db_library = kldap
ldap_servers = ldapi://%2Fvar%2Frun%2Fldapi
}
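The cross-check the reporter did by hand, as an added example that is not part of the ticket or of the krb5 code base: parse the krbPwdPolicy entries out of ldapsearch's LDIF output and compare their names with what kdb5_ldap_util list_policy printed, so that an empty listing with exit status 0 is flagged instead of silently passing. The LDIF sample is constructed from the entry quoted in the report.

```python
# Constructed sample: the LDIF entry from the report and the (empty) output
# that kdb5_ldap_util list_policy produced for the same realm.
SAMPLE_LDIF = """\
dn: cn=expiring,cn=AEGEE.ORG,cn=krbContainer
cn: expiring
objectClass: krbPwdPolicy
krbMaxPwdLife: 7776000
krbMinPwdLife: 0
krbPwdMinLength: 8
krbPwdMaxFailure: 10
krbPwdLockoutDuration: 3600
"""
SAMPLE_LIST_POLICY_OUTPUT = ""


def parse_ldif_policies(ldif_text):
    """Return {cn: {attribute: [values]}} for every krbPwdPolicy entry."""
    policies = {}
    for block in ldif_text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), []).append(value.strip())
        # objectClass is multi-valued in LDAP, so test membership, not equality.
        if "krbPwdPolicy" in attrs.get("objectClass", []) and "cn" in attrs:
            policies[attrs["cn"][0]] = attrs
    return policies


def parse_list_policy(output):
    """kdb5_ldap_util list_policy prints one policy name per line."""
    return {line.strip() for line in output.splitlines() if line.strip()}


def missing_policies(ldif_text, list_policy_output):
    """Policy names present in LDAP but absent from the list_policy output."""
    in_ldap = set(parse_ldif_policies(ldif_text))
    listed = parse_list_policy(list_policy_output)
    return sorted(in_ldap - listed)


if __name__ == "__main__":
    gap = missing_policies(SAMPLE_LDIF, SAMPLE_LIST_POLICY_OUTPUT)
    print("policies in LDAP but not listed:", gap)  # -> ['expiring']
```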