my first experiment with ldap back end

Savitha R rsavitha at novell.com
Mon Jun 5 05:25:03 EDT 2006



>>> On Sat, Jun 3, 2006 at  6:40 am, in message
<tx1irnj11tz.fsf at mit.edu>, Ken
Raeburn <raeburn at MIT.EDU> wrote: 
> Okay, I've spent more time than I should've needed to staring at
> certificate and ldap setup docs and getting distracted with other
> issues, but now I've got an LDAP server running and I tried creating
> a realm.
> 
> I'm using this dbmodules section for my O-P.MIT.EDU realm:
> 
> 	ldap = {
> 		db_library = kldap
> 		ldap_ssl_port = 636
> 		ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
> 		ldap_servers = opteron-prime.mit.edu
> 		ldap_kdc_dn = "cn=admin,dc=mit,dc=edu"
> 		ldap_kadmind_dn = "cn=admin,dc=mit,dc=edu"
> 		ldap_service_password_file = /home/raeburn/k5/ldap/linux/Install/etc/ldap-pw
> 	}
> 
> And ran kdb5_ldap_util, on an x86_64 Debian GNU/Linux 3.1 system:
> 
> $ env KRB5_CONFIG=`pwd`/Install/etc/krb5.conf ./Install/sbin/kdb5_ldap_util -D cn=admin,dc=mit,dc=edu create
> Password for "cn=admin,dc=mit,dc=edu": 
> Default enctype not specified: "des3-cbc-sha1" will be added as the default
> enctype and to the list of supported enctypes.
> Default salttype not specified: "normal" will be added as the default
> salttype and to the list of supported salttypes.
> Initializing database for realm 'O-P.MIT.EDU'
> You will be prompted for the database Master Password.
> It is important that you NOT FORGET this password.
> Enter KDC database master key: 
> Re-enter KDC database master key to verify: 
> (null): Principal add failed: Invalid syntax while adding entries to database
> create: Database store error while adding entries to the database

> First problem: Syntax where?  What entry?  Okay, yeah, the error
> messages from the krb5 code are pretty poor, but that's no reason to
> continue the, um, tradition.
> 

Need to look into this. Debug message from slapd would help.

> Second problem: "(null)"?  I probably missed a program-name variable
> someplace when tweaking the error-message handling.
> 
> At this point it stopped; after 10 seconds or so I interrupt it (I'm
> running it under gdb), and it seems to be stalled in the LDAP code
> (problem #3):

We had faced this problem with version 2.2.6-37.35 of openldap. There
seems to be some issue in unbinding when multiple handles are created to
the LDAP server.  The problem disappeared when the openldap client was
upgraded.


> 
> I then try to destroy the database (ia32 binaries again), and again
> I get the "no such object deleting database" error, and a hang.
> 
> So, going back to the info from the slapd debug output, I notice the
> search base is empty, not under dc=mit,dc=edu.  And, indeed, I find
> that if I do an ldapsearch with -b dc=mit,dc=edu, I can see all the
> principals, but if I use -b "" or supply no base, it finds nothing.
> I'm still an LDAP newbie, perhaps I've got something wrong in my
> slapd.conf file.  But shouldn't we be searching under the container
> specified in the Kerberos config file?

This problem should not occur if the realm is associated with a
subtree. While destroying a realm, the principals belonging to the realm
are deleted. The principals are searched under the subtree which is
associated with the realm. If no subtree is associated, the search base
will be "".
If the search base is "", the ldap client tries to pick up the search
base from the BASE option in the ldap.conf file. If the client sends the
search base as "", the server can be configured to take a default search
base by setting defaultsearchbase in the slapd.conf file on the server.

Regards
Savitha