MIT Kerberos and OpenLDAP
Дилян
Sun Sep 1 06:22:20 EDT 2019
Hello,
• In the 1.17 distribution, the doc/admin/advanced/ldapbackend.rst file, and the latest version in git, contains “This should
in a new file named kerberos.ldif”. Some rewording would be good.
• The files admin/advanced/ldapbackend.rst and admin/conf_ldap.rst propose two different ways to include the
kerberos schema. Both files stick to OpenLDAP as LDAP server.
- ldapbackend.rst suggests creating a temporary file for the schema, /tmp/schema_convert.conf, that is then passed as
input to slaptest and the output of slaptest can then be included with ldapadd.
- In conf_ldap.rst the instruction is to "include /etc/openldap/schema/kerberos.schema" in slapd.conf.
Including kerberos.schema directly in slapd.conf does not work. I create an input.ldif file with
include: file:///src/krb5-1.17/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
and then call
slapadd -n0 -F /tmp/A -l /home/openldap/etc/openldap.bak/input.ldif -v
to create the initial configuration in /tmp/A . The output of slapadd is:
added: "cn=config" (00000001)
added: "cn=module{0},cn=config" (00000001)
added: "olcDatabase={-1}frontend,cn=config" (00000001)
added: "cn=schema,cn=config" (00000001)
added: "cn={0}core,cn=schema,cn=config" (00000001)
added: "cn={1}cosine,cn=schema,cn=config" (00000001)
added: "cn={2}inetorgperson,cn=schema,cn=config" (00000001)
added: "cn={3}nis,cn=schema,cn=config" (00000001)
5d6b958b str2entry: entry -1 has no dn
slapadd: could not parse entry (line=1019)
_########## 51.88% eta none elapsed none spd 463.2 k/s
Closing DB...
The openldap distribution contains the files cosine.ldif and cosine.schema. The kerberos distribution contains the
files kerberos.schema, kerberos.ldif and kerberos.openldap.ldif .
‘include: cosine.ldif’ does work: the attributes are preceded with “dn: cn=cosine,cn=schema,cn=config” and there are no
spaces between the attribute definitions. In the files cosine.schema, kerberos.schema there are no dn: definitions.
How, then, is “include kerberos.schema” supposed to work?
• admin/conf_ldap.html proposes these access rights:
access to attrs=userPassword,userPKCS12
by self write
by * auth
Provided that MIT Kerberos does nothing with these attributes, why is this recommendation here?
• Some time has passed since I learnt the details of Kerberos V. Is there any way that MIT Kerberos with LDAP can use the
user passwords stored in the inetorgperson:userPassword attribute, instead of the krbPrincipalKey: attribute? The use
case is to reuse an existing infrastructure, where passwords are already hashed in userPassword.
Greetings
Дилян
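Editor's note: the message above observes that a .schema file has no dn: line, so it cannot be loaded by slapadd or ldapadd as-is, whereas the .ldif form wraps the same definitions in a cn=config entry. The following added example (not from the original message, and not code from the MIT Kerberos or OpenLDAP projects) is a simplified Python converter that performs the core of what the ldapbackend.rst slaptest step produces: it folds each attributetype/objectclass definition onto one line and emits it as olcAttributeTypes/olcObjectClasses under a cn=...,cn=schema,cn=config entry. The sample schema and its OIDs are constructed placeholders; real slaptest output additionally numbers the entry (cn={N}name) and applies LDIF line folding, which this omits.

```python
"""Simplified .schema -> cn=config LDIF converter (added illustration, not slaptest)."""

# Constructed sample in OpenLDAP .schema syntax. OIDs are placeholders,
# not values from the real kerberos.schema.
SAMPLE_SCHEMA = """\
# comment lines and blank lines are ignored, as in slapd
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'exAttr'
    DESC 'constructed example attribute'
    EQUALITY caseExactIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'exClass'
    SUP top AUXILIARY
    MAY ( exAttr ) )
"""

# .schema keyword -> attribute name used in the cn=config (olc*) schema entry
KEYWORD_MAP = {
    "attributetype": "olcAttributeTypes",
    "objectclass": "olcObjectClasses",
    "objectidentifier": "olcObjectIdentifier",
}


def parse_schema(text):
    """Return (keyword, definition) pairs, joining indented continuation lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace():
            # Indented line continues the previous definition.
            if not entries:
                raise ValueError("continuation line before any definition")
            entries[-1][1] += " " + line.strip()
        else:
            keyword, _, rest = line.partition(" ")
            entries.append([keyword.lower(), rest.strip()])
    return [(k, " ".join(d.split())) for k, d in entries]


def schema_to_config_ldif(text, name):
    """Emit the cn=config schema entry that slapadd -n0 / ldapadd can load."""
    lines = [f"dn: cn={name},cn=schema,cn=config",
             "objectClass: olcSchemaConfig", f"cn: {name}"]
    for keyword, definition in parse_schema(text):
        attr = KEYWORD_MAP.get(keyword)
        if attr is None:
            raise ValueError(f"unsupported schema keyword: {keyword}")
        lines.append(f"{attr}: {definition}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(schema_to_config_ldif(SAMPLE_SCHEMA, "example"))
```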