public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] LDAP password-hash and kerberos
From: Robert Larson @ 2005-09-09 16:07 UTC
  To: gentoo-server

Hello,

I have been experiencing problems with the recent openldap upgrade from 2.1 
branch to 2.2.  I followed the directions in the ebuild as directed, and I 
seem to be hung up on one (maybe 2) problem.  The new version of openldap 
doesn't seem to know what to do with this directive:
password-hash {CLEARTEXT}

I changed the directive to {SSHA}, then re-followed the steps in the ebuild 
for rebuilding the database.  Everything seems to work fine for openldap now, 
but I _was_ using it as the backend for kerberos authentication, and kerberos 
doesn't like it at all:
kadmin -l
kadmin> list *
kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
kadmin: kadm5_get_principals: Wrong database version

Everything worked fine up to the upgrade, and I am unsure at this point on a 
direction to troubleshoot this issue further.  After looking into the 
openldap documentation it would seem that the CLEARTEXT option should still 
exist.  But, honestly, I am not sure that this is even the source of the 
problem.

Any ideas?

Thanks in advance!

Robert
-- 
gentoo-server@gentoo.org mailing list


* Re: [gentoo-server] LDAP password-hash and kerberos
From: Robert Larson @ 2005-09-12 17:46 UTC
  To: gentoo-server

> I have been experiencing problems with the recent openldap upgrade from 2.1
> branch to 2.2.  I followed the directions in the ebuild as directed, and I
> seem to be hung up on one (maybe 2) problem.  The new version of openldap
> doesn't seem to know what to do with this directive:
> password-hash {CLEARTEXT}
>
> I changed the directive to {SSHA}, then re-followed the steps in the ebuild
> for rebuilding the database.  Everything seems to work fine for openldap
> now, but I _was_ using it as the backend for kerberos authentication, and
> kerberos doesn't like it at all:
> kadmin -l
> kadmin> list *
> kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> kadmin: kadm5_get_principals: Wrong database version

Is this something I should post to an OpenLDAP list?  The "password-hash 
{CLEARTEXT}" thing seems pretty standard, and is documented in openldap 
documentation and the man pages.  I would find it hard to believe that it 
just became obsolete and I am the only one with problems.

Also, perhaps I am looking at the problem wrong.  Maybe it's an issue with 
kerberos in some way.  I am a little short on my understanding of how 
kerberos passwords get hashed and stored in openldap, so maybe there is an 
answer there.

I am using SASL and Heimdal kerberos.  A search phrase on google, a direction, 
anything at this point would assist.

Thank you for your time :)

Robert
-- 
gentoo-server@gentoo.org mailing list


* Re: [gentoo-server] LDAP password-hash and kerberos
From: Andreas Herrmann @ 2005-09-12 19:38 UTC
  To: gentoo-server

I use the same configuration: OpenLDAP, SASL and Heimdal kerberos.
Before merging the new OpenLDAP I saved the 
LDAP-Directory /var/lib/openldap-data/ with slapcat.
After restarting slapd nothing worked.

I found in my log files:
(auxpropfunc... seems to be another error. Can somebody help me?)
Sep  6 14:24:10 btfmx2 slapd[8468]: @(#) $OpenLDAP: slapd 2.2.28 (Sep  6 2005 13:26:37) $ root@btfmx2:/var/tmp/portage/openldap-2.2.28/work/openldap-2.2.28/servers/slapd
Sep  6 14:24:10 btfmx2 slapd[8468]: sql_select option missing
Sep  6 14:24:10 btfmx2 slapd[8468]: auxpropfunc error no mechanism available
Sep  6 14:24:10 btfmx2 slapd[8468]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Sep  6 14:24:10 btfmx2 slapd[8468]: bdb_db_init: Initializing BDB database
Sep  6 14:24:10 btfmx2 slapd[8468]: /etc/openldap/slapd.conf: line 83: password scheme "{CLEARTEXT}" not available
Sep  6 14:24:10 btfmx2 slapd[8468]: /etc/openldap/slapd.conf: line 83: no valid hashes found
Sep  6 14:24:10 btfmx2 slapd[8468]: slapd stopped.
Sep  6 14:24:10 btfmx2 slapd[8468]: connections_destroy: nothing to destroy.

These steps helped for me:
- Re-emerging pam_krb5, cyrus-sasl, heimdal and nss_ldap
- Importing of the saved LDAP database with slapadd < saved_db
- Comment out the line: password scheme "{CLEARTEXT}"

I also had to recompile some packages like apache, sudo...

Andreas

On Monday 12 September 2005 19:46, Robert Larson wrote:
> > I have been experiencing problems with the recent openldap upgrade from
> > 2.1 branch to 2.2.  I followed the directions in the ebuild as directed,
> > and I seem to be hung up on one (maybe 2) problem.  The new version of
> > openldap doesn't seem to know what to do with this directive:
> > password-hash {CLEARTEXT}
> >
> > I changed the directive to {SSHA}, then re-followed the steps in the
> > ebuild for rebuilding the database.  Everything seems to work fine for
> > openldap now, but I _was_ using it as the backend for kerberos
> > authentication, and kerberos doesn't like it at all:
> > kadmin -l
> > kadmin> list *
> > kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> > kadmin: kadm5_get_principals: Wrong database version
>
> Is this something I should post to an OpenLDAP list?  The "password-hash
> {CLEARTEXT}" thing seems pretty standard, and is documented in openldap
> documentation and the man pages.  I would find it hard to believe that it
> just became obsolete and I am the only one with problems.
>
> Also, perhaps I am looking at the problem wrong.  Maybe it's an issue with
> kerberos in some way.  I am a little short on my understanding of how
> kerberos passwords get hashed and stored in openldap, so maybe there is an
> answer there.
>
> I am using SASL and Heimdal kerberos.  A search phrase on google, a
> direction, anything at this point would assist.
>
> Thank you for your time :)
>
> Robert
-- 
gentoo-server@gentoo.org mailing list
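The recovery above exports the directory with slapcat, re-imports it with slapadd and drops the password-hash {CLEARTEXT} line. Before re-importing, it helps to know which userPassword values in the export are bare cleartext (the form slapd stores under password-hash {CLEARTEXT}, or when a client writes userPassword directly rather than through the Password Modify extended operation) and which carry a hash scheme such as the {SSHA} the first poster switched to. The following is an added Python example, not code from this thread, from OpenLDAP or from Heimdal: it reads slapcat-style LDIF, classifies each userPassword by its scheme prefix, and generates and verifies {SSHA} values in the format slappasswd -h {SSHA} produces. The sample entries are constructed, and all function names are the example's own.

```python
import base64
import hashlib
import hmac
import os


def parse_ldif(ldif_text):
    """Minimal reader for slapcat-style LDIF: unfolds continuation lines (leading
    space), decodes 'attr:: <base64>' values, skips comments, splits entries on
    blank lines. Attribute names are lower-cased. Returns [{attr: [values]}]."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        i = line.find(":")
        if i <= 0:
            continue
        attr = line[:i].lower()
        if line[i + 1:i + 2] == ":":         # 'attr:: <base64>'
            value = base64.b64decode(line[i + 2:].strip()).decode("utf-8", "replace")
        else:
            value = line[i + 1:].strip()
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def password_scheme(value):
    """'{SSHA}', '{SHA}', ... for a prefixed userPassword value, else 'cleartext'.
    A bare value is stored when password-hash is {CLEARTEXT} or when a client
    writes the attribute directly; slapd then compares binds against it byte for byte."""
    close = value.find("}")
    if value.startswith("{") and close > 1:
        scheme = value[:close + 1].upper()
        return "cleartext" if scheme == "{CLEARTEXT}" else scheme
    return "cleartext"


def ssha_hash(password, salt=None):
    """{SSHA} as slappasswd -h {SSHA} emits it: base64(SHA1(pw || salt) || salt),
    4 random salt bytes unless a salt is supplied."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Constant-time check of a password against a {SSHA} value; the salt is whatever
    follows the 20-byte digest."""
    if stored[:6].upper() != "{SSHA}":
        return False
    try:
        raw = base64.b64decode(stored[6:])
    except ValueError:
        return False
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode("utf-8") + salt).digest(), digest)


def audit_userpasswords(ldif_text):
    """(dn, scheme) for every userPassword value in the export."""
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for value in entry.get("userpassword", []):
            findings.append((dn, password_scheme(value)))
    return findings


def cleartext_dns(ldif_text):
    """DNs whose userPassword slapd would store and compare as cleartext."""
    return [dn for dn, scheme in audit_userpasswords(ldif_text) if scheme == "cleartext"]


def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def _fold(line, width=40):
    """Fold a long line LDIF-style (slapcat folds at 76 columns; 40 here so the short
    sample actually exercises the continuation handling)."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


# Constructed sample export, not real directory data: alice's password was set via
# Password Modify under password-hash {SSHA} (fixed salt for reproducibility), bob's
# under {CLEARTEXT}, carol's is a pre-hashed {SHA} value written by a client.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "uid: alice",
    _fold("userPassword:: " + _b64(ssha_hash("correct horse", b"\x01\x02\x03\x04"))),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "uid: bob",
    "userPassword:: " + _b64("hunter2"),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "objectClass: inetOrgPerson",
    "uid: carol",
    "userPassword: {SHA}" + base64.b64encode(hashlib.sha1(b"x").digest()).decode("ascii"),
    "",
])

if __name__ == "__main__":
    for dn, scheme in audit_userpasswords(SAMPLE_LDIF):
        print(f"{scheme:10} {dn}")
    print("cleartext:", cleartext_dns(SAMPLE_LDIF))
```

Run it against a real export with `audit_userpasswords(open("saved_db").read())` before the slapadd step. Note that this only covers LDAP simple-bind credentials in userPassword; Heimdal's hdb-ldap backend keeps principal keys in attributes of its own schema, which slapd's password-hash directive does not touch, so changing that directive does not by itself explain the kadmin errors quoted earlier in the thread.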

