From: Andreas Herrmann <sma@fsmpi.uni-bayreuth.de>
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] LDAP password-hash and kerberos
Date: Mon, 12 Sep 2005 21:38:09 +0200
Message-ID: <200509122138.10013.sma@fsmpi.uni-bayreuth.de>
In-Reply-To: <200509121246.59783.robert@sixthings.com>
I use the same configuration: OpenLDAP, SASL and Heimdal kerberos.
Before merging the new OpenLDAP I saved the
LDAP-Directory /var/lib/openldap-data/ with slapcat.
After restarting slapd nothing worked.
I found in my log files:
(auxpropfunc... seems to be another error. Can somebody help me?)
Sep 6 14:24:10 btfmx2 slapd[8468]: @(#) $OpenLDAP: slapd 2.2.28 (Sep 6 2005 13:26:37) $
root@btfmx2:/var/tmp/portage/openldap-2.2.28/work/openldap-2.2.28/servers/slapd
Sep 6 14:24:10 btfmx2 slapd[8468]: sql_select option missing
Sep 6 14:24:10 btfmx2 slapd[8468]: auxpropfunc error no mechanism available
Sep 6 14:24:10 btfmx2 slapd[8468]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Sep 6 14:24:10 btfmx2 slapd[8468]: bdb_db_init: Initializing BDB database
Sep 6 14:24:10 btfmx2 slapd[8468]: /etc/openldap/slapd.conf: line 83: password scheme "{CLEARTEXT}" not available
Sep 6 14:24:10 btfmx2 slapd[8468]: /etc/openldap/slapd.conf: line 83: no valid hashes found
Sep 6 14:24:10 btfmx2 slapd[8468]: slapd stopped.
Sep 6 14:24:10 btfmx2 slapd[8468]: connections_destroy: nothing to destroy.
These steps helped me:
- Re-emerging pam_krb5, cyrus-sasl, heimdal and nss_ldap
- Importing the saved LDAP database with slapadd < saved_db
- Commenting out the line: password scheme "{CLEARTEXT}"
I also had to recompile some packages like apache, sudo...
Andreas
On Monday 12 September 2005 19:46, Robert Larson wrote:
> > I have been experiencing problems with the recent openldap upgrade from
> > 2.1 branch to 2.2. I followed the directions in the ebuild as directed,
> > and I seem to be hung up on one (maybe 2) problem. The new version of
> > openldap doesn't seem to know what to do with this directive:
> > password-hash {CLEARTEXT}
> >
> > I changed the directive to {SSHA}, then re-followed the steps in the
> > ebuild for rebuilding the database. Everything seems to work fine for
> > openldap now, but I _was_ using it as the backend for kerberos
> > authentication, and kerberos doesn't like it at all:
> > kadmin -l
> > kadmin> list *
> > kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> > kadmin: kadm5_get_principals: Wrong database version
>
> Is this something I should post to an OpenLDAP list? The "password-hash
> {CLEARTEXT}" thing seems pretty standard, and is documented in openldap
> documentation and the man pages. I would find it hard to believe that it
> just became obsolete and I am the only one with problems.
>
> Also, perhaps I am looking at the problem wrong. Maybe it's an issue with
> kerberos in some way. I am a little short on my understanding of how
> kerberos passwords get hashed and stored in openldap, so maybe there is an
> answer there.
>
> I am using SASL and Heimdal kerberos. A search phrase on google, a
> direction, anything at this point would assist.
>
> Thank you for your time :)
>
> Robert
--
gentoo-server@gentoo.org mailing list
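An added example, not part of the original thread: a shell check that finds active password-hash directives in a slapd.conf naming a scheme outside an accepted list (the failure slapd logged above for line 83) and prints a copy of the config with those directives commented out. The accepted-scheme list, the function names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): locate password-hash directives in a
# slapd.conf that name a scheme outside an accepted list, and emit a copy of
# the config with those directives commented out.

# Constructed sample config; the schema path and suffix are placeholders.
sample_conf() {
cat <<'EOF'
include /etc/openldap/schema/core.schema
# password-hash {MD5}
password-hash {CLEARTEXT}
database bdb
suffix "dc=example,dc=org"
EOF
}

# Assumption: the schemes this slapd build accepts. Adjust for your build.
ACCEPTED='{SSHA} {SHA} {SMD5} {MD5} {CRYPT}'

# Print "LINE: SCHEME" for each active directive in file $1 that uses a
# scheme not listed in $2. Commented lines and continuation lines are skipped.
unsupported_hash_lines() {
    awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[toupper(a[i])] = 1 }
        tolower($0) ~ /^password-hash[ \t]/ {
            for (i = 2; i <= NF; i++)
                if (!(toupper($i) in good)) print NR ": " $i
        }' "$1"
}

# Print file $1 with every offending password-hash directive commented out.
comment_out_unsupported() {
    awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) good[toupper(a[i])] = 1 }
        tolower($0) ~ /^password-hash[ \t]/ {
            bad = 0
            for (i = 2; i <= NF; i++) if (!(toupper($i) in good)) bad = 1
            if (bad) { print "#" $0; next }
        }
        { print }' "$1"
}
```

With no password-hash directive left active, slapd falls back to its default scheme, {SSHA}.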