From: Andreas Herrmann
To: gentoo-server@lists.gentoo.org
Subject: Re: [gentoo-server] LDAP password-hash and kerberos
Date: Mon, 12 Sep 2005 21:38:09 +0200
User-Agent: KMail/1.8.1
References: <200509091107.02924.robert@sixthings.com> <200509121246.59783.robert@sixthings.com>
In-Reply-To: <200509121246.59783.robert@sixthings.com>
List-Id: Gentoo Linux mail
Message-Id: <200509122138.10013.sma@fsmpi.uni-bayreuth.de>

I use the same configuration: OpenLDAP, SASL and Heimdal kerberos.

Before merging the new OpenLDAP I saved the LDAP directory /var/lib/openldap-data/ with slapcat. After restarting slapd nothing worked. I found this in my log files (auxpropfunc... seems to be another error. Can somebody help me?):

Sep 6 14:24:10 btfmx2 slapd[8468]: @(#) $OpenLDAP: slapd 2.2.28 (Sep 6 2005 13:26:37) $ root@btfmx2:/var/tmp/portage/openldap-2.2.28/work/openldap-2.2.28/servers/slapd
Sep 6 14:24:10 btfmx2 slapd[8468]: sql_select option missing
Sep 6 14:24:10 btfmx2 slapd[8468]: auxpropfunc error no mechanism available
Sep 6 14:24:10 btfmx2 slapd[8468]: _sasl_plugin_load failed on sasl_auxprop_plug_init for plugin: sql
Sep 6 14:24:10 btfmx2 slapd[8468]: bdb_db_init: Initializing BDB database
Sep 6 14:24:10 btfmx2 slapd[8468]: /etc/openldap/slapd.conf: line 83: password scheme "{CLEARTEXT}" not available
Sep 6 14:24:10 btfmx2 slapd[8468]: /etc/openldap/slapd.conf: line 83: no valid hashes found
Sep 6 14:24:10 btfmx2 slapd[8468]: slapd stopped.
Sep 6 14:24:10 btfmx2 slapd[8468]: connections_destroy: nothing to destroy.

These steps helped for me:
- Re-emerging pam_krb5, cyrus-sasl, heimdal and nss_ldap
- Importing the saved LDAP database with slapadd < saved_db
- Commenting out the line: password scheme "{CLEARTEXT}"

I also had to recompile some packages like apache, sudo...

Andreas

On Monday 12 September 2005 19:46, Robert Larson wrote:
> > I have been experiencing problems with the recent openldap upgrade from
> > 2.1 branch to 2.2. I followed the directions in the ebuild as directed,
> > and I seem to be hung up on one (maybe 2) problem. The new version of
> > openldap doesn't seem to know what to do with this directive:
> > password-hash {CLEARTEXT}
> >
> > I changed the directive to {SSHA}, then re-followed the steps in the
> > ebuild for rebuilding the database. Everything seems to work fine for
> > openldap now, but I _was_ using it as the backend for kerberos
> > authentication, and kerberos doesn't like it at all:
> > kadmin -l
> > kadmin> list *
> > kadmin: opening database: ldap_sasl_bind_s: Can't contact LDAP server
> > kadmin: kadm5_get_principals: Wrong database version
>
> Is this something I should post to an OpenLDAP list? The "password-hash
> {CLEARTEXT}" thing seems pretty standard, and is documented in openldap
> documentation and the man pages. I would find it hard to believe that it
> just became obsolete and I am the only one with problems.
>
> Also, perhaps I am looking at the problem wrong. Maybe it's an issue with
> kerberos in some way. I am a little short on my understanding of how
> kerberos passwords get hashed and stored in openldap, so maybe there is an
> answer there.
>
> I am using SASL and Heimdal kerberos. A search phrase on google, a
> direction, anything at this point would assist.
>
> Thank you for your time :)
>
> Robert

-- 
gentoo-server@gentoo.org mailing list
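A pre-restart check of the kind both mails needed, added here as an example (it is not code from either poster): it scans a slapd.conf for an active `password-hash {CLEARTEXT}` directive, the one slapd 2.2.28 refused in Andreas' log ("password scheme "{CLEARTEXT}" not available"), and writes a copy with that line commented out, which is the fix Andreas applied. The sample config fragment, the temporary file names and the function names are constructed for the example; nothing else about the real slapd.conf is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. It looks for an uncommented
# "password-hash {CLEARTEXT}" directive (the scheme slapd 2.2.28 rejected
# in the log above) and produces a copy of the config with it commented
# out. The sample config and file names below are constructed.

# Print "<lineno>:<line>" for every uncommented password-hash directive
# that names the {CLEARTEXT} scheme. Exit status follows grep: 0 if at
# least one was found, 1 if none.
find_cleartext_hash() {
    grep -n '^[[:space:]]*password-hash[[:space:]].*{CLEARTEXT}' "$1"
}

# Number of such directives as a plain integer on stdout (always exits 0,
# so it is safe to use under "set -e").
count_cleartext_hash() {
    find_cleartext_hash "$1" | wc -l | tr -d ' '
}

# Write a copy of $1 to $2 with each offending directive commented out.
# The original is left untouched so the two files can be diffed before
# slapd is restarted; with the directive active slapd stops, as the log
# shows ("no valid hashes found", "slapd stopped.").
comment_out_cleartext_hash() {
    sed -e 's/^\([[:space:]]*password-hash[[:space:]].*{CLEARTEXT}.*\)$/# \1/' "$1" > "$2"
}

# --- demo on a constructed config fragment -------------------------------
WORK=$(mktemp -d)
SAMPLE_CONF="$WORK/slapd.conf"
FIXED_CONF="$WORK/slapd.conf.fixed"

cat > "$SAMPLE_CONF" <<'EOF'
# constructed slapd.conf fragment for the example
include         /etc/openldap/schema/core.schema
database        bdb
suffix          "dc=example,dc=org"
rootdn          "cn=Manager,dc=example,dc=org"
directory       /var/lib/openldap-data
password-hash   {CLEARTEXT}
EOF

if find_cleartext_hash "$SAMPLE_CONF"; then
    echo "found {CLEARTEXT} password-hash; writing $FIXED_CONF"
    comment_out_cleartext_hash "$SAMPLE_CONF" "$FIXED_CONF"
    echo "remaining in fixed copy: $(count_cleartext_hash "$FIXED_CONF")"
else
    echo "no {CLEARTEXT} password-hash directive in $SAMPLE_CONF"
fi
```

Point it at the real /etc/openldap/slapd.conf before restarting the upgraded slapd, and keep the slapcat dump taken before the merge: in the thread the recovery path after the failed restart was slapadd from exactly that dump.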