[Date Prev][Date Next] [Chronological] [Thread] [Top]

some doubts about heimdal + ldap backend concepts

Hello everybody,

With the help of Howard Chu and some other people in this mailing
list, I managed to build and configure openLDAP as the backend
of Heimdal Kerberos, tested the authentication of W2K
client to the Heimdal Kerberos KDC and cross-realm
authentication.

Though it works, there are still some doubts about how it actually works and hopefully with the help of
this mailing list, I can get a better understanding of
what is actually happening:

1. One of the problem I found during the setup was the
failure of heimdal to contact slapd. After doing
'ldd', I found out that heimdal was pointing to a
wrong liblber and libldap. It was using libldap and
liblber in /usr/local/lib, which are obsoletes.
I have fed the following options:
--with-openldap = /usr/local (the location of my
openldap installation)
--with-openldap-lib = /usr/lib (where the right
liblber and libldap resides)
During make install, it seems to point at /usr/lib, but
unfortunataly ldd kdc still says that liblber and
libldap are using libraries in /usr/local/lib and hence heimdal can't contact openldap.
I finally created the symbolic links manually for
libldap and liblber to point to the right libraries.
This doesn't seem right to me....
Any comments guys ?

2. I used a patch for hdb-ldap.c from Alberto Patino
given in the following link:
http://www.stacken.kth.se/lists/heimdal-discuss/2003-05/msg00040.html
for SASL/EXTERNAL call to the local IPC LDAPI
interface:
[root@myserver heimdal-0.6]# patch -p1 <
/usr/local/hdbfix.diff
patching file lib/hdb/hdb-ldap.c
patch unexpectedly ends in middle of line
Hunk #4 succeeded at 1118 with fuzz 1.
[root@myserver heimdal-0.6]#
This is the first time I saw a patching result like
the above. Did the above mean everything is allright
or something is wrong ?

3. Again about the usage of SASL/EXTERNAL mechanism in
retrieving the principal's credentials:
shell% ldapsearch -Y EXTERNAL -ZZ -b
ou=KPrincipals,dc=laras,dc=com
'objectclass=krb5KDCEntry'
shell% ldapsearch -x -L -h localhost -D
cn=Manager,dc=laras,dc=com -w secret -b
ou=KPrincipals,dc=laras,dc=com
Both ways (using simple bind and SASL/EXTERNAL) work. So, SASL/EXTERNAL is not mandatory ? 
4. Is there any good documentation / howto on how to ensure the security of ldap backend ? any guidance on how to set the authorization ?
Thanks in advance,
lara


------------------------------------------------------------------------------------
La vie, voyez-vous, ca n'est jamais si bon ni si mauvais qu'on croit
- Guy de Maupassant -
------------------------------------------------------------------------------------

Do you Yahoo!?
Yahoo! Small Business $15K Web Design Giveaway - Enter today