Re: Preauth error ldap heimdal kerberos

To: Buchan Milne <bgmilne@staff.telkomsa.net>

Subject: Re: Preauth error ldap heimdal kerberos

From: Μανόλης Βλαχάκης <manolisvl18@yahoo.gr>

Date: Tue, 23 Mar 2010 18:03:32 +0200

Cc: Dan White <dwhite@olp.net>, openldap-software@openldap.org

Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:sender:received:in-reply-to :references:date:x-google-sender-auth:message-id:subject:from:to:cc :content-type; bh=LlXyrymF2jgBLiF6e1NYeaJ1f+RaybQ73FdkEsRs53E=; b=rssjG6vY7NUEiv7S3K2LEKnkFL+pj9fXEjyyxMRKJK9ErGLtvRcH0RWvEv6TKCArOf 0EzDL6dk+wcp/eAvNepR01IYfRUEXyMReFCstEq9DxrmokghlxRcd9+3xtUnjbmiZgjW Gn0iGo9wDxNvli9WlfjyiQg2h7IKgIKDTMcFA=

Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:cc:content-type; b=mxRKki+kEjqni1lCHzwTyTq0qC7d/QFZULpYBycjJfxuwenEAaZlqjAwJ4f0uVNcX/ wy5zkI1UjQn2e2qPZcZr0LA8ItkXnpdT0BHptwjry99JpwSh5fe76RfzW+dAUMP/QwLy M+ttf/oDGWluP5MtzbozRFcuK14Ob2KWpyPtY=

In-reply-to: <201003231110.49423.bgmilne@staff.telkomsa.net>

References: <94f77e481003190339u2ec3d628we25acd520486a30d@mail.gmail.com> <20100319214922.GI4718@dan.olp.net> <94f77e481003220349m4753ddffkd7d7716f62ccf120@mail.gmail.com> <201003231110.49423.bgmilne@staff.telkomsa.net>

Made what?

i solved the SQL error showing on the log...i deleted the libs..

A SASL/GSSAPI bind is attempted, but you haven't yet shown whether you have a
Kerberos TGT, or valid service tickets. Please show the output of 'klist'

*klist

Credentials cache: FILE:/tmp/krb5cc_0

Principal: ldapmaster@TEIPIR.GR

Issued Expires Principal

Mar 23 17:35:52 Mar 24 03:35:52 krbtgt/TEIPIR.GR@TEIPIR.GR

Mar 23 17:36:20 Mar 24 03:35:52 ldap/proof.teipir.gr@TEIPIR.GR

Which problem are we trying to solve? The GSSAPI bind, or the access lists? If
you want GSSAPI bind, maybe you should concentrate on it first, as your access
lists may be different for the case where you have GSSAPI working vs not.

the problems i face today are

1)when i try to search

the authorizes users i created as read at the( http://www.openinput.com/auth-howto/ar01s06.html#d0e781 which followed in every step i did)i get no message asking a password and continues at ones the search

a general question ..

my project is retrieving data form an ldap tree through a PHP application with the most secure way possible

should i only authorize the admins or all the sub entries of a "leaf" on our ldap tree(user names,pass...e.t.c. of the users )

P.S.:i attach you my slap.conf so as to get the full idea of my settings,(i gan paste you my sasl configs too)

Thank you very much!!

# See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema #include /etc/openldap/schema/misc.schema #include /etc/openldap/schema/openldap.schema include /etc/openldap/schema/java.schema include /etc/openldap/schema/krb5-kdc.schema loglevel -1 # Misc options # Maximum number of entries to return from a search operation. Useful # to prevent trolling of directory by spammers, etc. sizelimit 20 # Maximum size of the primary thread pool. threads 8 allow bind_v2 # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args sizelimit 20 # Maximum size of the primary thread pool. threads 8 allow bind_v2 # Define global ACLs to disable default read access. # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/lib/openldap/openldap # moduleload back_shell.so # moduleload back_relay.so # moduleload back_perl.so moduleload back_passwd.so # moduleload back_null.so # moduleload back_monitor.so # moduleload back_meta.so moduleload back_hdb.so # moduleload back_dnssrv.so # Require 63-bit encryption for simple bind # security ssf=1 update_ssf=112 simple_bind=64 # Sample access control policy: # Root DSE: allow anyone to read it # Subschema (sub)entry DSE: allow anyone to read it # Other DSEs: # Allow self write access # Allow authenticated users read access # Allow anonymous users to authenticate # Directives needed to implement policy: #Mapping of SASL authentication identities to LDAP entries sasl-regexp uid=(.*),cn=(.*),cn=.*,cn=auth ldap:///dc=$2,dc=gr??sub?(|(uid=$1)(cn=$1@$2)) sasl-regexp uid=(.*),cn=.*,cn=auth ldap:///dc=teipir,dc=gr??sub?(|(uid=$1)(krb5PrincipalName=$1@TEIPIR.GR)) sasl-regexp uidnumber=0\\\+gidnumber=0,cn=peercred,cn=external,cn=auth cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr # This is needed so sasl-regexp/GSSAPI works correctly #access to attrs=krb5PrincipalName # by anonymous auth # Kerberos attributes may only be accessible to root/ldapmaster #access to attrs=krb5KeyVersionNumber,krb5PrincipalRealm,krb5EncryptionType,krb5KDCFlags,krb5Key,krb5MaxLife,krb5MaxRenew,krb$ # by * none # We will be using userPassword to provide simple BIND access, so we don't want this to be user editable #access to attrs=userPassword #access to * # by dn="cn=M@nSpi,dc=teipir,dc=gr" write # by dn="cn=Vlachakis Emmanouil,ou=Managers,dc=teipir,dc=gr" write # by dn="cn=Oikonomakis Spyridwn,ou=Managers,dc=teipir,dc=gr" write # by users read # by * write # by * auth access to * by * write # CA signed certificate and server cert entries: TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /etc/ssl/certs/cacert.pem TLSCertificateFile /etc/openldap/ssl/voikocrt.pem TLSCertificateKeyFile /etc/openldap/ssl/voikokey.pem # Use the following if client authentication is required TLSVerifyClient try # ... or not desired at all #TLSVerifyClient never # # if no access controls are present, the default policy # allows anyone and everyone to read anything but restricts # updates to rootdn. (e.g., "access to * by * read") # # rootdn can always read and write EVERYTHING! # BDB database definitions ####################################################################### database hdb suffix dc=teipir,dc=gr # <kbyte> <min> checkpoint 32 30 rootdn cn=M@nSpi,dc=teipir,dc=gr #rootdn "cn=ldapmaster@TEIPIR.GR,ou=kerberos,dc=teipir,dc=gr" # Cleartext passwords, especially for the rootdn, should # be avoid. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. rootpw {SSHA}I3uStTuu03acS7E/Wp85xNBawCqzvgtY # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 rec directory /var/lib/openldap-data # Indices to maintain #index objectClass eq #index cn,sn,uid pres,eq,approx,sub #index objectClass eq index default eq,pres directory /var/lib/openldap-data # Indices to maintain #index objectClass eq #index cn,sn,uid pres,eq,approx,sub #index objectClass eq index default eq,pres index objectClass eq index cn,sn,givenname,mail eq,pres,sub index uid,uidNumber,gidNumber index memberUid index krb5PrincipalName,krb5PrincipalRealm security simple_bind=64

References:

Preauth error ldap heimdal kerberos
- From: Μανόλης Βλαχάκης <manolisvl18@yahoo.gr>
Re: Preauth error ldap heimdal kerberos
- From: Dan White <dwhite@olp.net>
Re: Preauth error ldap heimdal kerberos
- From: Μανόλης Βλαχάκης <manolisvl18@yahoo.gr>
Re: Preauth error ldap heimdal kerberos
- From: Buchan Milne <bgmilne@staff.telkomsa.net>