Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so

Lévai László laszlo.lev.levai at gmail.com
Thu Oct 30 08:35:54 UTC 2014



Hi, try this:

[1] kill all kerberos processes
[2] to start KDC: /usr/local/libexec/kdc --detach
[3] /usr/local/sbin/kadmin -l
kadmin> list -l *
[...]

            Principal: krbtgt/...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:00 UTC
             Modifier: unknown
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/changepw at ...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 5 minutes
   Max renewable life: 5 minutes
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:00 UTC
             Modifier: unknown
           Attributes: pwchange-service, requires-pre-auth,
disallow-proxiable, disallow-renewable, disallow-tgt-based,
disallow-postdated
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/admin at ...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:00 UTC
             Modifier: unknown
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: changepw/kerberos at ...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: pwchange-service, disallow-tgt-based
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: kadmin/hprop at ...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: requires-pre-auth, disallow-tgt-based
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: WELLKNOWN/ANONYMOUS at ...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 hour
   Max renewable life: 1 hour
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:

            Principal: default at ...
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-10-28 11:44:01 UTC
             Modifier: unknown
           Attributes: disallow-all-tix
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:
[...]


On 2014-10-30 09:20, O. Hartmann wrote:
> On CURRENT (FreeBSD 11.0-CURRENT #0 r273810: Wed Oct 29 07:52:22
> CET 2014 amd64) a running net/openldap24-sasl-server system is
> installed and running and is now about to be the database backend
> for Kerberos/Heimdal. net/openldap24-sasl-server is at 
> openldap-sasl-server-2.4.40.
> 
> The database storage scheme of the LDAP backend is MDB, as it is
> highly recommended by the vendors of OpenLDAP.
> 
> Searching for suitable manuals, I found some HowTos describing how
> to setup MIT Kerberos V with an OpenLDAP backend and I started
> following the instructions there. Despite the fact that
> http://www.h5l.org/manual is dead(!) and no useful documentation
> or any kind of a hint where to find useful documentation for
> Heimdal can be found, many of the MIT Kerberos V setup instructions
> seem to be a dead end when using Heimdal on FreeBSD. Most of the
> links on that heimdal site end up in ERROR 404!
> 
> Well, I think my objective isn't that exotic in a more advanced
> server environment and I think since FreeBSD is supposed to be used
> in advanced server environments this task should be well known -
> but little information/documentation is available.
> 
> Nevertheless, I use the base system's heimdal implementation and I
> run into a very frustrating error when trying to run "kadmin -l":
> 
> kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so: 
> Cannot open "/usr/lib/hdb_ldap.so"
> 
> The setup for the stanza [kdc] is
> 
> [...]
> [kdc]
>         database = {
>                 dbname = ldap:ou=kerberos,dc=server,dc=gdr
>                 #hdb-ldap-structural-object = inetOrgPerson
>                 mkey_file = /var/heimdal/m-key
>                 acl_file = /var/heimdal/kadmind.acl
>         }
> 
> instructions taken from
> http://www.padl.com/Research/Heimdal.html.
> 
> Well, it seems that FreeBSD ships with a crippled heimdal 
> implementation. Where is /usr/lib/hdb_ldap.so?
> 
> I'm toying around this issue for several days now and it gets more
> and more frustrating, also with the perspective of having no
> running samba 4.1 server for the windows domain.
> 
> Can someone give me a hint where to find suitable FreeBSD docs for
> a task like this? I guess since FreeBSD is considered a server OS
> more than a desktop/toy OS, there must be a solution for this.
> FreeBSD ships with heimdal in the base, but it seems this heimdal
> is broken.
> 
> P.S. Please CC me.
> 

-- 
Regards,
Lévai László
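The failure quoted above is the KDC tools trying to dlopen /usr/lib/hdb_ldap.so because the [kdc] database stanza names an ldap: dbname. The following preflight check is an added example, not code from either message or from Heimdal: it reads the dbname out of a krb5.conf and, for ldap:/ldapi: backends, confirms the module file exists in the library directory before kdc or kadmin is started. The lib directory defaults to /usr/lib as in the error message; the config used in the test is constructed to mirror the stanza in the thread.

```shell
#!/bin/sh
# Added example: preflight check that the hdb backend named in krb5.conf
# can be loaded before starting kdc/kadmin. Not part of Heimdal itself.
# Usage: hdb_backend_check /etc/krb5.conf [/usr/lib]
# Exit status 0 = backend usable, 1 = dbname missing or LDAP module absent.

hdb_dbname() {
    # Print the first dbname= value found inside the [kdc] section.
    # Works for both "database = { dbname=ldap:... }" on one line and the
    # multi-line form with dbname on its own line (as in the thread).
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[kdc\]/) }
        insec && match($0, /dbname[ \t]*=[ \t]*[^ \t}]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^dbname[ \t]*=[ \t]*/, "", s)
            print s
            exit
        }' "$1"
}

hdb_backend_check() {
    conf=$1
    libdir=${2:-/usr/lib}
    dbname=$(hdb_dbname "$conf")
    if [ -z "$dbname" ]; then
        echo "no dbname in [kdc] section of $conf" >&2
        return 1
    fi
    case $dbname in
        ldap:*|ldapi:*)
            # An ldap: dbname makes Heimdal load hdb_ldap.so dynamically;
            # the "Cannot open" error in the thread is this file being absent.
            if [ -r "$libdir/hdb_ldap.so" ]; then
                echo "ok: $dbname via $libdir/hdb_ldap.so"
                return 0
            fi
            echo "missing: $libdir/hdb_ldap.so is required for dbname=$dbname" >&2
            return 1
            ;;
        *)
            # File-based backends (e.g. /var/heimdal/heimdal) need no module.
            echo "ok: $dbname (no ldap module needed)"
            return 0
            ;;
    esac
}
```

Run it against the real krb5.conf on the KDC host; a non-zero exit means kdc and kadmin -l will fail the same way the thread shows, so the Heimdal build in use must provide hdb_ldap.so before the LDAP backend can be used.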
