
User talk:Haoqili

From K5Wiki

Thanks to Tom, Zhanna, Greg, and Will for helping me find the solutions.
I can, I can!


Things to do

  • figure out why:
My password for ldap is "a" I have tried both upper and lower cases, but I always get:

$ /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -w a -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
kdb5_ldap_util: Invalid credentials while initializing database

and this:

ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)
  • make keystash in mkm py the right place

Kerberos Little Bugs I've encountered and fixed (started logging since Jun 24th).

  • When trying to kinit username
ERROR: kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials
SOLUTION: make sure the KDC is running: /usr/local/sbin/krb5kdc
SOLUTION: 1. Check the log file. I looked in /var/log/auth.log; the bottom of it says: Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exists. 2. sudo rm /var/tmp/krb5kdc_rcache.
  • Can't start krb5kdc, and auth.log says:
ERROR: Address already in use - Cannot bind server socket to port [#] address [IP address]
ERROR: <open file '<fdopen>', mode 'rb' at 0x9a38660>
SOLUTION: 1. Check whether port [#] really is in use with netstat -nap | grep [#] (I also did pgrep -x krb5kdc). 2. Kill the process: pkill -x krb5kdc. Note the "-x" matches the process name "krb5kdc" exactly.
  • When changing a password with kpasswd: Cannot contact any KDC for realm [your realm fqdn]
  • and/or can't start kadmind (known because echo $? gives 1). The last chunk of auth.log says:
ERROR:
kadmind[6924]: No dictionary file specified, continuing without one.
kadmind[6924]: setting up network...
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
kadmind[6924]: skipping unrecognized local address family 17
kadmind[6924]: skipping unrecognized local address family 17
kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
kadmind[6924]: set up 0 sockets
kadmind[6924]: no sockets set up?
Reason (provided by tlyu): It is trying to bind to a privileged port. You need to give it a different port number; actually, two different port numbers: one for password changing and one for normal kadmin.
SOLUTION:
In kdc.conf, insert the last two lines shown here:
kdc_ports = 8888
kpasswd_port = 8887
kadmind_port = 8886
In krb5.conf modify/insert the lines:
admin_server = yourComputerName.domain:8886
kpasswd_server = yourComputerName.domain:8887
  • Purge key (kdb5_util purge_mkeys) gives an error
ERROR:
kdb5_util: Invalid argument while updating actkvno data for master principal entry
SOLUTION:
#you must activate the keys that have not been "used" like this:
kdb5_util use_mkey kvno [time]
#i.e. kdb5_util use_mkey 2 'now+2days'
  • When running a kadmin command, it fails with an "Operation requires xx privilege" error
ERROR:
$ kadmin -p haoqili/admin -w test123 -q 'listprincs'
Authenticating as principal haoqili/admin with password.
get_principals: Operation requires ``list'' privilege while retrieving list.
SOLUTION:
I hadn't created my acl file yet. In kdc.conf I have specified acl_file = /home/haoqili/kdcfiles/kadm5.acl, so now I need to create kadm5.acl:
#kadm5.acl, setting up my "admin" principal with all rights, i.e. *
haoqili/admin *
Also, before I created the kadm5.acl, I used echo $? to check the command. However, it gave me a 0 even though there was output on stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
P.S. I later changed the line in my acl file to be */admin * to allow others
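Added example (Python 3, not from these notes or from MIT krb5): a tiny evaluator for kadm5.acl lines that shows why `haoqili/admin *` covers only that one principal, why `*/admin *` covers every */admin principal, and how a narrower line grants a principal only the operations it needs. The matching rules it uses (per-component globbing, first matching line wins, a pattern without @REALM matches any realm) are simplifying assumptions, and the helpdesk entry is constructed.

```python
"""Added example, not from these notes or from MIT krb5: a tiny kadm5.acl
evaluator showing why 'haoqili/admin *' covers only that one principal, why
'*/admin *' covers every */admin principal, and how a narrower line grants
only the kadmin operations a principal actually needs.

Simplifying assumptions: '*' or 'x' in the permissions field grants every
permission; wildcards in a principal are matched per component with
fnmatch and the component counts must agree; a line without @REALM matches
any realm; the first matching line decides; negative (uppercase)
permissions and the optional restrictions field are not modelled.
"""
import fnmatch

ALL_PERMS = frozenset("admcilspe")

# kadmin command -> permission letter it needs (a=add, d=delete, m=modify,
# c=change password, i=inquire, l=list), as listed in the kadm5.acl docs.
OPS = {"addprinc": "a", "delprinc": "d", "modprinc": "m", "cpw": "c",
       "getprinc": "i", "listprincs": "l"}


def parse_acl(text):
    """Parse 'principal permissions [target]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed kadm5.acl line: %r" % raw)
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else "*"
        if perms in ("*", "x"):
            granted = ALL_PERMS
        else:
            granted = frozenset(perms) & ALL_PERMS
        rules.append((principal, granted, target))
    return rules


def principal_matches(pattern, principal):
    """Component-wise glob match of a principal against an ACL pattern."""
    pat_name, _, pat_realm = pattern.partition("@")
    name, _, realm = principal.partition("@")
    if pat_realm and not fnmatch.fnmatchcase(realm, pat_realm):
        return False
    pat_parts, parts = pat_name.split("/"), name.split("/")
    if len(pat_parts) != len(parts):
        return False
    return all(fnmatch.fnmatchcase(c, p) for p, c in zip(pat_parts, parts))


def is_allowed(rules, principal, op, target="*"):
    """Decide whether `principal` may run kadmin `op` (on `target`)."""
    letter = OPS[op]
    for pat, granted, tpat in rules:
        if principal_matches(pat, principal) and (
                tpat == "*" or principal_matches(tpat, target)):
            return letter in granted
    # No matching line: kadmin reports "Operation requires ... privilege".
    return False


# The two versions of the file from the notes, plus a least-privilege
# variant (constructed): helpdesk/admin may only look up principals and
# reset passwords; every other */admin keeps full rights.
ONLY_ME = parse_acl("haoqili/admin *\n")
ANY_ADMIN = parse_acl("*/admin *\n")
LEAST_PRIV = parse_acl(
    "# helpdesk: inquire and change passwords only\n"
    "helpdesk/admin@EXAMPLE.COM  ci\n"
    "*/admin@EXAMPLE.COM  *\n")

if __name__ == "__main__":
    for label, rules in (("only me", ONLY_ME), ("any admin", ANY_ADMIN),
                         ("least priv", LEAST_PRIV)):
        for who in ("haoqili/admin@EXAMPLE.COM", "zhanna/admin@EXAMPLE.COM",
                    "helpdesk/admin@EXAMPLE.COM", "zhanna@EXAMPLE.COM"):
            print(label, who,
                  "listprincs:", is_allowed(rules, who, "listprincs"),
                  "delprinc:", is_allowed(rules, who, "delprinc",
                                          "test@EXAMPLE.COM"))
```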

Python Bugs I've encountered and fixed

  • When driving a shell command from Python that asks for a password twice (in my case kdb5_util add_mkey; the second time is the confirmation). I first tried:
p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
(out, err) = p.communicate('password')
(out2, err2) = p.communicate('password')
When I ran it, I got a chunk of errors ending with: ValueError: I/O operation on closed file. What happens is that communicate() writes the input, closes the pipe and waits for the process, so it can only be called once; the second call breaks.
Solution code:
from subprocess import Popen, PIPE
p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
p.stdin.write('password'+'\n')  # first prompt
p.stdin.write('password'+'\n')  # confirmation prompt
Note: don't forget the newline at the end of each write; the program reads a whole line.

Tips. Useful little things to know

Kerberos

  • Good link
  • kadmin.local -q 'modprinc +needchange [princname]' , the flag needchange forces the principal to change its password upon kinit.
  • kadmin.local -q 'modprinc -policy [policyname] [princname]' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.
  • There is a bug (ticket 6507): kdb5_util update_princ_encryption uses the latest mkey instead of the specified mkey
  • AES has replaced Triple DES, but there are still places that have Triple DES set as the default (such as in klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile])
  • Test the date parser (getdate). Navigate to src/kadmin/cli
    • delete 2nd argument in main of getdate.y
    • rm getdate.c
    • make getdate.c
    • gcc -o datetest -DTEST getdate.c -I../../include
    • ./datetest
  • kadmind -nofork is useful from Python because it keeps kadmind in the foreground, so the script can read its log lines and wait until it has started before running later steps, instead of those steps timing out.
l0b = self.parentpath + 'kadmind -nofork'
pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
print "kadmind -nofork"
while True:
    l = pl0b.stderr.readline()     # kadmind logs to stderr when run with -nofork
    if l.find("starting") > -1:    # e.g. "kadmind: starting..."
        print l.strip()
        break

Ubuntu

  • Change computer name: gksudo gedit /etc/hostname
  • Change Colors
    • Change color of background is easy. Just go to "Edit" and "Profile Preferences"
    • Change color of the prompt line is more difficult. Here is a good guide, but it is in a lot more detail than I needed. You can read that if you don't want the prompt color to be green or want to know how it works. But most basically:
      1. Navigate to home. cd ~/
      2. vim .bashrc
      3. Un-comment: #force_color_prompt=yes by deleting the #
      4. Open a new terminal to see the result
    • I have:
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

# ANSI color codes
RS="\[\033[0m\]"    # reset
HC="\[\033[1m\]"    # hicolor
UL="\[\033[4m\]"    # underline
INV="\[\033[7m\]"   # inverse background and foreground
FBLK="\[\033[30m\]" # foreground black
FRED="\[\033[31m\]" # foreground red
FGRN="\[\033[32m\]" # foreground green
FYEL="\[\033[33m\]" # foreground yellow
FBLE="\[\033[34m\]" # foreground blue
FMAG="\[\033[35m\]" # foreground magenta
FCYN="\[\033[36m\]" # foreground cyan
FWHT="\[\033[37m\]" # foreground white
BBLK="\[\033[40m\]" # background black
BRED="\[\033[41m\]" # background red
BGRN="\[\033[42m\]" # background green
BYEL="\[\033[43m\]" # background yellow
BBLE="\[\033[44m\]" # background blue
BMAG="\[\033[45m\]" # background magenta
BCYN="\[\033[46m\]" # background cyan
BWHT="\[\033[47m\]" # background white

if [ "$color_prompt" = yes ]; then
    # PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;32m\]\w\[\033[00m\]\$ '

    #PS1="[ ${debian_chroot:+($debian_chroot)}\u: \w ]\\$ "
    #PS2="> "
    #PS1=" $FRED${debian_chroot:+($debian_chroot)}"
    #PS2="> "
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
  • Change root password:
    • Reboot
    • ESC to Recovery Mode
    • (wait)
    • click: root Drop to root shell prompt
    • ls /home
    • passwd username
    • change your password
    • exit
    • click: resume
  • The Caps Lock light is reversed.
Reset Caps Lock: xmodmap -e "remove Lock = Caps_Lock" and then xmodmap -e "add Lock = Caps_Lock"

Shell

The following characters have special meanings in grep or egrep:
In egrep:
| ^ $ . * + ? ( ) [ { } \
In grep:
^ $ . * \( \) [ \{ \} \
  • 0 = STDIN, 1 = STDOUT, 2 = STDERR. For example, blah 2> /dev/null sends blah's STDERR to /dev/null
  • > overwrites, >> appends
    • without seeing what is being written: ksh filename > writefilename 2>&1 (the 2>&1 writes the errors to the file as well)
    • while seeing what is being written: ksh filename 2>&1 | tee writefilename
  • ksh: typeset'ing vars in a function makes those vars local to the function.
  • Avoid typing in the sudo password every time:
    Edit /etc/sudoers such that under the line root ALL=(ALL) ALL, this line is added: [username] ALL=(ALL) ALL
  • Add a path as the first option in a path
    e.g. slapd's path. Currently when you do echo $PATH, /usr/local/sbin shows in front. I want to add /usr/local/libexec.
export PATH=/usr/local/libexec:$PATH
Now I have /usr/local/libexec as the first option under echo $PATH
  • pkill doesn't always work. Use pkill -9 (SIGKILL) or pkill -15 (SIGTERM) instead. Same with sudo kill.
  • A Debugger! :D gdb [command]

Python


Common Stuff

  • Cannot do [print line for line in linelist]; you must have a function that prints the line, say printl(), and do [printl(line) for line in linelist]

More Specific Stuff

  • p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)
(out, err) = p.communicate('inputThing\n')  # don't forget the return "\n" at the end!
  • When you're doing a bunch of p = Popen('shell command') calls, be careful: Popen starts a new process that runs concurrently, so the next Popen might start before the previous one has completed. To fix this problem, put in:
import sys
if int(p.wait()) != 0:  # non-zero exit status means the command failed
    print "error message"
    sys.exit(1)
  • Two ways to display the output after Popen of a command that has to get into something (in my case, getting into kadmin.local) 06262009
Way 1:
p = Popen(['command', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE)  # e.g. ['kadmin.local', '-q', 'listprincs']
if int(p.wait()) != 0:
    print p.stdout.readlines()
Way 2:
p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE)  # e.g. ['kadmin.local']
(out, err) = p.communicate('rest of command')  # e.g. 'listprincs'
print out
  • To avoid typing a chunk of common code every time, i.e.
p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
this can be changed to:
s = {'stdin': PIPE, 'stdout': PIPE, 'stderr': PIPE}
p = Popen(cmd, **s)
  • For putting in a shell command directly, can turn shell=True. Note the command here can be a single line of string, not split up.
p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
  • The p.stdout.readlines() can be read only once
  • Print current time in python:
from time import strftime
print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
Output: current time: 2009-07-06 22:00:54
  • Sleep for 7 seconds.
import time
time.sleep(7)
  • Popen( env=blah ) this argument only needs to be specified when the environment is changing
  • To terminate a while loop after 3 seconds: start = time.time() and then while time.time() - start < 3: blah (remember to import time; time.clock() measures CPU time on Unix, not wall-clock time)
  • Kadmin's wait() number (exit status) failed to indicate that there was an error. The chunk below was generated when I tested it manually. It clearly points out that the acl file is missing (documented above).
$ kadmin -p haoqili/admin -w test123 -q 'getprinc test'
Authenticating as principal haoqili/admin with password.
get_principal: Operation requires ``get'' privilege while retrieving "test@K.MIT.EDU".
What I saw in the output of the test was just the line "Authenticating ...", because wait() = 0, so I only printed stdout. However, the last line was on stderr. So I asked Tom whether the existence of a stderr message is a better indicator of the success/failure of a command than the exit number. The answer is "not necessarily".
Tom: Some programs write things to stderr even when there's not an error.
Me: why would they do that?
Tom: various reasons. sometimes prompts are written to stderr so they won't end up in redirected output by default.
  • Ordering of stdout/stderr messages:
Tom: if you use separate pipes for stderr and stdout, you may get the relative ordering of the messages mixed up if you print all stdout, then print all stderr.
Me: right now I have stdin=PIPE, stdout=PIPE, stderr=PIPE. Is this separate pipes or the same pipe?
Tom: separate pipes, i think.
Tom: so to get program output in order, i would make stderr=STDOUT when creating the subprocess, and check the value of wait()
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,
         stderr=PIPE)

This gives all outputs together, and all errors together

= = = 

p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,
         stderr=STDOUT)

This gives the outputs and errors in the order they come.
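Added example (Python 3, not code from these notes): it ties together the points above, feeding both password prompts with one communicate() call instead of two, merging stderr into stdout so the messages keep their real order, and judging success from both the exit status and the merged text, since kadmin can exit 0 after printing an "Operation requires ... privilege" error. The two commands it runs are constructed sh stand-ins for kadmin and kdb5_util add_mkey; no real KDC is involved.

```python
"""Added example (Python 3), not from these notes: run a command the way
the discussion above recommends, with stderr folded into stdout so the
lines keep their real order, feed both password prompts with a single
communicate() call, and judge success from BOTH the exit status and the
merged text, since kadmin can exit 0 after printing an
'Operation requires ... privilege' error to stderr.

Assumptions: the two commands below are constructed sh stand-ins that
mimic the kadmin and kdb5_util add_mkey behaviour quoted in the notes;
no real KDC is involved.
"""
import re
import subprocess
from subprocess import PIPE, STDOUT

PRIV_ERROR = re.compile(r"Operation requires ``(\w+)'' privilege")


def run_merged(argv, input_text=None, timeout=30):
    """Run argv with stdin/stdout pipes and stderr merged into stdout.

    communicate() writes all of input_text, closes stdin, drains the pipe
    and reaps the child, so it is called exactly once (a second call is
    the 'I/O operation on closed file' error from the notes)."""
    p = subprocess.Popen(argv, stdin=PIPE, stdout=PIPE, stderr=STDOUT,
                         text=True)
    out, _ = p.communicate(input_text, timeout=timeout)
    return p.returncode, out


def missing_privilege(out):
    """Name of the missing kadm5.acl privilege, or None if no such error."""
    m = PRIV_ERROR.search(out)
    return m.group(1) if m else None


def command_failed(rc, out):
    """True if the command failed, even when its exit status is 0."""
    return rc != 0 or missing_privilege(out) is not None


# Constructed stand-in for `kadmin -q 'getprinc test'` with no ACL entry:
# line 1 goes to stdout, the privilege error to stderr, exit status 0.
FAKE_KADMIN = [
    "sh", "-c", 'printf "%s\\n" "$1"; printf "%s\\n" "$2" >&2; exit 0',
    "fake-kadmin",
    "Authenticating as principal haoqili/admin with password.",
    "get_principal: Operation requires ``get'' privilege while retrieving "
    '"test@K.MIT.EDU".',
]

# Constructed stand-in for `kdb5_util add_mkey`: reads the password and its
# confirmation from stdin, one per line, and fails if they differ.
FAKE_ADD_MKEY = [
    "sh", "-c",
    'read -r a; read -r b; '
    'if [ "$a" = "$b" ]; then echo "key added"; exit 0; fi; '
    'echo "passwords do not match" >&2; exit 1',
]


def check_kadmin():
    """Exit status, ordered output lines, failure verdict, missing privilege."""
    rc, out = run_merged(FAKE_KADMIN)
    return rc, out.splitlines(), command_failed(rc, out), missing_privilege(out)


def add_mkey(password, confirmation):
    """Both prompts answered in one write; each answer newline-terminated."""
    rc, out = run_merged(FAKE_ADD_MKEY, password + "\n" + confirmation + "\n")
    return rc, out.strip(), command_failed(rc, out)


if __name__ == "__main__":
    print(check_kadmin())            # exit status 0, yet failed: 'get' missing
    print(add_mkey("abcde", "abcde"))
    print(add_mkey("abcde", "wrong"))
```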

MKM Errors Put Aside

  • Adding the 1058th master key gives a memory error
  • getdate.y has problems:
/trunk/src/kadmin/cli$ ./datetest
Enter date, or blank line to exit.
> 6 months
Sat Jan 9 14:22:36 2010
> 12/31/2009
Wed Dec 30 23:00:00 2009
> 07/10/2009
Thu Jul 9 23:00:00 2009
> 01/01/2009
Wed Dec 31 23:00:00 2008
> 01/01/2009 00:00:00
Wed Dec 31 23:00:00 2008
  • Phantom list_mkey error after adding -e aes128-cts-hmac-sha1-96. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
for lines 283-289:
print "Testing add_mkey with aes128 enctype
=============================================="
kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
abcde
abcde
EOF
kdb5_util list_mkeys
print "Testing add_mkey with aes128 enctype done
=============================================="
The list_mkeys at the bottom is giving the following error:
kdb5_util: Unable to decrypt latest master key with the provided master key
while getting master key list
kdb5_util: Warning: proceeding without master key list
kdb5_util: master keylist not initialized

Getting LDAP Running

configure kerberos with LDAP backend

Nice looking LDAP tutorial

  • (DON'T FOLLOW THESE STEPS, THEY WILL CAUSE CONFLICTS; follow Greg's steps instead) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html
  • Install BerkeleyDB
    • Download berkeleydb4.7
    • cd to folder
    • cd build_unix (on my Ubuntu)
    • ../dist/configure
    • make
    • sudo make install
  • Install Open LDAP
    • ./configure (fails)
ERROR: DBD/HDB:BerkeleyDB not available
Fixed: CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include" then export CPPFLAGS
  • ./configure
  • make depend
  • make (fails)
ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
FIXED: CPPFLAGS=-D_GNU_SOURCE then export CPPFLAGS
  • make
  • make test (takes a while)
  • sudo make install (installed in /usr/local/etc/openldap)
  • Change configuration file at /usr/local/etc/openldap/slapd.conf
  • <my-domain> <-- example
  • <com> <-- com
  • password is still "secret"
  • cn is still "Manager"
  • Start SLAPD: sudo /usr/local/libexec/slapd
    • Check if it works by a search: ldapsearch blah
  • Add entries. Consult link above.

What I should have done. Faster, simpler. Directions given by Greg Hudson.
1. sudo apt-get install slapd (for server program)
2. sudo apt-get install ldap-utils (for ldapsearch)
3. copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema
4. In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine
5. ldapsearch test:

ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com
-H ldapi:/// indicate the URI for the LDAP server
-x simple authentication
-W password prompt
-D cn=Manager,dc=example,dc=com specify the "bind DN", like a username
-LLL shortens output
-b specify base of query to restrict the scope of the query

6. sudo apt-get install libldap2-dev
7. Modify kdc.conf to include:

[dbmodules]
LDAP = {
     db_library = kldap
     ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
     ldap_kdc_dn = cn=admin,dc=example,dc=com
     ldap_kadmind_dn = cn=admin,dc=example,dc=com
     ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
     ldap_servers = ldapi:///
}

8. Build krb5 from source with a different configure command: ./configure --with-ldap
9. Create your database not with kdb5_util, but with kdb5_ldap_util like this: kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s

At the end of step 6: I thought I didn't have to do steps 1 and 2 since I had installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following
ERROR:

$ sudo apt-get install slapd
Reading package lists... Done
Building dependency tree       
Reading state information... Done
slapd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 169 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up slapd (2.4.15-1ubuntu3) ...
  Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.FZDOiAlAPo) failed with the following
error while running slapadd:
    str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
    slapadd: could not parse entry (line=16)
dpkg: error processing slapd (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)

It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.

SOLUTION: I fixed this error by removing the packaged slapd to avoid conflicts with the slapd already installed from source: sudo apt-get remove slapd. Note how at the top of the error it says that what I was installing "is already the newest version", but the rest of the errors followed because of the slapd conflict.

Step 5 then failed with error:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

It can be fixed if slapd is started more specifically: sudo /usr/local/libexec/slapd -h ldapi:///

Everything was a mess! But here are some of the things I did despite the mess

  • Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
    1. Kill an existing slapd: ps -ef | grep slapd and then sudo kill -9 [the number on the left]
    2. Set up a new slapd: sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 (667, a bigger number, works; 389, a smaller number, wouldn't work.)
    3. Test if slapd is running by doing a search: ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret

Adding LDAP Entries

  • Then I created 2 new LDAP entries:
    • Create this file named example.ldif
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: HaoQiCompany
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
    • Note that the objectclass names cannot be changed, they have been predetermined
    • Add them: ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif
    • Search for them: ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
      result:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
  • An important thing I learned is that I can't put in entries at random. The object classes are all specified, and so are the attributes that come with each object class. For example, the objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these attributes: "description", "seeAlso", "telephoneNumber", and "userPassword".
  • With this knowledge, I made example3.ldif
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234
  • Add this entry: ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif
  • Now the search result for all object classes looks like this:
    ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
  • Search for just "person" object class: ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=person)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=person)
# requesting: ALL
#

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
  • Search for just one entry: ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' 'cn=HaoQi'. Note that the "cn=HaoQi" is not in the first set of single quotes.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=HaoQi
# requesting: ALL
#

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Starting LDAP

Starting from a specific IP address and port number:

sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:677 Note that it's "ldap", not "ldapi." The port number 677 was chosen arbitrarily.
To search to check that it works:
ldapsearch -h 127.0.0.1 -p 677 -x -D cn=manager,dc=example,dc=com -w secret

Starting from /:

sudo /usr/local/libexec/slapd -h ldapi:/// Note that it's "ldapi", not "ldap"
To search to check that it works:
ldapsearch -H ldapi:/// -x -D cn=manager,dc=example,dc=com -w secret

To kill a slapd and start again:

ps -ef | grep slapd, and look for the leftmost number (the PID)
sudo kill -9 [left most number]

Things I had to fix

  • I first did step 9 without doing step 8. So I got a kdb5_ldap_util not found error, and the computer recommended that I install krb5-kdc-ldap. DON'T DO THAT! It is not what I want for krb5 development; I want it to run from the build (step 8). So I had to do sudo apt-get remove krb5-kdc-ldap. In the end, the kdb5_ldap_util we want should be in /usr/local/sbin/kdb5_ldap_util
  • @ step 8. while doing ./configure --with-ldap it stopped with this:
ERROR: configure: error: libldap not found or missing ldap_init.
Greg told me to check if /usr/lib/libldap.so exists, and it does. Then I looked at config.log from the ./configure: Here are chunks of it, found in the middle of the log:
configure:24570: checking for ldap_init in -lldap
configure:24605: gcc -o conftest -g -O2 conftest.c -lldap -lresolv >&5
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_pvt_sb_do_write@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_free@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_skip_data@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_reset@OPENLDAP_2.4_2'
... 50 more lines like so ...
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_sockbuf_alloc@OPENLDAP_2.4_2'
collect2: ld returned 1 exit status
configure:24612: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.7-prerelease"
| #define PACKAGE_STRING "Kerberos 5 1.7-prerelease"
| #define PACKAGE_BUGREPORT "krb5-bugs@mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
... continues ...
| #define HAVE_GETHOSTBYNAME_R 1
| #define HAVE_GETSERVBYNAME_R 1
| #define HAVE_GMTIME_R 1
| #define HAVE_LOCALTIME_R 1
| #define HAVE_LDAP_H 1
| #define HAVE_LBER_H 1
| /* end confdefs.h. */
|
| /* Override any GCC internal prototype to avoid an error.
| Use char because int might match the return type of a GCC
| builtin and then its argument prototype would still apply. */
| #ifdef __cplusplus
| extern "C"
| #endif
| char ldap_init ();
| int
| main ()
| {
| return ldap_init ();
| ;
| return 0;
| }
configure:24633: result: no
configure:24638: error: libldap not found or missing ldap_init
So Greg says: "I think maybe your OpenLDAP source installation in /usr/local/lib is messing up the system library." So it might be better if I start a new Ubuntu virtual machine without being stupid and compiling the entire OpenLDAP.
NOTE: One of the solutions is to change the default configuration from /usr/local/lib to /usr/lib   in /etc/ld.so.conf.d/libc.conf. Then run /sbin/ldconfig. 

Starting Over

I ran into some more troubles. So I decided to start again, with a brand new virtual machine

The numbered lines (1: to 9:, bold in the original) are for LDAP. The others are for building krb5 from source in general.

  • To start again if you screwed up anywhere, do make distclean if you want to remove "make" or make clean if you don't want to remove "make" (sometimes you have to do rm config.cache), and then proceed to util/reconf
  • Stuff you need to install for the krb5 build
    • subversion: sudo apt-get install subversion
    • autoconf: sudo apt-get install autoconf
    • sudo apt-get install ncurses-dev
    • yacc: sudo apt-get install byacc
  • svn checkout svn://anonsvn.mit.edu/krb5/trunk
  • Navigate to trunk/src
  • util/reconf
  • 1: sudo apt-get install slapd
  • 2: sudo apt-get install ldap-utils
  • 3: Navigate to /etc/ldap/schema and then do: sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema .
  • 4: sudo vim /etc/default/slapd and change SLAPD_SERVICES to: SLAPD_SERVICES="ldapi:///" to restrict access to the local machine
  • 5: Test to see if it works by: ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com
  • 6: sudo apt-get install libldap2-dev
  • 8: ./configure --with-ldap Skipping step 7 intentionally. It can be done later. If you are not doing ldap stuff, just do ./configure
  • make
  • sudo make install

(I didn't do make check)

  • 7: Change kdc.conf according to 7. above
  • 9: To run it: sudo /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s

Figuring out stuff

/etc/ldap/schema/kerberos.schema
  • Create this file:
sudo vim /etc/ldap/schema/schema_testing.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
  • Make the temp dir to hold output:
mkdir /tmp/ldifoutput
  • Convert schema --> LDIF with slaptest:
slaptest -f schema_testing.conf -F /tmp/ldifoutput
  • Edit /tmp/ldifoutput/cn=config/cn=schema/cn={8}kerberos.ldif
sudo vi /tmp/ldifoutput/cn\=config/cn\=schema/cn\=\{8\}kerberos.ldif
change dn: cn={8}kerberos into
dn: cn=kerberos,cn=schema,cn=config

change cn: {8}kerberos into
cn: kerberos

remove lines:
structuralObjectClass: olcsch... 
till end
  • Start the slapd:
sudo slapd -h ldapi:/// -F /etc/ldap/slapd.d/
The "-F" is for the slapd config directory

LDAP notes

  • Man pages
    • good man page: http://docs.sun.com/app/docs/doc/816-5166/kdb5-ldap-util-1m?a=view
    • another one: http://linux.die.net/man/8/kdb5_ldap_util
  • If you can't start slapd, try sudo
  • Debug level, -d # (see http://www.openldap.org/doc/admin21/runningslapd.html):
Level   Description
-1      enable all debugging
0       no debugging
1       trace function calls
2       debug packet handling
4       heavy trace debugging
8       connection management
16      print out packets sent and received
32      search filter processing
64      configuration file processing
128     access control list processing
256     stats log connections/operations/results
512     stats log entries sent
1024    print communication with shell backends
2048    print entry parsing debugging
  • src/kadmin/dbutil/kdb5_ldap_util
  • src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util

Ldap notes (from notes I saved elsewhere)

1. Information about the system

- packages

  • Version of ubuntu
      lsb_release -a
      No LSB modules are available.
      Distributor ID:        Ubuntu
      Description:        Ubuntu 9.04
      Release:        9.04
      Codename:        jaunty
  • Version of slapd: 2.4.15 (Mar 19 2009)
      slapd -V
      @(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
      buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
  • Version of ldap-utils: 2.4.15
      dpkg -l ldap-utils

2. Kerb Schema Operations

loosely following section 6.4

kerberos.schema schema --> ldif populate all the directories

3. ldap/slapd configuration changes

take out lines, modify lines

4. Extract krb conf files

5. Env

6. Build kerb. config

  • You'll need a test OpenLDAP server. To get this, you'll need to install the slapd package (for the server program) and the ldap-utils package (for ldapsearch). You can set the "domain" of your LDAP server using "sudo dpkg-reconfigure slapd". I will assume example.com below. I believe this will also prompt you for an admin password.
  • You'll need to copy kerberos.schema from the source tree (src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema) into /etc/ldap/schema.
  • In /etc/default/slapd, search for SLAPD_SERVICES and set it to:
      SLAPD_SERVICES="ldapi:///"
This will restrict access to the local machine.
  • You may want to get familiar with the ldapsearch program. Here's an example of how to use it against the test server installed above:

ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com

This command displays all of the entries in your LDAP database. The -H option and argument indicate the URI of the LDAP server; ldapi:/// means "a Unix-domain socket on the local machine". -x means to use simple authentication and -W means to prompt for a password (the admin password you chose previously). The -D option and argument specify the "bind DN", which you can think of as a username. The -LLL option shortens the output format a bit; you can leave that out if you want. The -b option specifies the base of the query; in this case, the whole thing. It's also worth reading the man page for the meaning of the -s option (restrict the scope of the query) and for the filter syntax.
  • To build Kerberos with LDAP back end support, you need to install the libldap2-dev package, and configure with --with-ldap.
  • Configuring your KDC is similar to setting up a normal KDC, but your dbmodule directive will look something like this:

[dbmodules]
  LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
    ldap_kdc_dn = cn=admin,dc=example,dc=com
    ldap_kadmind_dn = cn=admin,dc=example,dc=com
    ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
    ldap_servers = ldapi:///
  }

(In a real deployment, you would probably create user DNs for the KDC and kadmin rather than using the admin DN, and grant them the minimum necessary access. But creating users in an OpenLDAP database didn't appear straightforward to me, so I skipped that step in my testing.)
  • When you create your database, instead of using kdb5_util, you use kdb5_ldap_util, like so:

kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
-r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s

You'll have to enter your OpenLDAP admin password, which will be stored in the admin.stash file for use by the KDC and kadmind.

There is more information in the krb5 admin guide (see the doc subdir of your source tree).
