User talk:Haoqili

(I moved the notes I had from my personal wiki here. I'm destroying my personal wiki.)

Thanks to Tom, Zhanna, Greg, and Will for helping me find the solutions.<br>

<strong>I can, I can!</strong>

==Things to do==
* figure out why:
<pre>
My password for ldap is "a". I have tried both upper and lower cases, but I always get:

$ /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -w a -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
kdb5_ldap_util: Invalid credentials while initializing database
</pre>

and this:

<pre>
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL =b dc=example,dc=com
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
</pre>

* make keystash in mkm py the right place

==Kerberos Little Bugs I've encountered and fixed (started logging since Jun 24th).==
* When trying to ''kinit username''
: ERROR: ''kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials''
: SOLUTION: make sure the KDC is running: ''/usr/local/sbin/krb5kdc''
: SOLUTION: 1. check the log file. I looked in /var/log/auth.log. The bottom of it says: ''Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exists''. 2. ''sudo rm /var/tmp/krb5kdc_rcache''.
* Can't start krb5kdc and in auth.log it says:
: ERROR: ''Address already in use - Cannot bind server socket to port [#] address [IP address]''
: ERROR: ''<open file '<fdopen>', mode 'rb' at 0x9a38660>''
: SOLUTION: 1. see if it is true that port [#] is in use by ''netstat -nap | grep [#]'' (I also did ''pgrep -x krb5kdc''). 2. kill the process: ''pkill -x krb5kdc''. Note the "-x" is for matching exactly the process name "krb5kdc".
* When changing the password with ''kpasswd'': ''Cannot contact any KDC for realm [your realm fqdn]''
* and/or can't start kadmind (known because ''echo $?'' = 1). The last chunk of auth.log says:
: ERROR:
::<pre>
::kadmind[6924]: No dictionary file specified, continuing without one.
::kadmind[6924]: setting up network...
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
::kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
::kadmind[6924]: skipping unrecognized local address family 17
::kadmind[6924]: skipping unrecognized local address family 17
::kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
::kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
::kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
::kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
::kadmind[6924]: set up 0 sockets
::kadmind[6924]: no sockets set up?
::</pre>
: Reason (provided by tlyu): It is trying to bind to a privileged port. You need to give it a different port number. Actually, two different port numbers: one for password changing and one for normal kadmin.
: SOLUTION:
::<pre>
::In kdc.conf insert the last two lines here:
::
::kdc_ports = 8888
::kpasswd_port = 8887
::kadmind_port = 8886
::</pre>

::<pre>
::In krb5.conf modify/insert the lines:
::
::admin_server = yourComputerName.domain:8886
::kpasswd_server = yourComputerName.domain:8887
::</pre>
+ | |||
* Purge key (''kdb5_util purge_mkeys'') gives an error
: ERROR:
::<pre>
::kdb5_util: Invalid argument while updating actkvno data for master principal entry
::</pre>
: SOLUTION:
::<pre>
:: #you must activate the keys that have not been "used" like this:
:: kdb5_util use_mkey kvno [time]
:: #i.e. kdb5_util use_mkey 2 'now+2days'
::</pre>

* When running a kadmin command, it fails with an "Operation requires xx privilege" error
: ERROR:
::<pre>
:: $ kadmin -p haoqili/admin -w test123 -q 'listprincs'
:: Authenticating as principal haoqili/admin with password.
:: get_principals: Operation requires ``list'' privilege while retrieving list.
::</pre>
: SOLUTION:
: I hadn't created my acl file yet. In kdc.conf, I have specified ''acl_file = /home/haoqili/kdcfiles/kadm5.acl'' and now I need to create the kadm5.acl:
::<pre>
:: #kadm5.acl, setting up my "admin" principal with all rights, i.e. *
:: haoqili/admin *
::</pre>
: Also, before I created the kadm5.acl, I used ''echo $?'' to check the command. However, it gave me a 0 even though there was output on stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
:: P.S. I later changed the line in my acl file to be ''*/admin *'' to allow others

==Python Bugs I've encountered and fixed==

* When talking to the terminal shell, a command (in my case, ''kdb5_util add_mkey'') asks for the password twice (the second time is confirmation). I first tried:
::<pre>
::p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
::(out, err) = p.communicate('password')
::(out2, err2) = p.communicate('password')
::</pre>
:When I ran it, I got a chunk of errors that ends with: ''ValueError: I/O operation on closed file''. What happens is that communicate() closes the pipe, so the second call breaks (even if the command only ran once). <br>
:Solution code:
::<pre>
::p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
::p.stdin.write('password'+'\n')
::p.stdin.write('password'+'\n')
::</pre>
:Note: don't forget the newline at the end.
==Tips. Useful little things to know==
=== Kerberos ===
* [http://web.mit.edu/kerberos/krb5-1.7/krb5-1.7/doc/krb5-admin.html Good link]
* '' kadmin.local -q 'modprinc +needchange [princname]' '': the flag ''needchange'' forces the principal to change its password upon kinit.
* '' kadmin.local -q 'modprinc -policy [policyname] [princname]' '' sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords have not been used before.
* There is a bug in the code (6507): kdb5_util update_princ_encryption uses latest mkey instead of mkey
* AES has replaced Triple DES, but there are still places that have Triple DES set as the default (such as in ''klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile]'')
* Test date. Navigate to src/kadmin/cli
** delete 2nd argument in main of getdate.y
** ''rm getdate.c''
** ''make getdate.c''
** ''gcc -o datetest -DTEST getdate.c -I../../include''
** ./datetest
* ''kadmind -nofork'' is useful in python because it keeps kadmind in the foreground, so the script can wait for it to be ready before starting later processes, which then don't time out.
::<pre>
::l0b = self.parentpath+'kadmind -nofork'
::pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
::print "kadmind -nofork"
::while (True):
::    l = pl0b.stderr.readline()
::    if l.find("starting") > -1: #for kadmind: starting ...
::        print l.strip()
::        break
::</pre>

=== Ubuntu ===
* Change computer name: <code>gksudo gedit /etc/hostname</code>
* Change Colors
** Changing the color of the background is easy. Just go to "Edit" and "Profile Preferences"
** Changing the color of the prompt line is more difficult. [http://ubuntuforums.org/showthread.php?t=614743 Here is a good guide], but it is in a lot more detail than I needed. You can read that if you don't want the prompt color to be green or want to know how it works. But most basically:
**# Navigate to home. <code>cd ~/</code>
**# <code>vim .bashrc</code>
**# Un-comment <code>#force_color_prompt=yes</code> by deleting the #
**# Open a new terminal to see the result
** I have:
<pre>
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

# ANSI color codes
RS="\[\033[0m\]"    # reset
HC="\[\033[1m\]"    # hicolor
UL="\[\033[4m\]"    # underline
INV="\[\033[7m\]"   # inverse background and foreground
FBLK="\[\033[30m\]" # foreground black
FRED="\[\033[31m\]" # foreground red
FGRN="\[\033[32m\]" # foreground green
FYEL="\[\033[33m\]" # foreground yellow
FBLE="\[\033[34m\]" # foreground blue
FMAG="\[\033[35m\]" # foreground magenta
FCYN="\[\033[36m\]" # foreground cyan
FWHT="\[\033[37m\]" # foreground white
BBLK="\[\033[40m\]" # background black
BRED="\[\033[41m\]" # background red
BGRN="\[\033[42m\]" # background green
BYEL="\[\033[43m\]" # background yellow
BBLE="\[\033[44m\]" # background blue
BMAG="\[\033[45m\]" # background magenta
BCYN="\[\033[46m\]" # background cyan
BWHT="\[\033[47m\]" # background white

if [ "$color_prompt" = yes ]; then
    # PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;32m\]\w\[\033[00m\]\$ '

    #PS1="[ ${debian_chroot:+($debian_chroot)}\u: \w ]\\$ "
    #PS2="> "
    #PS1=" $FRED${debian_chroot:+($debian_chroot)}"
    #PS2="> "
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
</pre>
* Change root password:
** Reboot
** ESC to Recovery Mode
** (wait)
** click: root Drop to root shell prompt
** <code>ls /home</code>
** <code>passwd ''username''</code>
** change your password
** <code>exit</code>
** click: resume
* The Caps Lock light is reversed.
: Reset Caps Lock: <code>xmodmap -e "remove Lock = Caps_Lock"</code> and then <code>xmodmap -e "add Lock = Caps_Lock"</code>

=== Shell ===
* [http://www.unixprogram.com/grep/using_egrep.html grep vs. egrep]
::<pre>
::The following characters have special meanings in grep or egrep:
::
:: In egrep:
:: | ^ $ . * + ? ( ) [ { } \
:: In grep:
:: ^ $ . * \( \) [ \{ \} \
::</pre>

* 0 = STDIN, 1 = STDOUT, 2 = STDERR. For example, '' blah 2> /dev/null'' sends blah's STDERR to /dev/null

* > overwrites, >> appends
:: not see what's being written: ''ksh filename > writefilename 2>&1''; the 2>&1 writes the errors as well
:: see what's being written: ''ksh filename 2>&1 | tee writefilename''

* ksh: typeset'ing vars in a function makes those vars local to the function.

* Avoid typing in the sudo password every time:
*: Edit <code>/etc/sudoers</code> such that under the line <code> root ALL=(ALL) ALL</code>, this line is added: <code> [username] ALL=(ALL) ALL</code>

* Add a path as the first option in PATH
*: e.g. slapd's path. Currently when you do <code>echo $PATH</code>, <code>/usr/local/sbin</code> shows in front. I want to add <code>/usr/local/libexec</code>.<br>
<pre>
export PATH=/usr/local/libexec:$PATH
</pre>
:: Now I have <code>/usr/local/libexec</code> as the first option under <code>echo $PATH</code>

* <code>pkill</code> doesn't always work. Use <code>pkill -9</code> or <code>pkill -15</code> instead. Same with <code>sudo kill</code>.

* A Debugger! :D <code>gdb [command]</code>

=== Python ===
<br>Common Stuff
* Cannot do ''[print line for line in linelist]''; you must have a function that prints the line, call it printl(), and do ''[printl(line) for line in linelist]''

More Specific Stuff
*''p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)''
:''(out, err) = p.communicate('inputThing\n')'' <-- don't forget the return "\n" at the end!
* When you're doing a bunch of p=Popen('shell command') be careful, because Popen starts a new process, so the next Popen might start without the previous one having completed. To fix this problem, put in:
::<pre>
::import sys
::if int(p.wait()) != 0: #meaning that it did not execute successfully
::    print "error message"
::    sys.exit(1)
::</pre>
* Two ways to display outputs after Popen( a command that has to get into something, in my case, getting into kadmin.local) 06262009
:Way 1:
::<pre>
::p = Popen(['command', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local', '-q', 'listprincs']
::if int(p.wait()) != 0:
::    print p.stdout.readlines()
::</pre>
:Way 2:
::<pre>
::p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) #e.g. ['kadmin.local']
::(out, err) = p.communicate('rest of command') #e.g. 'listprincs'
::print out
::</pre>

* To avoid typing in a chunk of common code every time, i.e.
:: ''p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)''
:this can be changed to:
::<pre>
:: s = {'stdin': PIPE, 'stdout': PIPE, 'stderr': PIPE}
:: p = Popen(cmd, **s)
::</pre>

* For putting in a shell command directly, you can turn on shell=True. Note the command here can be a single string, not split up.
:: '' p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE) ''

* p.stdout.readlines() can be read only once

* Print current time in python:
::<pre>
:: from time import strftime
:: print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
::</pre>
: Output: ''current time: 2009-07-06 22:00:54''

* Sleep for 7 seconds.
::<pre>
:: import time
:: time.sleep(7)
::</pre>

* Popen( env=blah ): this argument only needs to be specified when the environment is changing

* To terminate a while loop after 3 seconds do: <code>while time.clock() < 3: blah</code>; remember to <code>import time</code>
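An added example (not from the original page) that ties the ''kadmind -nofork'' readline loop from the Kerberos tips together with the timed loop above: it waits for a daemon's "starting" line on stderr, but with a wall-clock deadline so a daemon that never starts cannot hang the script. It uses time.monotonic() rather than time.clock(), because time.clock() measured CPU time on Unix (a loop sleeping on I/O barely advances it) and was removed in Python 3.8. The child process is a constructed stand-in that announces itself the way kadmind -nofork does; the names wait_for_line and start_daemon are mine.

```python
"""Added example: wait for a daemon's banner line with a wall-clock timeout."""
import os
import selectors
import subprocess
import sys
import time

# Constructed stand-in daemon: prints a kadmind-like banner to stderr after
# the delay given as argv[1], then keeps "serving" until killed.
FAKE_DAEMON = r'''
import sys, time
delay = float(sys.argv[1])
sys.stderr.write("kadmind: No dictionary file specified, continuing without one.\n")
sys.stderr.flush()
time.sleep(delay)
sys.stderr.write("kadmind: starting...\n")
sys.stderr.flush()
time.sleep(30)
'''


def wait_for_line(proc, needle, timeout):
    """Read proc.stderr line by line until a line contains `needle`.
    Returns that line (stripped), or None if the deadline passes or the
    child closes stderr first.  Reads the raw fd so select() and the line
    buffer can never disagree about what has already arrived."""
    deadline = time.monotonic() + timeout
    fd = proc.stderr.fileno()
    buf = b""
    sel = selectors.DefaultSelector()
    sel.register(fd, selectors.EVENT_READ)
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0 or not sel.select(timeout=remaining):
                return None                       # deadline passed
            chunk = os.read(fd, 4096)
            if not chunk:
                return None                       # child closed stderr
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                text = line.decode("utf-8", "replace")
                if needle in text:
                    return text.strip()
    finally:
        sel.close()


def start_daemon(delay, timeout=5.0):
    """Spawn the stand-in, wait up to `timeout` seconds for its banner, and
    always tear it down.  Returns the banner line or None on timeout."""
    cmd = [sys.executable, "-u", "-c", FAKE_DAEMON, str(delay)]
    with subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE) as proc:
        try:
            return wait_for_line(proc, "starting", timeout)
        finally:
            proc.kill()


if __name__ == "__main__":
    print("fast daemon :", start_daemon(0.2))
    print("stuck daemon:", start_daemon(3.0, timeout=0.5))
```

For the real kadmind, the same call becomes `Popen([kadmind_path, "-nofork"], ...)` with the process left running instead of killed; the point is that the wait is bounded either way.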

* Kadmin's wait() number (exit status) failed to point out that there is an error. The chunk below was generated when I tested it manually. It clearly points out that the acl file is missing (documented before).
<pre>
$ kadmin -p haoqili/admin -w test123 -q 'getprinc test'
Authenticating as principal haoqili/admin with password.
get_principal: Operation requires ``get'' privilege while retrieving "test@K.MIT.EDU".
</pre>
: What I saw in the output of the test was just the line "Authenticating ...", because wait() = 0 and I only printed out stdout. However, the last line was in stderr. So I asked Tom if the existence of a stderr message is a better indicator of the success/failure of a command compared to the exit number. The answer is "not necessarily".
:Tom: Some programs write things to stderr even when there's not an error.<br>
:Me: why would they do that?<br>
:Tom: various reasons. sometimes prompts are written to stderr so they won't end up in redirected output by default.

* Ordering of stdout/stderr messages:
: Tom: if you use separate pipes for stderr and stdout, you may get the relative ordering of the messages mixed up if you print all stdout, then print all stderr.
: Me: right now I have stdin=PIPE, stdout=PIPE, stderr=PIPE. Is this separate pipes or the same pipe?
: Tom: separate pipes, i think.
: Tom: so to get program output in order, i would make stderr=STDOUT when creating the subprocess, and check the value of wait()
<pre>
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,
          stderr=PIPE)

This gives all outputs together, and all errors together

= = =

p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE,
          stderr=STDOUT)

This gives the outputs and errors in the order they come.
</pre>

== MKM Errors Put Aside ==
* Adding the 1058th master key gives a memory error

* getdate.y has problems:
::<pre>
::/trunk/src/kadmin/cli$ ./datetest
::Enter date, or blank line to exit.
:: > 6 months
::Sat Jan 9 14:22:36 2010
:: > 12/31/2009
::Wed Dec 30 23:00:00 2009
:: > 07/10/2009
::Thu Jul 9 23:00:00 2009
:: > 01/01/2009
::Wed Dec 31 23:00:00 2008
:: > 01/01/2009 00:00:00
::Wed Dec 31 23:00:00 2008
::</pre>

* Phantom list_mkey error after adding ''-e aes128-cts-hmac-sha1-96''. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
:<pre>
::for lines 283-289:
::print "Testing add_mkey with aes128 enctype
::=============================================="
::kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
::abcde
::abcde
::EOF
::kdb5_util list_mkeys
::print "Testing add_mkey with aes128 enctype done
::=============================================="
::
::The list_mkeys at the bottom is giving the following error:
::
::kdb5_util: Unable to decrypt latest master key with the provided master key
:: while getting master key list
::kdb5_util: Warning: proceeding without master key list
::kdb5_util: master keylist not initialized
:</pre>

== Getting LDAP Running ==

[http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6.3/doc/krb5-admin.html#Configuring-Kerberos-with-OpenLDAP-back_002dend configure kerberos with LDAP backend]

[http://quark.humbug.org.au/publications/ldap/ldap_tut.html Nice looking LDAP tutorial]

* (DON'T FOLLOW THESE STEPS, THEY WILL CAUSE CONFLICTS; follow Greg's steps) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html
* Install BerkeleyDB
** Download berkeleydb4.7
** cd to folder
** ''cd build_unix'' (on my Ubuntu)
** ''../dist/configure''
** ''make''
** ''sudo make install''
* Install OpenLDAP
** ''./configure'' (fails)
:ERROR: BDB/HDB: BerkeleyDB not available
:Fixed: ''CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include"'' then ''export CPPFLAGS''
:* ''./configure''
:* ''make depend''
:* ''make'' (fails)
:ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
:FIXED: ''CPPFLAGS=-D_GNU_SOURCE'' then ''export CPPFLAGS''
:* ''make''
:* ''make test'' (takes a while)
:* ''sudo make install'' (installed in /usr/local/etc/openldap)
* Change configuration file at /usr/local/etc/openldap/slapd.conf
:* <my-domain> <-- example
:* <com> <-- com
:* password is still "secret"
:* cn is still "Manager"
* Start SLAPD: ''sudo /usr/local/libexec/slapd''
** Check if it works by a search: ldapsearch blah
* Add entries. Consult link above.

What I should have done. Faster, simpler. <b>Directions given by Greg Hudson.</b><br>
<b>1.</b> ''sudo apt-get install slapd'' (for the server program)<br>
<b>2.</b> ''sudo apt-get install ldap-utils'' (for ldapsearch)<br>
<b>3.</b> copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema<br>
<b>4.</b> In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine<br>
<b>5.</b> ldapsearch test:<br>
:: ''ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com''
:::''-H ldapi:///'' indicates the URI of the LDAP server
:::''-x'' simple authentication
:::''-W'' password prompt
:::''-D cn=Manager,dc=example,dc=com'' specifies the "bind DN", like a username
:::''-LLL'' shortens output
:::''-b'' specifies the base of the query to restrict its scope<br>
<b>6.</b> ''sudo apt-get install libldap2-dev''<br>
<b>7.</b> Modify kdc.conf to include:
<pre>
[dbmodules]
LDAP = {
    db_library = kldap
    ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
    ldap_kdc_dn = cn=admin,dc=example,dc=com
    ldap_kadmind_dn = cn=admin,dc=example,dc=com
    ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
    ldap_servers = ldapi:///
}
</pre>
<b>8.</b> Build krb5 from source with a different configure command: <code>./configure --with-ldap</code><br>
<b>9.</b> Create your database not with <code>kdb5_util</code>, but with <code>kdb5_ldap_util</code> like this:
<code>kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s</code>

<p>At the end of step 6: I thought I didn't have to do steps 1 and 2 since I had installed the whole thing from source. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following <br>
ERROR:
<pre>$ sudo apt-get install slapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
slapd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 169 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up slapd (2.4.15-1ubuntu3) ...
Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.FZDOiAlAPo) failed with the following
error while running slapadd:
str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=16)
dpkg: error processing slapd (--configure):
subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
</pre>

It's okay, the previously missing /etc/default/slapd now exists, so I can do step 4.

SOLUTION: I fixed this error by removing the packaged slapd to avoid conflicts with the slapd already installed from source: <code>sudo apt-get remove slapd</code>. Note how at the top of the error it says that whatever I was installing "is already the newest version", but the rest of the output appeared because of the slapd conflict.</p>

Step 5 then failed with error:
<pre>ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)</pre>

It can be fixed if slapd is started more specifically:
''sudo /usr/local/libexec/slapd -h ldapi:///''

=== Everything was a mess! But here are some of the things I did despite the mess ===

* Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
*# Kill an existing slapd: <code> ps -ef | grep slapd </code> and then <code> sudo kill -9 [the left side number]</code>
*# Set up new slapd: <code> sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667 </code> (667, a bigger number, works; 389, a smaller number, wouldn't work.)
*# Test if slapd is running by doing a search: <code> ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret</code>

==== Adding LDAP Entries ====

* Then I created 2 new LDAP entries:
** Create this file named <code>example.ldif</code>
<pre>
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: HaoQiCompany
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
</pre>
**:Note that the objectclass names cannot be changed; they have been predetermined
** Add them: <code> ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif</code>
** Search them: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'</code>
**: result:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
</pre>

* An important thing I learned is that I can't randomly put in attributes. The object classes are all specified, and so are the attributes that come with each object class. For example, the objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these attributes: "description", "seeAlso", "telephoneNumber", and "userPassword."
** I ran into some errors when I followed the examples for adding "person" on some websites because they included a "title" attribute, which is not allowed
** [http://www.it.ufl.edu/projects/directory/ldap-schema/oc-PERSON.html Here is where I learned which attributes are allowed]
* With this knowledge, I made <code> example3.ldif</code>
<pre>
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234
</pre>
* Add this entry: <code> ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif</code>
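To catch the "title is not allowed" mistake before ldapadd rejects the file, here is an added example (not from the original page) with a minimal LDIF reader and a checker for the "person" rules listed above: sn and cn are required, description, seeAlso, telephoneNumber and userPassword are optional, anything else is rejected. The SCHEMA table covers only the object classes used on this page and is an assumption written for the example, not a copy of OpenLDAP's core.schema; example3.ldif is the page's file, BAD_LDIF is a constructed entry with the offending attribute.

```python
"""Added example: a tiny LDIF parser plus a MUST/MAY attribute check."""

# MUST / MAY attribute sets per object class (lowercase), limited to the
# classes used on this page; an assumption for the example, not OpenLDAP's
# real schema files.
SCHEMA = {
    "person": ({"sn", "cn"},
               {"description", "seealso", "telephonenumber", "userpassword"}),
    "organizationalrole": ({"cn"}, {"description", "seealso", "telephonenumber"}),
    "dcobject": ({"dc"}, set()),
    "organization": ({"o"}, {"description", "telephonenumber", "seealso"}),
}

# example3.ldif from the page.
EXAMPLE3_LDIF = """\
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234
"""

# Constructed entry repeating the mistake from the web examples.
BAD_LDIF = """\
dn: cn=Some One,dc=example,dc=com
objectclass: person
cn: Some One
sn: One
title: Intern
"""


def parse_ldif(text):
    """Return a list of entries, each {attribute (lowercase): [values]}.
    Handles blank-line separation, '#' comments and folded continuation
    lines; base64 ('::') values are kept as-is rather than decoded."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith(" ") and last is not None:     # folded line
            current[last][-1] += raw[1:]
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("not an LDIF line: %r" % raw)
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_entry(entry):
    """Return a list of problems; an empty list means the entry is acceptable."""
    problems = []
    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "dn" not in entry:
        problems.append("missing dn")
    if not classes:
        return problems + ["missing objectclass"]
    must, may = set(), set()
    for cls in classes:
        if cls not in SCHEMA:
            problems.append("unknown objectclass %s" % cls)
            continue
        must |= SCHEMA[cls][0]
        may |= SCHEMA[cls][1]
    for attr in sorted(must - set(entry)):
        problems.append("missing required attribute %s" % attr)
    allowed = must | may | {"dn", "objectclass"}
    for attr in sorted(set(entry) - allowed):
        problems.append("attribute %s not allowed by %s" % (attr, ",".join(classes)))
    return problems


def check_ldif(text):
    """Map each entry's dn to its list of problems."""
    return {e.get("dn", ["?"])[0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    print(check_ldif(EXAMPLE3_LDIF))
    print(check_ldif(BAD_LDIF))
```

Auxiliary classes (inetOrgPerson and the like) add attributes such as title and mail; extend SCHEMA from the server's own schema files if the entries use them.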
+ | |||
+ | * Now, the search result of all object classes look like this: |
||
+ | *:<code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'</code> |
||
+ | <pre> |
||
+ | # extended LDIF |
||
+ | # |
||
+ | # LDAPv3 |
||
+ | # base <dc=example,dc=com> with scope subtree |
||
+ | # filter: (objectclass=*) |
||
+ | # requesting: ALL |
||
+ | # |
||
+ | |||
+ | # example.com |
||
+ | dn: dc=example,dc=com |
||
+ | objectClass: dcObject |
||
+ | objectClass: organization |
||
+ | o: HaoQiCompany |
||
+ | dc: example |
||
+ | |||
+ | # Manager, example.com |
||
+ | dn: cn=Manager,dc=example,dc=com |
||
+ | objectClass: organizationalRole |
||
+ | cn: Manager |
||
+ | |||
+ | # Zhanna Tsitkova, example.com |
||
+ | dn: cn=Zhanna Tsitkova,dc=example,dc=com |
||
+ | objectClass: person |
||
+ | cn: Zhanna |
||
+ | cn: Zhanna Tsitkova |
||
+ | sn: Tsitkova |
||
+ | description: kind boss |
||
+ | telephoneNumber: 6171231234 |
||
+ | |||
+ | # HaoQi Li, example.com |
||
+ | dn: cn=HaoQi Li,dc=example,dc=com |
||
+ | objectClass: person |
||
+ | cn: HaoQi |
||
+ | cn: HaoQi Li |
||
+ | sn: Li |
||
+ | description: happy intern |
||
+ | telephoneNumber: 7031231234 |
||
+ | |||
+ | # search result |
||
+ | search: 2 |
||
+ | result: 0 Success |
||
+ | |||
+ | # numResponses: 5 |
||
+ | # numEntries: 4 |
||
+ | </pre> |
||
+ | |||
+ | *: Search for just "person" object class: <code> ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=person)'</code> |
||
+ | <pre> |
||
+ | # extended LDIF |
||
+ | # |
||
+ | # LDAPv3 |
||
+ | # base <dc=example,dc=com> with scope subtree |
||
+ | # filter: (objectclass=person) |
||
+ | # requesting: ALL |
||
+ | # |
||
+ | |||
+ | # Zhanna Tsitkova, example.com |
||
+ | dn: cn=Zhanna Tsitkova,dc=example,dc=com |
||
+ | objectClass: person |
||
+ | cn: Zhanna |
||
+ | cn: Zhanna Tsitkova |
||
+ | sn: Tsitkova |
||
+ | description: kind boss |
||
+ | telephoneNumber: 6171231234 |
||
+ | |||
+ | # HaoQi Li, example.com |
||
+ | dn: cn=HaoQi Li,dc=example,dc=com |
||
+ | objectClass: person |
||
+ | cn: HaoQi |
||
+ | cn: HaoQi Li |
||
+ | sn: Li |
||
+ | description: happy intern |
||
+ | telephoneNumber: 7031231234 |
||
+ | |||
+ | # search result |
||
+ | search: 2 |
||
+ | result: 0 Success |
||
+ | |||
+ | # numResponses: 3 |
||
+ | # numEntries: 2 |
||
+ | </pre> |
||
+ | |||
+ | *: Search for just one entry: <code>ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' 'cn=HaoQi'</code>. Note that the "cn=HaoQi" is not in the first set of single quotes. |
||
+ | <pre> |
||
+ | # extended LDIF |
||
+ | # |
||
+ | # LDAPv3 |
||
+ | # base <dc=example,dc=com> with scope subtree |
||
+ | # filter: cn=HaoQi |
||
+ | # requesting: ALL |
||
+ | # |
||
+ | |||
+ | # HaoQi Li, example.com |
||
+ | dn: cn=HaoQi Li,dc=example,dc=com |
||
+ | objectClass: person |
||
+ | cn: HaoQi |
||
+ | cn: HaoQi Li |
||
+ | sn: Li |
||
+ | description: happy intern |
||
+ | telephoneNumber: 7031231234 |
||
+ | |||
+ | # search result |
||
+ | search: 2 |
||
+ | result: 0 Success |
||
+ | |||
+ | # numResponses: 2 |
||
+ | # numEntries: 1 |
||
+ | </pre> |
||
+ | |||
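The extended-LDIF text that ldapsearch prints can be checked offline. The following is an added example (not code from this page): it parses a constructed copy of the <code>(objectclass=*)</code> result above into entries, keeps multi-valued attributes such as cn as lists, evaluates a single <code>(attribute=value)</code> filter the way the three searches above do, and reads back the numEntries trailer so the entry count can be verified.

```python
"""Parse ldapsearch's extended-LDIF output and apply a simple equality or
presence filter to it.  Added example, not code from the page; the sample
below is constructed from the entries shown above (abbreviated)."""
import re

# Constructed sample: the '(objectclass=*)' output from above, minus one entry.
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""


def parse_ldif(text):
    """Return (entries, reported_count).  Each entry maps the lower-cased
    attribute name to the list of its values (cn is multi-valued above, so a
    list is needed).  '#' lines are comments, a blank line ends an entry, a
    line starting with a space continues the previous line, and the
    'search:'/'result:' trailer is skipped because it has no dn."""
    entries, current, reported = [], None, None
    joined = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:
            joined[-1] += line[1:]      # LDIF continuation line
        else:
            joined.append(line)
    for line in joined:
        if line.startswith("#"):
            m = re.match(r"#\s*numEntries:\s*(\d+)", line)
            if m:
                reported = int(m.group(1))
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if current is None:
            if name != "dn":
                continue                # trailer line, not an entry
            current = {}
        current.setdefault(name, []).append(value.strip())
    if current:
        entries.append(current)
    return entries, reported


def matches(entry, attr, value):
    """Equality filter like 'cn=HaoQi', or presence filter when value is '*'.
    Attribute names are case-insensitive, and cn/objectClass use
    case-insensitive matching, so compare everything lower-cased; any one
    value of a multi-valued attribute is enough."""
    attr = attr.lower()
    if value == "*":
        return attr in entry
    return value.lower() in [v.lower() for v in entry.get(attr, [])]


def search(text, filt):
    """Apply one '(attr=value)' or 'attr=value' filter; return matching DNs."""
    attr, _, value = filt.strip("()").partition("=")
    entries, _ = parse_ldif(text)
    return [e["dn"][0] for e in entries if matches(e, attr.strip(), value.strip())]


def count_is_consistent(text):
    """True when the entries parsed agree with the '# numEntries:' trailer."""
    entries, reported = parse_ldif(text)
    return reported is not None and len(entries) == reported
```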
=== Starting LDAP ===

Starting from a specific IP address and port number:
: <code>sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:677</code> Note that it's "ldap", not "ldapi." The port number 677 was chosen arbitrarily.
: To search to check that it works:
: <code>ldapsearch -h 127.0.0.1 -p 677 -x -D cn=manager,dc=example,dc=com -w secret</code>

Starting on the local Unix-domain socket (ldapi:///):
: <code>sudo /usr/local/libexec/slapd -h ldapi:///</code> Note that it's "ldapi", not "ldap"
: To search to check that it works:
: <code>ldapsearch -H ldapi:/// -x -D cn=manager,dc=example,dc=com -w secret</code>

To kill a slapd and start again:
: <code>ps -ef | grep slapd</code> and look for the leftmost number (the PID)
: <code>sudo kill -9 [PID]</code>

=== Things I had to fix ===
* I first did step 9 without doing step 8. So I got a kdb5_ldap_util not found error, but I was recommended by the computer to install krb5-kdc-ldap. DON'T DO THAT! because it is not what I want for the krb5 development, I want it to be running from the build (step 8). So I had to do a <code>sudo apt-get remove krb5-kdc-ldap</code>. In the end, the kdb5_ldap_util we want should be in <code>/usr/local/sbin/kdb5_ldap_util</code>

* @ step 8. while doing <code>./configure --with-ldap</code> it stopped with this:<br>
:ERROR: <code>configure: error: libldap not found or missing ldap_init</code>. <br>
:Greg told me to check if /usr/lib/libldap.so exists, and it does. Then I looked at config.log from the ./configure. Here are chunks of it, found in the middle of the log:
<pre>
configure:24570: checking for ldap_init in -lldap
configure:24605: gcc -o conftest -g -O2 conftest.c -lldap -lresolv >&5
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_pvt_sb_do_write@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_free@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_skip_data@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_reset@OPENLDAP_2.4_2'
... 50 more lines like so ...
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_sockbuf_alloc@OPENLDAP_2.4_2'
collect2: ld returned 1 exit status
configure:24612: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.7-prerelease"
| #define PACKAGE_STRING "Kerberos 5 1.7-prerelease"
| #define PACKAGE_BUGREPORT "krb5-bugs@mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
... continues ...
| #define HAVE_GETHOSTBYNAME_R 1
| #define HAVE_GETSERVBYNAME_R 1
| #define HAVE_GMTIME_R 1
| #define HAVE_LOCALTIME_R 1
| #define HAVE_LDAP_H 1
| #define HAVE_LBER_H 1
| /* end confdefs.h. */
|
| /* Override any GCC internal prototype to avoid an error.
|    Use char because int might match the return type of a GCC
|    builtin and then its argument prototype would still apply. */
| #ifdef __cplusplus
| extern "C"
| #endif
| char ldap_init ();
| int
| main ()
| {
| return ldap_init ();
|   ;
|   return 0;
| }
configure:24633: result: no
configure:24638: error: libldap not found or missing ldap_init
</pre>

:So Greg says: "I think maybe your OpenLDAP source installation in /usr/local/lib is messing up the system library." So it might be better if I start a new Ubuntu virtual machine without being stupid and compiling the entire OpenLDAP.

NOTE: One of the solutions is to change the default configuration from /usr/local/lib to /usr/lib in /etc/ld.so.conf.d/libc.conf. Then run /sbin/ldconfig.

+ | |||
=== Starting Over ===
I ran into some more troubles, so I decided to start again with a brand new virtual machine.

The bolded lines are for ldap. The non-bolded ones are for a general build of krb5 from source.
* To start again if you screwed up anywhere, do <code>make distclean</code> if you want to remove "make" or <code>make clean</code> if you don't want to remove "make" (sometimes you have to do <code>rm config.cache</code>), and then proceed to <code>util/reconf</code>

* Stuff you need to install for the krb5 build
** subversion: <code>sudo apt-get install subversion</code>
** autoconf: <code>sudo apt-get install autoconf</code>
** <code>sudo apt-get install ncurses-dev</code>
** yacc: <code>sudo apt-get install byacc</code>
* <code>svn checkout svn://anonsvn.mit.edu/krb5/trunk</code>
* Navigate to trunk/src
* <code>util/reconf</code>
* 1: <code><b>sudo apt-get install slapd</b></code>
* 2: <code><b>sudo apt-get install ldap-utils</b></code>
* 3: <b>Navigate to /etc/ldap/schema and then copy the schema into it: <code>sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema .</code></b>
* 4: <b><code>sudo vim /etc/default/slapd</code> and change SLAPD_SERVICES to: <code>SLAPD_SERVICES="ldapi:///"</code> to restrict access to the local machine</b>
* 5: <b>Test to see if it works by: <code>ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com</code></b>
* 6: <b><code>sudo apt-get install libldap2-dev</code></b>
* 8: <b><code>./configure --with-ldap</code></b> Skipping step 7 intentionally. It can be done later. If you are not doing ldap stuff, just do <code>./configure</code>
* <code>make</code>
* <code>sudo make install</code><br>
(I didn't do <code>make check</code>)
* 7: <b> Change kdc.conf according to 7. above</b>
* 9: <b> To run it: <code>sudo /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s</code></b>

=== Figuring out stuff ===
* [https://help.ubuntu.com/9.04/serverguide/C/serverguide.pdf good guide]
** Locate the kerberos schema:
:: /etc/ldap/schema/kerberos.schema
:* Create this file:
:: sudo vim /etc/ldap/schema/schema_testing.conf
<pre>
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
</pre>
:* Make the temp dir to hold output:
:: mkdir /tmp/ldifoutput
:* Convert schema --> LDIF with slaptest:
:: slaptest -f schema_testing.conf -F /tmp/ldifoutput
:* Edit /tmp/ldifoutput/cn=config/cn=schema/cn={8}kerberos.ldif
:: sudo vi /tmp/ldifoutput/cn\=config/cn\=schema/cn\=\{8\}kerberos.ldif
<pre>
change dn: cn={8}kerberos into
dn: cn=kerberos,cn=schema,cn=config

change cn: {8}kerberos into
cn: kerberos

remove lines:
structuralObjectClass: olcsch...
till end
</pre>
:* Start the slapd
:: sudo slapd -h ldapi:/// -F /etc/ldap/slapd.d/
:: The "-F" is for slapd-config-directory
||
=== LDAP notes ===

* Man pages
** [http://docs.sun.com/app/docs/doc/816-5166/kdb5-ldap-util-1m?a=view good man page]
** [http://linux.die.net/man/8/kdb5_ldap_util another one]

* If you can't start slapd, try <code>sudo</code>
* [http://www.openldap.org/doc/admin21/runningslapd.html debug level, -d #] (the levels are bit flags, so several can be added together)
<pre>
Level Description
-1 enable all debugging
0 no debugging
1 trace function calls
2 debug packet handling
4 heavy trace debugging
8 connection management
16 print out packets sent and received
32 search filter processing
64 configuration file processing
128 access control list processing
256 stats log connections/operations/results
512 stats log entries sent
1024 print communication with shell backends
2048 print entry parsing debugging
</pre>

* src/kadmin/dbutil/kdb5_ldap_util
* src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util

== Ldap notes (from notes I saved elsewhere) ==
=== 1. Information about the system ===
- packages
* Version of Ubuntu
<pre>
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 9.04
Release: 9.04
Codename: jaunty
</pre>
* Version of slapd: 2.4.15 (Mar 19 2009)
<pre>
slapd -V
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
</pre>

* Version of ldap-utils: 2.4.15
<pre>
dpkg -l ldap-utils
</pre>

=== 2. Kerb Schema Operations ===
[https://help.ubuntu.com/9.04/serverguide/C/serverguide.pdf loosely following section 6.4]

[[kerberos.schema]]
schema --> ldif
populate all the directories

=== 3. ldap/slapd configuration changes ===
take out lines, modify lines

=== 4. Extract krb conf files ===

=== 5. Env ===

=== 6. Build kerb. config ===


* You'll need a test OpenLDAP server. To get this, you'll need to install the slapd package (for the server program) and the ldap-utils package (for ldapsearch). You can set the "domain" of your LDAP server using "sudo dpkg-reconfigure slapd". I will assume example.com below. I believe this will also prompt you for an admin password.

* You'll need to copy kerberos.schema from the source tree (src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema) into /etc/ldap/schema.

* In /etc/default/slapd, search for SLAPD_SERVICES and set it to:
<pre>
SLAPD_SERVICES="ldapi:///"
</pre>
This will restrict access to the local machine.

* You may want to get familiar with the ldapsearch program. Here's an example of how to use it against the test server installed above:
<pre>
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com
</pre>
This command displays all of the entries in your LDAP database. The -H option and argument indicate the URI of the LDAP server; ldapi:/// means "a Unix-domain socket on the local machine". -x means to use simple authentication and -W means to prompt for a password (the admin password you chose previously). The -D option and argument specify the "bind DN", which you can think of as a username. The -LLL option shortens the output format a bit; you can leave that out if you want. The -b option specifies the base of the query; in this case, the whole thing. It's also worth reading the man page for the meaning of the -s option (restrict the scope of the query) and for the filter syntax.

* To build Kerberos with LDAP back end support, you need to install the libldap2-dev package, and configure with --with-ldap.

* Configuring your KDC is similar to setting up a normal KDC, but your dbmodule directive will look something like this:
<pre>
[dbmodules]
    LDAP = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_dn = cn=admin,dc=example,dc=com
        ldap_kadmind_dn = cn=admin,dc=example,dc=com
        ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
        ldap_servers = ldapi:///
    }
</pre>
(In a real deployment, you would probably create user DNs for the KDC and kadmin rather than using the admin DN, and grant them the minimum necessary access. But creating users in an OpenLDAP database didn't appear straightforward to me, so I skipped that step in my testing.)

* When you create your database, instead of using kdb5_util, you use kdb5_ldap_util, like so:
<pre>
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
    -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
</pre>
You'll have to enter your OpenLDAP admin password, which will be stored in the admin.stash file for use by the KDC and kadmind.

There is more information in the krb5 admin guide (see the doc subdir of your source tree).
Latest revision as of 13:18, 23 March 2011
Thanks to Tom, Zhanna, Greg, and Will for helping me find the solutions.
我能, 我能!
Things to do
- figure out why:
My password for ldap is "a" I have tried both upper and lower cases, but I always get: $ /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -w a -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s kdb5_ldap_util: Invalid credentials while initializing database
and this:
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL =b dc=example,dc=com Enter LDAP Password: ldap_bind: Invalid credentials (49)
- make keystash in mkm py the right place
Kerberos Little Bugs I've encountered and fixed (started logging since Jun 24th).
- When trying to kinit username
- ERROR: kinit: Cannot contact any KDC for realm [your realm fqdn] while getting initial credentials
- SOLUTION: make sure KDC is running. /usr/local/sbin/krb5kdc
- SOLUTION: 1. check log file. I looked in /var/log/auth.log. The bottom of it says: Cannot create reply cache file /var/tmp/krb5kdc_rcache: File exits. 2. sudo rm /var/tmp/krb5kdc_rcache.
- Can't start krb5kdc and in auth.log it says:
- ERROR: Address already in use - Cannot bind server socket to port [#] address [IP address]
- ERROR: <open file '<fdopen>', mode 'rb' at 0x9a38660>
- SOLUTION: 1. see if it is true that port [#] is in use by netstat -nap | grep [#] (I also did pgrep -x krb5kdc). 2. kill the process: pkill -x krb5kdc. note the "-x" is for matching exactly the process "krb5kdc".
- When changing password 'kpasswd', Cannot contact any KDC for realm [your realm fqdn]
- and/or Can't start kadmind (know because echo $? = 1). The last chunk of auth.log says:
- ERROR:
- kadmind[6924]: No dictionary file specified, continuing without one.
- kadmind[6924]: setting up network...
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 0.0.0.0
- kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address ::
- kadmind[6924]: skipping unrecognized local address family 17
- kadmind[6924]: skipping unrecognized local address family 17
- kadmind[6924]: Permission denied - Cannot bind server socket to port 464 address 192.168.165.145
- kadmind[6924]: setsockopt(6,IPV6_V6ONLY,1) worked
- kadmind[6924]: Permission denied - Cannot bind TCP server socket on ::.464
- kadmind[6924]: Permission denied - Cannot bind RPC server socket on 0.0.0.0.749
- kadmind[6924]: set up 0 sockets
- kadmind[6924]: no sockets set up?
- Reason (provided by tlyu): It is trying to bind to a privileged port. you need to give it a different port number. actually, two different port numbers: one for password changing and one for normal kadmin.
- SOLUTION:
- In kdc.conf inserted the last two lines here
- kdc_ports = 8888
- kpasswd_port = 8887
- kadmind_port = 8886
- In krb5.conf modify/insert the lines:
- admin_server = yourComputerName.domain:8886
- kpasswd_server = yourComputerName.domain:8887
- Purge key (kdb5_util purge_mkeys) gives an error
- ERROR:
- kdb5_util: Invalid argument while updating actkvno data for master principal entry
- SOLUTION:
- #you must activate the keys that have not been "used" like this:
- kdb5_util use_mkey kvno [time]
- #i.e. kdb5_util use_mkey 2 'now+2days'
- when running a kadmin command. Runs into operation requires xx privilege error
- ERROR:
- $ kadmin -p haoqili/admin -w test123 -q 'listprincs'
- Authenticating as principal haoqili/admin with password.
- get_principals: Operation requires ``list'' privilege while retrieving list.
- SOLUTION:
- I didn't create my acl file yet. In kdc.conf, I have specified acl_file = /home/haoqili/kdcfiles/kadm5.acl and now I need to create the kadm5.acl
- #kadm5.acl, setting up my "admin" principal with all rights, i.e. *
- haoqili/admin *
- Also, before I created the kadm5.acl, I used echo $? to check the command. However, it gave me a 0 even though there were stderr. Tom says: "kadmin is meant to be an interactive program, so exit status might not be as meaningful."
- P.S. I later changed the line in my acl file to be */admin * to allow others
Python Bugs I've encountered and fixed
- When talking to the terminal shell, a command (in my case, kdb5_util add_mkey) asks for the password twice (the second time is confirmation). I first tried:
- p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- (out, err) = p.communicate('password')
- (out2, err2) = p.communicate('password')
- When I ran it, I got a chunk of error that ends with: ValueError: I/O operation on closed file. So what happens is that communicate closes the pipe, it breaks (even if it only runs once).
- Solution code:
- p = Popen(command.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
- p.stdin.write('password'+'\n')
- p.stdin.write('password'+'\n')
- Note don't forget the new line at the end.
Tips. Useful little things to know
Kerberos
- Good link
- kadmin.local -q 'modprinc +needchange [princname]' , the flag needchange forces the principal to change its password upon kinit.
- kadmin.local -q 'modprinc -policy [policyname] [princname]' Sets up a policy for the principal. This "policy" can store previous passwords and ensures that new passwords are not used before.
- There is a bug in the code 6507 kdb5_util update_princ_encryption uses latest mkey instead of mkey
- AES has replaced Triple DES, but there are still places that have Triple DES set as the default (such as in klist -ekt [path of stash, such as /home/haoqili/kdcfiles/keyStashFile])
- Test date. Navigate to src/kadmin/cli
- delete 2nd argument in main of getdate.y
- rm getdate.c
- make getdate.c
- gcc -o datetest -DTEST getdate.c -I../../include
- ./datetest
- kadmind -nofork is useful in python because it keeps kadmind in the foreground, so the script can wait until it reports it is running before starting later processes, and those don't time out:
l0b = self.parentpath+'kadmind -nofork'
pl0b = Popen(l0b.split(), stdin=PIPE, stdout=PIPE, stderr=PIPE)
print "kadmind -nofork"
while (True):
    l = pl0b.stderr.readline()
    if l.find("starting") > -1: # for kadmind: starting ...
        print l.strip()
        break
Ubuntu
- Change computer name:
gksudo gedit /etc/hostname
- Change Colors
- Changing the color of the background is easy. Just go to "Edit" and "Profile Preferences"
- Changing the color of the prompt line is more difficult. Here is a good guide, but it is in a lot more detail than I needed. You can read that if you don't want the prompt color to be green or want to know how it works. But most basically:
- Navigate to home:
cd ~/
- Edit .bashrc:
vim .bashrc
- Un-comment #force_color_prompt=yes by deleting the #
- Open a new terminal to see the result
- I have:
# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
force_color_prompt=yes

if [ -n "$force_color_prompt" ]; then
    if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
        # We have color support; assume it's compliant with Ecma-48
        # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
        # a case would tend to support setf rather than setaf.)
        color_prompt=yes
    else
        color_prompt=
    fi
fi

# ANSI color codes
RS="\[\033[0m\]"    # reset
HC="\[\033[1m\]"    # hicolor
UL="\[\033[4m\]"    # underline
INV="\[\033[7m\]"   # inverse background and foreground
FBLK="\[\033[30m\]" # foreground black
FRED="\[\033[31m\]" # foreground red
FGRN="\[\033[32m\]" # foreground green
FYEL="\[\033[33m\]" # foreground yellow
FBLE="\[\033[34m\]" # foreground blue
FMAG="\[\033[35m\]" # foreground magenta
FCYN="\[\033[36m\]" # foreground cyan
FWHT="\[\033[37m\]" # foreground white
BBLK="\[\033[40m\]" # background black
BRED="\[\033[41m\]" # background red
BGRN="\[\033[42m\]" # background green
BYEL="\[\033[43m\]" # background yellow
BBLE="\[\033[44m\]" # background blue
BMAG="\[\033[45m\]" # background magenta
BCYN="\[\033[46m\]" # background cyan
BWHT="\[\033[47m\]" # background white

if [ "$color_prompt" = yes ]; then
    # PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
    PS1='${debian_chroot:+($debian_chroot)}\[\033[01;31m\]\u@\h\[\033[00m\]:\[\033[01;32m\]\w\[\033[00m\]\$ '
    #PS1="[ ${debian_chroot:+($debian_chroot)}\u: \w ]\\$ "
    #PS2="> "
    #PS1=" $FRED${debian_chroot:+($debian_chroot)}"
    #PS2="> "
else
    PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt
- Change root password:
- Reboot
- ESC to Recovery Mode
- (wait)
- click: root Drop to root shell prompt
- ls /home
- passwd username
- change your password
- exit
- click: resume
- The Caps Lock light is reversed. Reset Caps Lock:
xmodmap -e "remove Lock = Caps_Lock"
and then
xmodmap -e "add Lock = Caps_Lock"
Shell
- The following characters have special meanings in grep or egrep:
- In egrep: | ^ $ . * + ? ( ) [ { } \
- In grep: ^ $ . * \( \) [ \{ \} \
- 0 = STDIN, 1 = STDOUT, 2 = STDERR. For example, blah 2> /dev/null sends blah's STDERR to /dev/null
- > overwrites, >> appends
- Don't see what's being written: ksh filename > writefilename 2>&1 (the 2>&1 writes the errors to the file as well)
- See what's being written: ksh filename 2>&1 | tee writefilename
- ksh: typeset'ing vars in a function makes those vars local to the function.
- Avoid typing in the sudo password every time: edit /etc/sudoers (use visudo so the file is syntax-checked before it is saved) such that under the line
root ALL=(ALL) ALL
this line is added:
[username] ALL=(ALL) ALL
- Add a path as the first option in $PATH, e.g. slapd's path. Currently when you do echo $PATH, /usr/local/sbin shows in front. I want to add /usr/local/libexec:
export PATH=/usr/local/libexec:$PATH
Now I have /usr/local/libexec as the first option under echo $PATH
- pkill doesn't always work. Use pkill -9 or pkill -15 instead. Same with sudo kill.
- A Debugger! :D
gdb [command]
Python
Common Stuff
- Cannot do [print line for line in linelist] (print is a statement in Python 2, not an expression); you must have a function that prints the line, call it printl(), and do [printl(line) for line in linelist]
More Specific Stuff
- p = Popen('blah', stdin=PIPE, stdout=PIPE, stderr=PIPE)
- (out, err) = p.communicate('inputThing\n') <-- don't forget the return "\n" at the end!
- When you're doing a bunch of p = Popen('shell command') be careful, because Popen starts a new process and returns immediately, so the next Popen might start without the previous one having completed. To fix this problem, put in:
if int(p.wait()) != 0: # meaning that it did not complete successfully
    print "error message"
    exit(1)
- Two ways to display outputs after Popen(a command that has to get into something, in my case, getting into kadmin.local) 06262009
- Way 1:
p = Popen(['command', 'all', 'in', 'one', 'line'], stdin=PIPE, stdout=PIPE, stderr=PIPE) # e.g. ['kadmin.local', '-q', 'listprincs']
if int(p.wait()) != 0:
    print p.stdout.readlines()
- Way 2:
p = Popen(['command', 'front', 'chunk'], stdin=PIPE, stdout=PIPE, stderr=PIPE) # e.g. ['kadmin.local']
(out, err) = p.communicate('rest of command') # e.g. 'listprincs'
print out
- Not type in a chunk of common code every time, i.e.
p = Popen(cmd, stdin=PIPE, stdout=PIPE, stderr=PIPE)
This can be changed to:
s = {'stdin': PIPE, 'stdout': PIPE, 'stderr': PIPE}
p = Popen(cmd, **s)
- For putting in a shell command directly, you can turn on shell=True. Note the command here can be a single string, not split up.
p = Popen(command, shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
- The p.stdout.readlines() can be read only once
- Print current time in python:
from time import strftime
print "current time: "+strftime("%Y-%m-%d %H:%M:%S")
Output: current time: 2009-07-06 22:00:54
- Sleep for 7 seconds.
import time
time.sleep(7)
- Popen( env=blah ) this argument only needs to be specified when the environment is changing
- To terminate a while loop after 3 seconds do:
start = time.time()
while time.time() - start < 3: blah
remember to import time (time.clock() measures CPU time on Unix rather than elapsed wall-clock time, so it does not make a 3-second timeout)
- Kadmin's wait() number (exit number) failed to point out that there is an error. The chunk below was generated when I tested it manually. It clearly pointed out that the acl file is missing (documented before).
$ kadmin -p haoqili/admin -w test123 -q 'getprinc test'
Authenticating as principal haoqili/admin with password.
get_principal: Operation requires ``get'' privilege while retrieving "test@K.MIT.EDU".
- What I saw in the output of the test was just the line "Authenticating ...", because wait() = 0, I only printed out stdout. However the last line was in the stderr. So I asked Tom if the existence of a stderr message is a better indicator of the success/failure of a command compared to the exit number. The answer is "not necessarily".
- Tom: Some programs write things to stderr even when there's not an error.
- Me: why would they do that?
- Tom: various reasons. sometimes prompts are written to stderr so they won't end up in redirected output by default.
- Ordering of stdout/stderr messages:
- Tom: if you use separate pipes for stderr and stdout, you may get the relative ordering of the messages mixed up if you print all stdout, then print all stderr.
- Me: right now I have stdin=PIPE, stdout=PIPE, stderr=PIPE. Is this separate pipes or the same pipe?
- Tom: separate pipes, i think.
- Tom: so to get program output in order, i would make stderr=STDOUT when creating the subprocess, and check the value of wait()
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE, stderr=PIPE)
This gives all outputs together, and all errors together.
p = Popen('/bin/sh stdouterr.sh', shell=True, stdin=PIPE, stdout=PIPE, stderr=STDOUT)
This gives the outputs and errors in the order they come.
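The double password prompt from the Python Bugs section, the exit-status pitfall with kadmin, and Tom's stdout/stderr ordering advice can all be checked with one script. The following is an added example, not code from this page: it launches a constructed child program with the same interpreter (sys.executable, an assumption) that interleaves stdout and stderr lines and then reads two password lines, once with separate pipes and once with stderr=STDOUT; both answers go in through a single communicate() call, which avoids the closed-pipe ValueError that a second call raises.

```python
"""Compare separate stdout/stderr pipes with stderr=STDOUT, and feed a
two-line password prompt through one communicate() call.  Added example,
not code from the page; the child program below is constructed."""
import subprocess
import sys

# Constructed child: alternates stdout and stderr lines (flushing each so the
# write order is unambiguous), then reads a password and its confirmation from
# stdin and exits 0 only when the two lines match.
CHILD = r'''
import sys
print("out 1"); sys.stdout.flush()
print("err 1", file=sys.stderr); sys.stderr.flush()
print("out 2"); sys.stdout.flush()
print("err 2", file=sys.stderr); sys.stderr.flush()
first = sys.stdin.readline().rstrip("\n")
second = sys.stdin.readline().rstrip("\n")
sys.exit(0 if first and first == second else 1)
'''


def run_child(merge_streams, stdin_text):
    """Run CHILD with stdin_text on its stdin; return (returncode, out, err).
    merge_streams=True sends stderr into the stdout pipe (stderr=STDOUT), so
    'out' then holds both streams in the order the child wrote them and
    'err' is None.  With separate pipes the relative order is lost."""
    proc = subprocess.Popen(
        [sys.executable, "-u", "-c", CHILD],      # -u: unbuffered child output
        stdin=subprocess.PIPE,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT if merge_streams else subprocess.PIPE,
        universal_newlines=True)
    # One communicate() call delivers every stdin line at once.  Calling it a
    # second time would raise "I/O operation on closed file", because
    # communicate() closes the pipes.  Each answer must end with a newline.
    out, err = proc.communicate(stdin_text)
    return proc.returncode, out, err


def lines(text):
    """Split captured output into lines (empty list for None)."""
    return text.splitlines() if text else []


if __name__ == "__main__":
    for merge in (False, True):
        rc, out, err = run_child(merge, "secret\nsecret\n")
        print("merged" if merge else "separate", "rc=%d" % rc,
              lines(out), lines(err))
```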
MKM Errors Put Aside
- Adding the 1058th master key gives a memory error
- getdate.y has problems:
/trunk/src/kadmin/cli$ ./datetest
Enter date, or blank line to exit.
> 6 months
Sat Jan 9 14:22:36 2010
> 12/31/2009
Wed Dec 30 23:00:00 2009
> 07/10/2009
Thu Jul 9 23:00:00 2009
> 01/01/2009
Wed Dec 31 23:00:00 2008
> 01/01/2009 00:00:00
Wed Dec 31 23:00:00 2008
- Phantom list_mkey error after adding -e aes128-cts-hmac-sha1-96. The error went away after I ran the ksh equivalent of the python test. I don't know why it went away because everything seemed to be the same.
- for lines 283-289:
print "Testing add_mkey with aes128 enctype
=============================================="
kdb5_util add_mkey -e aes128-cts-hmac-sha1-96 <<EOF
abcde
abcde
EOF
kdb5_util list_mkeys
print "Testing add_mkey with aes128 enctype done
=============================================="
- The list_mkeys at the bottom is giving the following error:
kdb5_util: Unable to decrypt latest master key with the provided master key
while getting master key list
kdb5_util: Warning: proceeding without master key list
kdb5_util: master keylist not initialized
Getting LDAP Running
configure kerberos with LDAP backend
- (DON'T FORLLOW THESE STEPS, WILL HAVE CONFLICTS, follow Greg's steps) I followed the directions on this website http://openldap.org/doc/admin24/quickstart.html
- Install BerkeleyDB
- Download berkeleydb4.7
- cd to folder
- cd build_unix (on my Ubuntu)
- ../dist/configure
- make
- sudo make install
- Install Open LDAP
- ./configure (fails)
- ERROR: DBD/HDB:BerkeleyDB not available
- Fixed: CPPFLAGS="-I/usr/local/BerkeleyDB4.7/include" then export CPPFLAGS
- ./configure
- make depend
- make (fails)
- ERROR: getpeereid.c:65: error: storage size of ‘peercred’ isn’t known
- FIXED: CPPFLAGS=-D_GNU_SOURCE then export CPPFLAGS
- make
- make test (takes a while)
- sudo make install (installed in /usr/local/etc/openldap)
- Change configuration file at /usr/local/etc/openldap/slapd.conf
- <my-domain> <-- example
- <com> <-- com
- password is still "secret"
- cn is still "Manager"
- Start SLAPD: sudo /usr/local/libexec/slapd
- Check if it works by a search: ldapsearch blah
- Add entries. Consult link above.
What I should have done. Faster, simpler. Directions given by Greg Hudson.
1. sudo apt-get install slapd (for server program)
2. sudo apt-get install ldap-utils (for ldapsearch)
3. copy src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into /etc/ldap/schema
4. In /etc/default/slapd, change SLAPD_SERVICES="ldapi:///", to restrict access to the local machine
5. ldapsearch test:
- ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com
- -H ldapi:/// indicate the URI for the LDAP server
- -x simple authentication
- -W password prompt
- -D cn=Manager,dc=example,dc=com specify the "bind DN", like a username
- -LLL shortens output
- -b specify base of query to restrict the scope of the query
- ldapsearch -H ldapi:/// -x -W -D cn=Manager,dc=example,dc=com -LLL -b dc=example,dc=com
6. sudo apt-get install libldap2-dev
7. Modify kdc.conf to include:
[dbmodules] LDAP = { db_library = kldap ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com ldap_kdc_dn = cn=admin,dc=example,dc=com ldap_kadmind_dn = cn=admin,dc=example,dc=com ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash ldap_servers = ldapi:/// }
8. Build krb5 from source with a different configure command: ./configure --with-ldap
9. Create your database not with kdb5_util, but with kdb5_ldap_util, like this:
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
@ end of step 6. I thought I didn't have to do steps 1 and 2 since I installed the whole thing. However, I got stuck on step 4 because /etc/default/slapd doesn't exist. So I tried to install 1 and 2, but got the following
ERROR:
<pre>
$ sudo apt-get install slapd
Reading package lists... Done
Building dependency tree
Reading state information... Done
slapd is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 169 not upgraded.
1 not fully installed or removed.
After this operation, 0B of additional disk space will be used.
Setting up slapd (2.4.15-1ubuntu3) ...
  Creating initial slapd configuration... Loading the initial configuration from the ldif file (/tmp/slapd_init.ldif.FZDOiAlAPo) failed with the following error while running slapadd:
    str2entry: invalid value for attributeType objectClass #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
    slapadd: could not parse entry (line=16)
dpkg: error processing slapd (--configure):
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 slapd
E: Sub-process /usr/bin/dpkg returned an error code (1)
</pre>
It's okay, the previously missing /etc/default/slapd now exists so that I can do step 4.
SOLUTION: I fixed this error by removing the packaged slapd, to avoid conflicts with the slapd already installed from source: sudo apt-get remove slapd
Note how the top of the error says that whatever I was installing "is already the newest version"; the rest of the output is there because of the conflict between the two slapd installations.
Step 5 then failed with error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
It can be fixed if slapd is started more specifically: sudo /usr/local/libexec/slapd -h ldapi:///
Everything was a mess! But here are some of the things I did despite the mess.
- Zhanna got slapd and ldapsearch working on my computer. I have not been able to replicate it. But here are the steps she used.
- Kill an existing slapd:
ps -ef | grep slapd
and then sudo kill -9 [the left side number]
- Set up new slapd:
sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:667
(667, a bigger number, works; 389, a smaller number, wouldn't work.)
- Test if slapd is running by doing a search:
ldapsearch -H ldapi:/// -x -D cn=Manager,dc=example,dc=com -w secret
Adding LDAP Entries
- Then I created 2 new LDAP entries:
- Create this file named example.ldif:
<pre>
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: HaoQiCompany
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
</pre>
- Note that the objectclass names cannot be changed, they have been predetermined
- Add them:
ldapadd -H ldapi:/// -x -D "cn=Manager,dc=example,dc=com" -w secret -f example.ldif
- Search them:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
- result:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
</pre>
- An important thing I learned is that I can't put in entries at random. The object classes are all specified, and so are the attributes that come with each object class. For example, objectclass "person" must have "objectclass", "sn" for surname, and "cn" for common name. Objectclass "person" may also have these attributes: "description", "seeAlso", "telephoneNumber", and "userPassword".
- I ran into some errors when I followed the examples for adding "person" on some websites, because they included a "title" attribute, which is not allowed for "person".
- Here is where I learned which entries are allowed
- With this knowledge, I made example3.ldif:
<pre>
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectclass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234
</pre>
- Add this entry:
ldapadd -H ldapi:/// -x -w secret -D "cn=Manager,dc=example,dc=com" -f example3.ldif
- Now, the search result of all object classes looks like this:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=*)'
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.com
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: HaoQiCompany
dc: example

# Manager, example.com
dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 5
# numEntries: 4
</pre>
- Search for just "person" object class:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' '(objectclass=person)'
- result:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectclass=person)
# requesting: ALL
#

# Zhanna Tsitkova, example.com
dn: cn=Zhanna Tsitkova,dc=example,dc=com
objectClass: person
cn: Zhanna
cn: Zhanna Tsitkova
sn: Tsitkova
description: kind boss
telephoneNumber: 6171231234

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
</pre>
- Search for just one entry:
ldapsearch -H ldapi:/// -x -b 'dc=example,dc=com' 'cn=HaoQi'
Note that the filter "cn=HaoQi" is a separate quoted argument; it does not go inside the first set of single quotes (the search base).
- result:
<pre>
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: cn=HaoQi
# requesting: ALL
#

# HaoQi Li, example.com
dn: cn=HaoQi Li,dc=example,dc=com
objectClass: person
cn: HaoQi
cn: HaoQi Li
sn: Li
description: happy intern
telephoneNumber: 7031231234

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
</pre>
Starting LDAP
Starting from a specific IP address and port number:
- sudo /usr/local/libexec/slapd -h ldap://127.0.0.1:677
- Note that it's "ldap", not "ldapi." The port number 677 was chosen arbitrarily.
- To search to check that it works:
ldapsearch -h 127.0.0.1 -p 677 -x -D cn=manager,dc=example,dc=com -w secret
Starting from /:
- sudo /usr/local/libexec/slapd -h ldapi:///
- Note that it's "ldapi", not "ldap".
- To search to check that it works:
ldapsearch -H ldapi:/// -x -D cn=manager,dc=example,dc=com -w secret
To kill a slapd and start again:
- ps -ef | grep slapd
- look for the left most number
- sudo kill -9 [left most number]
Things I had to fix
- I first did step 9 without doing step 8. So I got a "kdb5_ldap_util not found" error, and the computer recommended installing krb5-kdc-ldap. DON'T DO THAT! It is not what I want for krb5 development; I want it to run from the build (step 8). So I had to do:
sudo apt-get remove krb5-kdc-ldap
In the end, the kdb5_ldap_util we want should be in /usr/local/sbin/kdb5_ldap_util
- @ step 8. While doing
./configure --with-ldap
it stopped with this:
- ERROR:
configure: error: libldap not found or missing ldap_init
- Greg told me to check if /usr/lib/libldap.so exists, and it does. Then I looked at config.log from the ./configure. Here are chunks of it, found in the middle of the log:
<pre>
configure:24570: checking for ldap_init in -lldap
configure:24605: gcc -o conftest -g -O2 conftest.c -lldap -lresolv >&5
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_pvt_sb_do_write@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_free@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_skip_data@OPENLDAP_2.4_2'
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_reset@OPENLDAP_2.4_2'
... 50 more lines like so ...
/usr/lib/gcc/i486-linux-gnu/4.3.3/../../../../lib/libldap.so: undefined reference to `ber_sockbuf_alloc@OPENLDAP_2.4_2'
collect2: ld returned 1 exit status
configure:24612: $? = 1
configure: failed program was:
| /* confdefs.h. */
| #define PACKAGE_NAME "Kerberos 5"
| #define PACKAGE_TARNAME "krb5"
| #define PACKAGE_VERSION "1.7-prerelease"
| #define PACKAGE_STRING "Kerberos 5 1.7-prerelease"
| #define PACKAGE_BUGREPORT "krb5-bugs@mit.edu"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
... continues ...
| #define HAVE_GETHOSTBYNAME_R 1
| #define HAVE_GETSERVBYNAME_R 1
| #define HAVE_GMTIME_R 1
| #define HAVE_LOCALTIME_R 1
| #define HAVE_LDAP_H 1
| #define HAVE_LBER_H 1
| /* end confdefs.h. */
|
| /* Override any GCC internal prototype to avoid an error.
|    Use char because int might match the return type of a GCC
|    builtin and then its argument prototype would still apply. */
| #ifdef __cplusplus
| extern "C"
| #endif
| char ldap_init ();
| int
| main ()
| {
| return ldap_init ();
|   ;
|   return 0;
| }
configure:24633: result: no
configure:24638: error: libldap not found or missing ldap_init
</pre>
- So Greg says: "I think maybe your OpenLDAP source installation in /usr/local/lib is messing up the system library." So it might be better if I start a new Ubuntu virtual machine without being stupid and compiling the entire OpenLDAP.
NOTE: One of the solutions is to change the default configuration from /usr/local/lib to /usr/lib in /etc/ld.so.conf.d/libc.conf. Then run /sbin/ldconfig.
Starting Over
I ran into some more troubles. So I decided to start again, with a brand new virtual machine
The numbered lines (1 through 9, the step numbers from Greg's directions above) are for ldap. The unnumbered ones are for a general build of krb5 from source.
- To start again if you screwed up anywhere, do make distclean if you want to remove "make", or make clean if you don't want to remove "make" (sometimes you have to do rm config.cache), and then proceed to util/reconf
- Stuff you need to install for the krb5 build
- subversion: sudo apt-get install subversion
- autoconf: sudo apt-get install autoconf
- ncurses: sudo apt-get install ncurses-dev
- yacc: sudo apt-get install byacc
- subversion checkout: svn checkout svn://anonsvn.mit.edu/krb5/trunk
- Navigate to trunk/src
- util/reconf
- 1: sudo apt-get install slapd
- 2: sudo apt-get install ldap-utils
- 3: Navigate to /etc/ldap/schema and then do:
sudo cp /home/haoqili/trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema .
- 4: sudo vim /etc/default/slapd and change SLAPD_SERVICES to SLAPD_SERVICES="ldapi:///" to restrict access to the local machine
- 5: Test to see if it works by:
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com
- 6: sudo apt-get install libldap2-dev
- 8: ./configure --with-ldap (Skipping step 7 intentionally. It can be done later. If you are not doing ldap stuff, just do ./configure)
- make
- sudo make install (I didn't do make check)
- 7: Change kdc.conf according to 7. above
- 9: To run it:
sudo /usr/local/sbin/kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
Figuring out stuff
- good guide: https://help.ubuntu.com/9.04/serverguide/C/serverguide.pdf
- Locate the kerberos schema:
- /etc/ldap/schema/kerberos.schema
- Create this file:
- sudo vim /etc/ldap/schema/schema_testing.conf
<pre>
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/collective.schema
include /etc/ldap/schema/corba.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/duaconf.schema
include /etc/ldap/schema/dyngroup.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/java.schema
include /etc/ldap/schema/kerberos.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/openldap.schema
include /etc/ldap/schema/ppolicy.schema
</pre>
- Make the temp dir to hold output:
- mkdir /tmp/ldifoutput
- Convert schema --> LDIF with slaptest:
- slaptest -f schema_testing.conf -F /tmp/ldifoutput
- Edit /tmp/ldifoutput/cn=config/cn=schema/cn={8}kerberos.ldif
- sudo vi /tmp/ldifoutput/cn\=config/cn\=schema/cn\=\{8\}kerberos.ldif
- change dn: cn={8}kerberos into dn: cn=kerberos,cn=schema,cn=config
- change cn: {8}kerberos into cn: kerberos
- remove the lines from structuralObjectClass: olcsch... till the end of the file
- Start the slapd:
sudo slapd -h ldapi:/// -F /etc/ldap/slapd.d/
The "-F" is for slapd-config-directory.
LDAP notes
- Man pages
- good man page: http://docs.sun.com/app/docs/doc/816-5166/kdb5-ldap-util-1m?a=view
- another one: http://linux.die.net/man/8/kdb5_ldap_util
- If you can't start slapd, try sudo
- debug level, -d # (http://www.openldap.org/doc/admin21/runningslapd.html):
<pre>
Level  Description
-1     enable all debugging
0      no debugging
1      trace function calls
2      debug packet handling
4      heavy trace debugging
8      connection management
16     print out packets sent and received
32     search filter processing
64     configuration file processing
128    access control list processing
256    stats log connections/operations/results
512    stats log entries sent
1024   print communication with shell backends
2048   print entry parsing debugging
</pre>
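The three manual edits to the slaptest output described above (rename the dn and cn, drop everything from structuralObjectClass onward), as an added shell helper that is not part of the original notes; the function name schema_ldif_for_config and the sample input are my own, and the sample's attribute line is a placeholder, not real schema.

```shell
#!/bin/sh
# Added helper, not from the original notes. Rewrites the slaptest-generated
# cn={N}<name>.ldif so it can be loaded under cn=config, doing the three
# manual edits from the notes above:
#   1. dn: cn={8}kerberos  ->  dn: cn=kerberos,cn=schema,cn=config
#   2. cn: {8}kerberos     ->  cn: kerberos
#   3. drop everything from "structuralObjectClass:" to the end of the file
#      (operational attributes that slapd generates itself and rejects on input)
# Usage: schema_ldif_for_config kerberos < 'cn={8}kerberos.ldif' > kerberos.ldif
schema_ldif_for_config() {
    awk -v name="$1" '
        /^structuralObjectClass:/ { exit }   # edit 3: stop at the first operational attribute
        /^#/ { next }                        # slaptest header comments are not needed
        /^dn: cn=[{][0-9]+[}]/ { print "dn: cn=" name ",cn=schema,cn=config"; next }  # edit 1
        /^cn: [{][0-9]+[}]/    { print "cn: " name; next }                             # edit 2
        { print }
    '
}

# Constructed sample that mimics the shape of a slaptest result
# (the {8} index and the attribute definition are placeholders, not real schema).
sample_slaptest_output() {
    printf '%s\n' \
        '# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.' \
        'dn: cn={8}kerberos' \
        'objectClass: olcSchemaConfig' \
        'cn: {8}kerberos' \
        'olcAttributeTypes: {0}( PLACEHOLDER-OID NAME krbExampleAttr )' \
        'structuralObjectClass: olcSchemaConfig' \
        'entryUUID: 00000000-0000-0000-0000-000000000000' \
        'creatorsName: cn=config' \
        'createTimestamp: 20090701000000Z'
}

# Run the constructed sample through the helper; prints the loadable entry.
sample_slaptest_output | schema_ldif_for_config kerberos
```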
- src/kadmin/dbutil/kdb5_ldap_util
- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util
Ldap notes (from notes I saved elsewhere)
1. Information about the system
- packages
- Version of ubuntu
<pre>
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 9.04
Release:        9.04
Codename:       jaunty
</pre>
- Version of slapd: 2.4.15 (Mar 19 2009)
<pre>
slapd -V
@(#) $OpenLDAP: slapd 2.4.15 (Mar 19 2009 10:08:25) $
        buildd@palmer:/build/buildd/openldap-2.4.15/debian/build/servers/slapd
</pre>
- Version of ldap-utils: 2.4.15
dpkg -l ldap-utils
2. Kerb Schema Operations
kerberos.schema schema --> ldif populate all the directories
3. ldap/slapd configuration changes
take out lines, modify lines
4. Extract krb conf files
5. Env
6. Build kerb. config
- You'll need a test OpenLDAP server. To get this, you'll need to
install the slapd package (for the server program) and the ldap-utils package (for ldapsearch). You can set the "domain" of your LDAP server using "sudo dpkg-reconfigure slapd". I will assume example.com below. I believe this will also prompt you for an admin password.
- You'll need to copy kerberos.schema from the source tree
(src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema) into /etc/ldap/schema.
- In /etc/default/slapd, search for SLAPD_SERVICES and set it to:
SLAPD_SERVICES="ldapi:///"
This will restrict access to the local machine.
- You may want to get familiar with the ldapsearch program. Here's an
example of how to use it against the test server installed above:
ldapsearch -H ldapi:/// -x -W -D cn=admin,dc=example,dc=com -LLL -b dc=example,dc=com
This command displays all of the entries in your LDAP database. The
-H option and argument indicate the URI of the LDAP server; ldapi:/// means "a Unix-domain socket on the local machine". -x means to use simple authentication and -W means to prompt for a password (the admin password you chose previously). The -D option and argument specify the "bind DN", which you can think of as a username. The -LLL option shortens the output format a bit; you can leave that out if you want. The -b option specifies the base of the query; in this case, the whole thing. It's also worth reading the man page for the meaning of the -s option (restrict the scope of the query) and for the filter syntax.
- To build Kerberos with LDAP back end support, you need to install the
libldap2-dev package, and configure with --with-ldap.
- Configuring your KDC is similar to setting up a normal KDC, but your
dbmodule directive will look something like this:
<pre>
[dbmodules]
    LDAP = {
        db_library = kldap
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_dn = cn=admin,dc=example,dc=com
        ldap_kadmind_dn = cn=admin,dc=example,dc=com
        ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
        ldap_servers = ldapi:///
    }
</pre>
(In a real deployment, you would probably create user DNs for the KDC and kadmin rather than using the admin DN, and grant them the minimum necessary access. But creating users in an OpenLDAP database didn't appear straightforward to me, so I skipped that step in my testing.)
- When you create your database, instead of using kdb5_util, you use
kdb5_ldap_util, like so:
<pre>
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create \
    -r EXAMPLE.COM -sf /usr/local/var/krb5kdc/admin.stash -s
</pre>
You'll have to enter your OpenLDAP admin password, which will be stored in the admin.stash file for use by the KDC and kadmind.
There is more information in the krb5 admin guide (see the doc subdir of
your source tree).