Bug 58799 - Heimdal does not offer support for LDAP
Bug#: 58799
Product: Gentoo Linux
Version: unspecified
Platform: x86
OS/Version: Linux
Status: RESOLVED
Severity: major
Priority: P2
Resolution: FIXED
Assigned To: rphillips@gentoo.org
Reported By: jgonzalez.openinput@gmail.com
Component: Applications
URL:
Summary: Heimdal does not offer support for LDAP
Keywords:
Status Whiteboard:
Opened: 2004-07-29 10:27 0000
Support for storing the KDC database in an LDAP directory is not built with the
current Heimdal ebuild. There are some comments in the ebuild about creating a
"multiple stage circular dependency with USE="ldap kerberos"" between OpenLDAP
and Heimdal. However, there are other packages that are in a similar situation
and they include the USE variables without any problem:
[ebuild R ] net-nds/openldap-2.1.30-r1 +berkdb +crypt -debug +gdbm -ipv6
-odbc +perl +readline +samba +sasl -slp +ssl +tcpd 0 kB
[ebuild R ] dev-libs/cyrus-sasl-2.1.18-r2 +gdbm +java +kerberos +ldap
+mysql +pam -pam-mysql +postgres +ssl -static 0 kB
Here we have openldap containing +sasl and cyrus-sasl containing +ldap. I have
compiled and installed these two packages successfully, so I don't see any reason
to avoid it in Heimdal/OpenLDAP. Am I missing anything here?
Reproducible: Always
Steps to Reproduce:
1. emerge heimdal
Actual Results:
Heimdal was installed without ldap support
Expected Results:
The Heimdal ebuild should give the possibility to activate LDAP support by
offering an ldap USE variable.
Right now I'm trying to compile heimdal-0.6.2-r1 with ldap support (I have just
uncommented two lines that were already in the ebuild), I'll post my results
when I'm done.
I have modified the heimdal-0.6.2-r1 ebuild to include the following:
1. Support for LDAP... maybe I have created the circular dependency mentioned in the ebuild? I don't know, I had OpenLDAP installed when I emerged this.
2. Automatic creation of /var/heimdal
3. Inclusion of a sample configuration file
4. Inclusion of krb5-kdc.schema. I haven't contacted the author.
I have emerged heimdal using this ebuild and it seems to compile and install properly. I will test the LDAP functionality tomorrow. Enough work for a day...
Created an attachment (id=36435) [details]
Kerberos schema
To be included in the files directory... or maybe we could download it every
time? In that case, authorization from the author is definitely needed.
Ok, couldn't resist... I have tested it and it seems it's working flawlessly.
Well, almost... I had to use ldapi:// instead of the Gentoo default ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock' in /etc/conf.d/slapd. I guess heimdal is searching for the unix socket in some default location that slapd uses when specifying just ldapi://. I would just like to know where to find it, and whether it's possible to change this location in heimdal, or if it's hard-wired.
The default location for the openldap unix socket is /var/lib/ldapi
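The two comments above turn on how an ldapi:// URI carries a unix socket path: the path is percent-encoded into the host part (so `/` becomes `%2f`), and a bare `ldapi://` names no path at all, leaving the client to fall back on its library default. The following is an added example, not code from the bug or from Heimdal/OpenLDAP, that decodes and builds such URIs; the fallback default of /var/lib/ldapi is taken from the comment above and is an assumption, not a value read from any library.

```python
from urllib.parse import quote, unquote

# Assumed default: the comment above states that slapd's default unix socket
# is /var/lib/ldapi. This is taken from the thread, not from library docs.
DEFAULT_LDAPI_SOCKET = "/var/lib/ldapi"


def ldapi_socket_path(uri: str, default: str = DEFAULT_LDAPI_SOCKET) -> str:
    """Return the unix socket path an ldapi:// URI refers to.

    The socket path travels in the URI's host part, percent-encoded, so
    '/' shows up as '%2f' (or '%2F'). A bare 'ldapi://' carries no path
    and resolves to the caller's default, which is exactly the behaviour
    the thread observed when heimdal was handed 'ldapi://'.
    """
    scheme, sep, rest = uri.partition("://")
    if sep == "" or scheme.lower() != "ldapi":
        raise ValueError(f"not an ldapi URI: {uri!r}")
    # An unencoded '/' would start the DN/attribute part of an LDAP URL,
    # so only the text before it can be the socket path.
    host = rest.split("/", 1)[0]
    if host == "":
        return default
    path = unquote(host)
    if not path.startswith("/"):
        raise ValueError(f"ldapi socket path must be absolute: {path!r}")
    return path


def ldapi_uri(socket_path: str) -> str:
    """Build the ldapi:// URI for an absolute unix socket path.

    Every '/' is percent-encoded (safe="" disables urllib's default of
    leaving '/' untouched); this is the form used in /etc/conf.d/slapd.
    """
    if not socket_path.startswith("/"):
        raise ValueError(f"socket path must be absolute: {socket_path!r}")
    return "ldapi://" + quote(socket_path, safe="")
```

Decoding the Gentoo default from the thread yields /var/run/openldap/slapd.sock, while the bare form yields the assumed /var/lib/ldapi, which is why a client given only `ldapi://` can miss a socket that slapd was told to create elsewhere.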
Jose: I'll commit this when I get back from my trip on Monday.
I have patched the sources so you may store Kerberos principals in several
directory levels, not just one level. I haven't tested it yet, will be doing so
today or Monday... I'll post my results.
The patch for LDAP subtree searches seems to work properly. The command "list
*" in kadmin -l returns all the entries in the entire subtree, and I've been
able to successfully kinit using an entry not in the top level of the tree.
I hope somebody else can test this in case I have missed anything.
The default location for the ACL configuration file in Heimdal is
/var/heimdal/kadmind.acl. Maybe we could change this to a location under /etc?
This would imply modifying the init script to include an extra parameter, and
possibly a new file in /etc/conf.d where the location of this config file could
be specified. What do you think?
Ryan: You haven't posted anything since 07/29, although you said you would
commit this as soon as you were back from your trip... I hope you're ok and you
really got back from that trip.
Created an attachment (id=37619) [details]
Modified ebuild
This ebuild contains the patch for LDAP subtree searches, and the creation of
additional symbolic links needed so saslauthd in cyrus-sasl can compile the
kerberos5 authentication mechanism
Jose, if you are around please come to #gentoo-security for assistance with bug
#61412. I've wrapped these fixes you've attached here as well.