| Field | Value |
|---|---|
| Summary | Heimdal does not offer support for LDAP |
| Product | Gentoo Linux |
| Reporter | Jose Gonzalez Gomez <jgonzalez.openinput> |
| Component | Current packages |
| Assignee | Ryan Phillips (RETIRED) <rphillips> |
| Status | RESOLVED FIXED |
| Severity | major |
| Priority | High |
| Version | unspecified |
| Hardware | x86 |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | |
| Bug Blocks | 48994 |

Attachments:
- Modified ebuild
- Sample configuration
- Kerberos schema
- Modified ebuild (patch for LDAP subtree searches included)
- Patch for LDAP subtree searches
- Modified ebuild
Description
Jose Gonzalez Gomez
2004-07-29 10:27:11 UTC
An appropriate schema should be included with this ebuild so Heimdal is able to store its information in LDAP. Such a schema can be found here: http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema

This schema is maintained by Quanah Gibson-Mount (quanah@stanford.edu). Maybe somebody should contact him to include it in the ebuild?

I have modified the heimdal-0.6.2-r1 ebuild to include the following:

1. Support for LDAP... maybe I have created the circular dependency mentioned in the ebuild? I don't know, I had OpenLDAP installed when I emerged this.
2. Automatic creation of /var/heimdal
3. Inclusion of a sample configuration file
4. Inclusion of krb5-kdc.schema. I haven't contacted the author.

I have emerged heimdal using this ebuild and it seems to compile and install properly. I will test the LDAP functionality tomorrow. Enough work for a day...

Created attachment 36432 [details]
Modified ebuild
I haven't made a new version nor a patch. Should you need this, feel free to
ask for it.
Created attachment 36434 [details]
Sample configuration
To be included in the files directory
Created attachment 36435 [details]
Kerberos schema
To be included in the files directory... or maybe we could download it every
time? In this case, authorization from the author is definitely needed.

Ok, couldn't resist... I have tested it and it seems it's working flawlessly. Well, almost... I had to use ldapi:// instead of the Gentoo default ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock in /etc/conf.d/slapd. I guess heimdal is searching for the unix socket in some default location that slapd uses when specifying just ldapi://. I just would like to know where to find it, and if it's possible to change this location in heimdal, or if it's hard-wired.

The default location for the openldap unix socket is /var/lib/ldapi

Jose: I'll commit this when I get back from my trip on Monday.

I have patched the sources so you may store Kerberos principals in several directory levels, not just one level. I haven't tested it yet, will be doing so today or Monday... I'll post my results.

Created attachment 36458 [details]
Modified ebuild (patch for LDAP subtree searches included)
Created attachment 36459 [details, diff]
Patch for LDAP subtree searches
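The socket mismatch described above comes from how an ldapi:// URI carries the Unix socket path: the path is percent-encoded into the host position (each `/` becomes `%2f`), and a bare `ldapi://` names no path at all, so the client falls back to whatever default its LDAP library was built with. The helper below is an added example, not code from the bug thread, the ebuild or Heimdal; it decodes an ldapi:// URI to the socket path it actually names and checks that the path exists and is a Unix socket, which is the first thing to verify when a KDC cannot reach slapd. The fallback constant and `check_socket` are assumptions of this example; the thread itself reports the compiled-in default as /var/lib/ldapi, which is not verified here.

```python
import os
import stat
from urllib.parse import unquote

# Assumption (example only): the socket path a bare "ldapi://" falls back to.
# The thread reports this compiled-in default as /var/lib/ldapi; it is not
# verified here and is exposed as a parameter so it can be overridden.
FALLBACK_LDAPI_SOCKET = "/var/lib/ldapi"


def ldapi_socket_path(uri, fallback=FALLBACK_LDAPI_SOCKET):
    """Return the Unix socket path an ldapi:// URI refers to.

    The socket path occupies the host position of the URI and is
    percent-encoded, so "ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock"
    decodes to /var/run/openldap/slapd.sock.  Anything after the first
    unencoded "/" or "?" is the LDAP URL's DN/attrs/scope/filter part and
    is ignored.  An empty host (plain "ldapi://") yields the fallback,
    which is exactly the case the thread ran into.
    """
    prefix = "ldapi://"
    if not uri.startswith(prefix):
        raise ValueError("not an ldapi URI: %r" % (uri,))
    rest = uri[len(prefix):]
    end = len(rest)
    for sep in "/?":
        pos = rest.find(sep)
        if pos != -1 and pos < end:
            end = pos
    encoded = rest[:end]
    if not encoded:
        return fallback
    return unquote(encoded)


def check_socket(path):
    """Describe whether `path` is usable as an LDAP Unix socket.

    Returns a dict with: exists, is_socket, and world_writable (a
    world-writable socket file is a sign of a loose umask on slapd's
    socket directory and worth flagging).  Nothing is opened or connected.
    """
    result = {"path": path, "exists": False, "is_socket": False,
              "world_writable": False}
    try:
        st = os.stat(path)
    except OSError:
        return result
    result["exists"] = True
    result["is_socket"] = stat.S_ISSOCK(st.st_mode)
    result["world_writable"] = bool(st.st_mode & stat.S_IWOTH)
    return result


if __name__ == "__main__":
    # Constructed inputs: the Gentoo conf.d value from the thread and the
    # bare form that had to be used instead.
    for uri in ("ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock",
                "ldapi://",
                "ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock/dc=example,dc=org??sub"):
        path = ldapi_socket_path(uri)
        print(uri, "->", path, check_socket(path))
```

Run it on the KDC host: if the path printed for the URI in krb5.conf (or kdc.conf) does not match the socket slapd actually listens on, the two daemons are simply talking past each other, which is what the ldapi:// workaround above papers over.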
The patch for LDAP subtree searches seems to work properly. The command "list *" in kadmin -l returns all the entries in the entire subtree, and I've been able to successfully kinit using an entry not in the top level of the tree. I hope somebody else can test this in case I have missed anything.

The default location for the ACL configuration file in Heimdal is /var/heimdal/kadmind.acl. Maybe we could change this to a location under /etc? This should imply modification of the init script to include an extra parameter, and possibly a new file to include in /etc/conf.d where the location of this config file could be specified. What do you think?

Ryan: You haven't posted anything since 07/29, although you said you would commit this as soon as you were back from your trip... I hope you're ok and you really got back from that trip.

Created attachment 37619 [details]
Modified ebuild
This ebuild contains the patch for LDAP subtree searches, and the creation of
additional symbolic links needed so saslauthd in cyrus-sasl can compile the
kerberos5 authentication mechanism
Jose, if you are around please come to #gentoo-security for assistance with bug #61412. I've wrapped these fixes you've attached here as well, in 0.6.3.