Bug#: 58799
Status: RESOLVED
Resolution: FIXED
Assigned To: Ryan Phillips (RETIRED) <rphillips@gentoo.org>
Reporter: Jose Gonzalez Gomez <jgonzalez.openinput@gmail.com>

Attachments (filename: description; type, creator, created, size):
- heimdal-0.6.2-r1.ebuild: Modified ebuild; text/plain, Jose Gonzalez Gomez, 2004-07-29 15:36 0000, 3.19 KB
- krb5.conf: Sample configuration; text/plain, Jose Gonzalez Gomez, 2004-07-29 15:38 0000, 423 bytes
- krb5-kdc.schema: Kerberos schema; text/plain, Jose Gonzalez Gomez, 2004-07-29 15:39 0000, 3.95 KB
- heimdal-0.6.2-r1.ebuild: Modified ebuild (patch for LDAP subtree searches included); text/plain, Jose Gonzalez Gomez, 2004-07-30 02:29 0000, 3.23 KB
- heimdal-0.6.2-ldap-subtree.patch: Patch for LDAP subtree searches; patch, Jose Gonzalez Gomez, 2004-07-30 02:30 0000, 737 bytes
- heimdal-0.6.2-r1.ebuild: Modified ebuild; text/plain, Jose Gonzalez Gomez, 2004-08-17 11:21 0000, 3.54 KB

Bug 58799 blocks: 48994

Description:   Opened: 2004-07-29 10:27 0000
Support for storing the KDC database in an LDAP directory is not built with the
current Heimdal ebuild. There are some comments in the ebuild about creating a
"multiple stage circular dependency with USE="ldap kerberos"" between OpenLDAP
and Heimdal. However, there are other packages that are in a similar situation
and they include the USE variables without any problem:

[ebuild   R   ] net-nds/openldap-2.1.30-r1  +berkdb +crypt -debug +gdbm -ipv6
-odbc +perl +readline +samba +sasl -slp +ssl +tcpd  0 kB
[ebuild   R   ] dev-libs/cyrus-sasl-2.1.18-r2  +gdbm +java +kerberos +ldap
+mysql +pam -pam-mysql +postgres +ssl -static  0 kB

Here we have openldap containing +sasl and cyrus-sasl containing +ldap. I have
compiled and installed these two packages successfully, so I don't see any reason
to avoid it in Heimdal/OpenLDAP. Am I missing anything here?


Reproducible: Always
Steps to Reproduce:
1. emerge heimdal

Actual Results:  
Heimdal was installed without ldap support

Expected Results:  
The Heimdal ebuild should give the possibility to activate the LDAP support by
offering an ldap USE variable.

Right now I'm trying to compile heimdal-0.6.2-r1 with ldap support (I have just
uncommented two lines that were already in the ebuild), I'll post my results
when I'm done.

------- Comment #1 From Jose Gonzalez Gomez 2004-07-29 12:16:34 0000 -------
An appropriate schema should be included with this ebuild so Heimdal is able to
store its information in LDAP. Such a schema can be found here:

http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema

This schema is maintained by Quanah Gibson-Mount (quanah@stanford.edu). Maybe
somebody should contact him to include it in the ebuild?

------- Comment #2 From Jose Gonzalez Gomez 2004-07-29 15:33:26 0000 -------
I have modified the heimdal-0.6.2-r1 to include the following:

1. Support for LDAP... maybe I have created the circular dependency mentioned in the ebuild? I don't know, I had OpenLDAP installed when I emerged this.
2. Automatic creation of /var/heimdal
3. Inclusion of a sample configuration file
4. Inclusion of krb5-kdc.schema. I haven't contacted the author.

I have emerged heimdal using this ebuild and it seems to compile and install properly. I will test the LDAP functionality tomorrow. Enough work for a day...

------- Comment #3 From Jose Gonzalez Gomez 2004-07-29 15:36:51 0000 -------
Created an attachment (id=36432) [details]
Modified ebuild

I haven't made a new version nor a patch. Should you need this, feel free to
ask for it.

------- Comment #4 From Jose Gonzalez Gomez 2004-07-29 15:38:35 0000 -------
Created an attachment (id=36434) [details]
Sample configuration

To be included in the files directory

------- Comment #5 From Jose Gonzalez Gomez 2004-07-29 15:39:52 0000 -------
Created an attachment (id=36435) [details]
Kerberos schema

To be included in the files directory... or maybe we could download it every
time? In this case, authorization from the author is definitely needed

------- Comment #6 From Jose Gonzalez Gomez 2004-07-29 15:54:47 0000 -------
Ok, couldn't resist... I have tested it and it seems it's working flawlessly.

Well, almost... I had to use ldapi:// instead of the Gentoo default ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock in /etc/conf.d/slapd. I guess heimdal is searching for the unix socket in some default location that slapd uses when specifying just ldapi://. I would just like to know where to find it, and if it's possible to change this location in heimdal, or if it's hard-wired.

------- Comment #7 From Jose Gonzalez Gomez 2004-07-29 16:06:11 0000 -------
The default location for the openldap unix socket is /var/lib/ldapi
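
A small helper, added here and not part of the attachments on this bug, for the ldapi:// mismatch in comments #6 and #7: it decodes the percent-encoded socket path from an ldapi URI (the form Gentoo uses in /etc/conf.d/slapd), falls back to the default path quoted in comment #7 for a bare ldapi://, and reports what actually sits at that path, so an admin can confirm that Heimdal and slapd are using the same socket before blaming the KDC. The default path and the sample URIs are assumptions.

```python
import os
import stat
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Compiled-in socket location quoted in comment #7 of this bug (assumption:
# a slapd built with a different LOCALSTATEDIR uses another path).
DEFAULT_LDAPI_SOCKET = "/var/lib/ldapi"


def ldapi_socket_path(uri: str, default: str = DEFAULT_LDAPI_SOCKET) -> Optional[str]:
    """Return the Unix socket path an ldapi:// URI names, or None for any
    other scheme.  The path travels in the authority part, percent-encoded,
    so 'ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock' means
    /var/run/openldap/slapd.sock, while a bare 'ldapi://' (or 'ldapi:///')
    selects the server's compiled-in default."""
    parsed = urlparse(uri.strip())
    if parsed.scheme.lower() != "ldapi":
        return None
    if not parsed.netloc:
        return default
    return unquote(parsed.netloc)


def ldapi_sockets_from_uri_list(uris: str, default: str = DEFAULT_LDAPI_SOCKET) -> List[str]:
    """Collect every ldapi socket path from a whitespace-separated URI list,
    the form slapd takes on -h (and Gentoo writes into /etc/conf.d/slapd)."""
    paths = []
    for uri in uris.split():
        path = ldapi_socket_path(uri, default)
        if path is not None:
            paths.append(path)
    return paths


def socket_status(path: str) -> str:
    """Classify what is at `path`: 'missing', 'not-a-socket' or 'socket'.
    Run it on the path Heimdal will use and on the path slapd listens on to
    see whether the two sides agree."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    return "socket" if stat.S_ISSOCK(st.st_mode) else "not-a-socket"
```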

------- Comment #8 From Ryan Phillips (RETIRED) 2004-07-29 19:56:12 0000 -------
Jose: I'll commit this when I get back from my trip on monday.

------- Comment #9 From Jose Gonzalez Gomez 2004-07-30 02:28:27 0000 -------
I have patched the sources so you may store Kerberos principals in several
directory levels, not just one level. I haven't tested it yet, will be doing so
today or monday... I'll post my results.

------- Comment #10 From Jose Gonzalez Gomez 2004-07-30 02:29:36 0000 -------
Created an attachment (id=36458) [details]
Modified ebuild (patch for LDAP subtree searches included)

------- Comment #11 From Jose Gonzalez Gomez 2004-07-30 02:30:19 0000 -------
Created an attachment (id=36459) [details]
Patch for LDAP subtree searches

------- Comment #12 From Jose Gonzalez Gomez 2004-07-30 03:29:05 0000 -------
The patch for LDAP subtree searches seems to work properly. The command "list
*" in kadmin -l returns all the entries in the entire subtree, and I've been
able to successfully kinit using an entry not in the top level of the tree.

I hope somebody else can test this in case I have missed anything. 

------- Comment #13 From Jose Gonzalez Gomez 2004-08-02 07:44:34 0000 -------
The default location for the ACL configuration file in Heimdal is
/var/heimdal/kadmind.acl. Maybe we could change this to a location under /etc?
This should imply modification of the init script to include an extra
parameter, and possibly a new file to include in /etc/conf.d where the location
of this config file could be specified. What do you think?

------- Comment #14 From Jose Gonzalez Gomez 2004-08-16 02:41:01 0000 -------
Ryan: You haven't posted anything since 07/29, although you said you would
commit this as soon as you were back from your trip... I hope you're ok and you
really got back from that trip.

------- Comment #15 From Jose Gonzalez Gomez 2004-08-17 11:21:39 0000 -------
Created an attachment (id=37619) [details]
Modified ebuild

This ebuild contains the patch for LDAP subtree searches, and the creation of
additional symbolic links needed so saslauthd in cyrus-sasl can compile the
kerberos5 authentication mechanism

------- Comment #16 From Daniel Black 2004-09-13 08:28:56 0000 -------
Jose, if you are around please come to #gentoo-security for assistance with bug
#61412. I've wrapped these fixes you've attached here as well.

------- Comment #17 From Daniel Black 2004-09-13 08:47:59 0000 -------
in 0.6.3
