Support for storing the KDC database in an LDAP directory is not built with the current Heimdal ebuild. There are some comments in the ebuild about creating a "multiple stage circular dependency with USE="ldap kerberos"" between OpenLDAP and Heimdal. However, there are other packages that are in a similar situation and they include the USE variables without any problem:

[ebuild R ] net-nds/openldap-2.1.30-r1 +berkdb +crypt -debug +gdbm -ipv6 -odbc +perl +readline +samba +sasl -slp +ssl +tcpd 0 kB
[ebuild R ] dev-libs/cyrus-sasl-2.1.18-r2 +gdbm +java +kerberos +ldap +mysql +pam -pam-mysql +postgres +ssl -static 0 kB

Here we have openldap containing +sasl and cyrus-sasl containing +ldap. I have compiled and installed these two packages successfully, so I don't see any reason to avoid it in Heimdal/OpenLDAP. Am I missing anything here?

Reproducible: Always

Steps to Reproduce:
1. emerge heimdal

Actual Results: Heimdal was installed without ldap support

Expected Results: The Heimdal ebuild should give the possibility to activate the LDAP support by offering an ldap USE variable.

Right now I'm trying to compile heimdal-0.6.2-r1 with ldap support (I have just uncommented two lines that were already in the ebuild), I'll post my results when I'm done.
An appropriate schema should be included with this ebuild so Heimdal is able to store its information in LDAP. Such a schema can be found here: http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema This schema is maintained by Quanah Gibson-Mount (quanah@stanford.edu). Maybe somebody should contact him to include it in the ebuild?
I have modified the heimdal-0.6.2-r1 to include the following: 1. Support for LDAP... maybe I have created the circular dependency mentioned in the ebuild? I don't know, I had OpenLDAP installed when I emerged this. 2. Automatic creation of /var/heimdal 3. Inclusion of a sample configuration file 4. Inclusion of krb5-kdc.schema. I haven't contacted the author. I have emerged heimdal using this ebuild and it seems to compile and install properly. I will test the LDAP functionality tomorrow. Enough work for a day...
Created attachment 36432: Modified ebuild. I haven't made a new version nor a patch. Should you need this, feel free to ask for it.
Created attachment 36434: Sample configuration. To be included in the files directory.
Created attachment 36435: Kerberos schema. To be included in the files directory... or maybe we could download it every time? In this case, authorization from the author is definitely needed.
Ok, couldn't resist... I have tested it and it seems it's working flawlessly. Well, almost... I had to use ldapi:// instead of the Gentoo default ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock in /etc/conf.d/slapd. I guess heimdal is searching for the unix socket in some default location that slapd uses when specifying just ldapi://. I just would like to know where to find it, and if it's possible to change this location in heimdal, or if it's hard wired.
The default location for the openldap unix socket is /var/lib/ldapi
Jose: I'll commit this when I get back from my trip on Monday.
I have patched the sources so you may store Kerberos principals in several directory levels, not just one level. I haven't tested it yet, will be doing so today or Monday... I'll post my results.
Created attachment 36458: Modified ebuild (patch for LDAP subtree searches included)
Created attachment 36459: Patch for LDAP subtree searches
The patch for LDAP subtree searches seems to work properly. The command "list *" in kadmin -l returns all the entries in the entire subtree, and I've been able to successfully kinit using an entry not in the top level of the tree. I hope somebody else can test this in case I have missed anything.
The default location for the ACL configuration file in Heimdal is /var/heimdal/kadmind.acl. Maybe we could change this to a location under /etc? This should imply modification of the init script to include an extra parameter, and possibly a new file to include in /etc/conf.d where the location of this config file could be specified. What do you think?
Ryan: You haven't posted anything since 07/29, although you said you would commit this as soon as you were back from your trip... I hope you're ok and you really got back from that trip.
Created attachment 37619: Modified ebuild. This ebuild contains the patch for LDAP subtree searches, and the creation of additional symbolic links needed so saslauthd in cyrus-sasl can compile the kerberos5 authentication mechanism.
Jose, if you are around please come to #gentoo-security for assistance with bug #61412. I've wrapped these fixes you've attached here as well.
In 0.6.3.