I am trying to set up Kerberos with an OpenLDAP backend. I followed this doc http://web.mit.edu/Kerberos/www/krb5-1.12/doc/admin/conf_ldap.html and this https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html#kerberos-ldap-ope...
My krb5.conf file looks like this:

    [libdefaults]
        default_realm = EXAMPLE.TEST
        dns_lookup_realm = false
        dns_lookup_kdc = false
        rdns = false

    [kdcdefaults]
        restrict_anonymous_to_tgt = true

    # The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

    # The following libdefaults parameters are only for Heimdal Kerberos.
        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true

    [realms]
    # configuration for my realm
        EXAMPLE.TEST = {
            kdc = krb1.example.test:88
            kdc = krb2.example.test:88
            admin_server = krb1.example.test
            default_domain = example.test
            database_module = openldap_ldapconf
        }

    [domain_realm]
    # configuration for my server
        .example.test = EXAMPLE.TEST
        EXAMPLE.test = EXAMPLE.TEST

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=test

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            ldap_kdc_dn = "cn=krbadmin,dc=example,dc=test"
            # this object needs to have read rights on
            # the realm container, principal container and realm sub-trees
            ldap_kadmind_dn = "cn=krbadmin,dc=example,dc=test"
            # this object needs to have read and write rights on
            # the realm container, principal container and realm sub-trees
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            ldap_servers = ldap://127.0.0.1
            ldap_conns_per_server = 5
        }

    [login]
        # krb4_convert = true
        # krb4_get_tickets = false

    [logging]
        kdc = FILE:/var/log/kerberos/krb5kdc.log
        admin_server = FILE:/var/log/kerberos/kadmin.log
        default = FILE:/var/log/kerberos/krb5lib.log
I added the krbPrincipalName index:

    dn: olcDatabase={1}hdb,cn=config
    add: olcDbIndex
    olcDbIndex: krbPrincipalName eq,pres,sub
I gave permissions to kadmind and krb5kdc for reading and writing in the LDAP database:

    dn: olcDatabase={1}hdb,cn=config
    replace: olcAccess
    olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
      by dn="cn=krbadmin,dc=example,dc=com" write
      by anonymous auth
      by self write
      by * none
    -
    add: olcAccess
    olcAccess: to dn.base="" by * read
    -
    add: olcAccess
    olcAccess: to *
      by dn="cn=krbadmin,dc=example,dc=com" write
      by * read
When I try to restart the krb5-admin-server I get this error:

    [....] Restarting Kerberos administrative servers: kadmindkadmind: Invalid credentials while initializing, aborting failed!
Any suggestion for solving this problem? I think there is a missing configuration on my LDAP, but I am not sure.
Thanks in advance.