Hi there
I am trying to install a KDC (kerberos) with an OpenLDAP backend, following instructions found on the MIT kerberos site. Installation went fine and I can see that the default principals have been created (kadmin, krbtgt & so on...).
However, I cannot add new principals:
kadmin.local -q "addprinc -pw password root"
Authenticating as principal root/admin@JAKOBI.FR with password.
WARNING: no policy specified for root@JAKOBI.FR; defaulting to no policy
add_principal: Principal add failed: Insufficient access while creating "root@JAKOBI.FR root@JAKOBI.FR".
Digging a bit further, I could see the following with wireshark (after binding to the Directory as kadmin):
147 21.719670222 127.0.0.1 127.0.0.1 LDAP 1028 addRequest(7) "krbprincipalname=root@JAKOBI.FR,cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr"
148 21.720138441 127.0.0.1 127.0.0.1 LDAP 107 addResponse(7) insufficientAccessRights (no write access to parent)
My LDAP ACLs are as follows:
{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=jakobi,dc=fr" write by anonymous auth by self write by * none
{1}to dn.base="" by * read
{2}to * by dn="cn=admin,dc=jakobi,dc=fr" write by * read
{3}to dn.subtree="cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kdc,ou=People,dc=jakobi,dc=fr" read
{4}to dn.subtree="cn=kerberos,dc=jakobi,dc=fr" by dn.exact="cn=kadmin,ou=People,dc=jakobi,dc=fr" write
If ACL #4 refers to dn.subtree="cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr" instead (shouldn't it be the parent of the target principal?), the result is the same.
As far as I understand, rule #4 should allow me to write within the realm subtree...
Can someone enlighten me?
Thanks in advance.
Hi Pascal,
It's your rule 2, I think: by * read
Regards
On 2 Jan 2017 5:52 PM, "Pascal Jakobi" pascal.jakobi@gmail.com wrote:
On Mon, Jan 02, 2017 at 08:27:29AM +0100, Pascal Jakobi wrote:
My LDAP ACLs are as follows:
Just as a reference, the ACLs we use are:
access to attrs=userPassword by anonymous auth
access to dn.subtree="cn=container,ou=kerberos" by dn="cn=kdc,ou=service,ou=kerberos" write by dn="cn=kadmin,ou=service,ou=kerberos" write by * none break
access to dn.exact="ou=kerberos" attrs=entry,contextCSN,objectClass by dn="cn=slapd-checksync,ou=service,ou=kerberos" read by * none break
access to * by dn.exact="cn=slapd-syncrepl,ou=service,ou=kerberos" read by * none
We've never had an issue. The first stanza allows the various service accounts to authenticate, the second provides access to the kdc and kadmin services, the third to a replication check account, and the last to the syncrepl service. We run separate dedicated ldap servers for our kerberos backends on each kdc; we don't mix the kerberos ldap data into our normal ldap systems.
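To see why the catch-all rule wins, here is an added example (constructed for this thread, not code from either poster nor from OpenLDAP) that models slapd's first-match evaluation of the posted ACLs: the kadmin DN hits rule {2} and gets only read on the realm container, which is the "no write access to parent" in the capture, while a Kerberos-specific directive placed before the catch-all, in the spirit of the reference ACLs above, grants it write. The evaluation model and the FIXED ordering are assumptions; confirm any real change with slapacl against the running server.

```python
# Constructed model of slapd first-match access control (not OpenLDAP's own code).
# Directive = (what, attrs, by_clauses); what is "*", "base:<dn>" or "subtree:<dn>";
# by clause = (who, level, break): first matching <what>, then first matching <who>.
_n = lambda dn: dn.replace(", ", ",").lower()          # crude DN normalisation
def _what_ok(what, target):
    if what == "*":
        return True
    scope, _, base = what.partition(":")
    if scope == "base":
        return _n(base) == _n(target)
    return _n(target) == _n(base) or _n(target).endswith("," + _n(base))
def _who_ok(who, bind_dn, target):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""                              # anonymous bind: empty DN
    if who == "self":
        return bind_dn != "" and _n(bind_dn) == _n(target)
    return _n(who) == _n(bind_dn)
def evaluate(acl, bind_dn, target, attr="children"):
    """Access bind_dn gets to attr of target; an add needs write on parent's 'children'."""
    granted = "none"
    for what, attrs, by_clauses in acl:
        if (attrs and attr not in attrs) or not _what_ok(what, target):
            continue
        for who, level, brk in by_clauses:
            if _who_ok(who, bind_dn, target):
                granted = level
                if brk:
                    break                                 # 'break': go on to next directive
                return granted                            # default 'stop'
        else:
            return "none"                                 # no <by> matched: implicit 'by * none'
    return granted

ADMIN, KDC = "cn=admin,dc=jakobi,dc=fr", "cn=kdc,ou=People,dc=jakobi,dc=fr"
KADMIN = "cn=kadmin,ou=People,dc=jakobi,dc=fr"
REALM = "cn=JAKOBI.FR,cn=kerberos,dc=jakobi,dc=fr"       # parent of the new principal
# The ACLs as posted: catch-all {2} matches first, so kadmin only ever gets 'read'.
POSTED = [
    ("*", ["userPassword", "shadowLastChange"], [(ADMIN, "write", False),
     ("anonymous", "auth", False), ("self", "write", False), ("*", "none", False)]),
    ("base:", None, [("*", "read", False)]),
    ("*", None, [(ADMIN, "write", False), ("*", "read", False)]),
    ("subtree:" + REALM, None, [(KDC, "read", False)]),
    ("subtree:cn=kerberos,dc=jakobi,dc=fr", None, [(KADMIN, "write", False)])]
# Constructed fix: one Kerberos directive ahead of the catch-all, everyone else denied.
FIXED = POSTED[:2] + [("subtree:cn=kerberos,dc=jakobi,dc=fr", None,
    [(KDC, "read", False), (KADMIN, "write", False), ("*", "none", False)])] + POSTED[2:3]
```

Note that a `by * none break` clause, as used in the reference ACLs, only continues evaluation: with the posted catch-all after it, anonymous would still end up with read on the Kerberos subtree, so whatever follows a break must deny as well.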
openldap-technical@openldap.org