I used to build *smbkrb5pwd* module (https://github.com/opinsys/smbkrb5pwd) under OpenLDAP 2.4 and everything was working as expected. Starting from OpenLDAP 2.5, building the module still succeeds but an error 80 occurs when the module is loaded:
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: <olcModuleLoad> handler exited with 1
modifying entry "cn=module{0},cn=config"
2022-04-22T08:50:40.501922+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=0 BIND dn="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" mech=EXTERNAL bind_ssf=0 ssf=71
2022-04-22T08:50:40.501945+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=0 RESULT tag=97 err=0 qtime=0.000009 etime=0.000066 text=
2022-04-22T08:50:40.502151+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=1 MOD dn="cn=module{0},cn=config"
2022-04-22T08:50:40.502181+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=1 MOD attr=olcModuleLoad
2022-04-22T08:50:40.503892+00:00 arrakis slapd-2.5-aa[8947]: lt_dlopenext failed: (smbkrb5pwd_srv.la) file not found
2022-04-22T08:50:40.503923+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=1 RESULT tag=103 err=80 qtime=0.000006 etime=0.001772 text=<olcModuleLoad> handler exited with 1
2022-04-22T08:50:40.504117+00:00 arrakis slapd-2.5-aa[8947]: conn=1026 op=2 UNBIND
(the error message is misleading since file *smbkrb5pwd_srv.la* is really in the modules directory)
I'm wondering if someone has experienced the same issue and was able to overcome it?
Regards
--On Friday, April 22, 2022 12:47 PM +0200 Abdelkader Chelouah a.chelouah@gmail.com wrote:
> I used to build smbkrb5pwd module (https://github.com/opinsys/smbkrb5pwd) under OpenLDAP 2.4 and everything was working as expected. Starting from OpenLDAP 2.5, building the module still succeeds but an error 80 occurs when the module is loaded
> I'm wondering if someone has experienced the same issue and was able to overcome it?
You need to contact the code owner and ask them to update the module for OpenLDAP 2.5+ compatibility. This is not an OpenLDAP issue.
Regards, Quanah
On 22/04/2022 17:38, Quanah Gibson-Mount wrote:
> --On Friday, April 22, 2022 12:47 PM +0200 Abdelkader Chelouah a.chelouah@gmail.com wrote:
>> I used to build smbkrb5pwd module (https://github.com/opinsys/smbkrb5pwd) under OpenLDAP 2.4 and everything was working as expected. Starting from OpenLDAP 2.5, building the module still succeeds but an error 80 occurs when the module is loaded
>> I'm wondering if someone has experienced the same issue and was able to overcome it?
> You need to contact the code owner and ask them to update the module for OpenLDAP 2.5+ compatibility. This is not an OpenLDAP issue.
> Regards, Quanah
I know it is the right approach. However, the source code is no longer maintained (no commit for 6 years) and the code owner is not responding to any request.
Thanks for taking the time to respond.
Regards
--On Friday, April 22, 2022 9:56 PM +0200 Abdelkader Chelouah a.chelouah@gmail.com wrote:
> On 22/04/2022 17:38, Quanah Gibson-Mount wrote:
> I know it is the right approach. However, the source code is no longer maintained (no commit for 6 years) and the code owner is not responding to any request.
I would suggest forking it and then looking at the commit history in the contrib area for smbk5pwd for the changes that were made to make it compatible with OpenLDAP 2.5+ and similar changes and see if it works.
In particular, I'd examine these commits (although they may not all be related to 2.5+ compat):
d34d2c39457ac1d8b1896c17611e247f87abba55
c06ac436e23520bb765ad67bd702fe629df39ed9
f876eac3d27c5b8b96d07d68c682a27a93587e07
11e5ba23d5718808fc9a6dbc4150d27ff1cf1bb9
94fbd968263765f0ef0b17867216a2d3f33572a4
c62d48ed11288f49634d20ceb6bcc5fd4d8a6c5c
Regards, Quanah
On 22/04/2022 21:15, Quanah Gibson-Mount wrote:
> --On Friday, April 22, 2022 9:56 PM +0200 Abdelkader Chelouah a.chelouah@gmail.com wrote:
>> On 22/04/2022 17:38, Quanah Gibson-Mount wrote:
>> I know it is the right approach. However, the source code is no longer maintained (no commit for 6 years) and the code owner is not responding to any request.
> I would suggest forking it and then looking at the commit history in the contrib area for smbk5pwd for the changes that were made to make it compatible with OpenLDAP 2.5+ and similar changes and see if it works.
> In particular, I'd examine these commits (although they may not all be related to 2.5+ compat):
> d34d2c39457ac1d8b1896c17611e247f87abba55
> c06ac436e23520bb765ad67bd702fe629df39ed9
> f876eac3d27c5b8b96d07d68c682a27a93587e07
> 11e5ba23d5718808fc9a6dbc4150d27ff1cf1bb9
> 94fbd968263765f0ef0b17867216a2d3f33572a4
> c62d48ed11288f49634d20ceb6bcc5fd4d8a6c5c
> Regards, Quanah
I forked Opinsys smbkrb5pwd repo and made changes to make it compatible with OpenLDAP 2.5+. All my tests are successful now. Thanks for your support.
https://github.com/achelouah/smbkrb5pwd.git
Regards
On 4/22/22 20:56, Abdelkader Chelouah wrote:
> On 22/04/2022 17:38, Quanah Gibson-Mount wrote:
>> --On Friday, April 22, 2022 12:47 PM +0200 Abdelkader Chelouah a.chelouah@gmail.com wrote:
>>> I used to build smbkrb5pwd module (https://github.com/opinsys/smbkrb5pwd) under OpenLDAP 2.4 and everything was working as expected. Starting from OpenLDAP 2.5, building the module still succeeds but an error 80 occurs when the module is loaded
>>> I'm wondering if someone has experienced the same issue and was able to overcome it?
>> You need to contact the code owner and ask them to update the module for OpenLDAP 2.5+ compatibility. This is not an OpenLDAP issue.
> I know it is the right approach. However, the source code is no longer maintained (no commit for 6 years) and the code owner is not responding to any request.
But how could others help here except taking over maintenance of the module?
You could take another approach and use back-sock as overlay, configure it to send extended operations (e.g. Password Modify ext. op.) to an external process via Unix domain socket, and let this external process sync the password via kadmind.
https://www.openldap.org/software/man.cgi?query=slapd-sock
I did something like this to sync password changes to MS AD via LDAPS. The code for the external listener implemented in Python is buried into a module package:
https://code.stroeder.com/AE-DIR/ae-dir-pproc/src/branch/main/aedir_pproc/pw...
Did not use the code for a while though. But it can serve as an example how to do it.
Ciao, Michael.
P.S.: No, I won't implement such kadmind support myself. I have no interest in Kerberos in my FLOSS projects.
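A sketch of the receiving side of the back-sock approach described above, as an added example (not code from ae-dir-pproc, OpenLDAP or any poster in this thread). It assumes the EXTENDED request layout documented in slapd-sock(5) (operation name, `msgid:`, `oid:`, base64 `value:`), which should be checked against the installed version; the function names are hypothetical. It decodes the RFC 3062 Password Modify request value that such a listener would have to extract before syncing.

```python
import base64

PASSMOD_OID = "1.3.6.1.4.1.4203.1.11.1"  # RFC 3062 Password Modify
FIELDS = {0x80: "user", 0x81: "old", 0x82: "new"}  # context tags [0]..[2]

def _tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported BER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def parse_passmod_value(der):
    """Decode PasswdModifyRequestValue (RFC 3062) into {field: bytes}."""
    tag, body, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        if tag not in FIELDS:
            raise ValueError("unexpected tag 0x%02x" % tag)
        out[FIELDS[tag]] = val
    return out

def parse_sock_request(text):
    """Return (headers, fields); fields is None unless Password Modify."""
    lines = text.strip().splitlines() or [""]
    headers = {"op": lines[0].strip()}
    for line in lines[1:]:
        key, sep, val = line.partition(":")
        if sep:
            headers[key.strip()] = val.strip()
    if headers["op"] != "EXTENDED" or headers.get("oid") != PASSMOD_OID:
        return headers, None
    raw = base64.b64decode(headers.get("value", ""), validate=True)
    return headers, parse_passmod_value(raw) if raw else {}

def sample_request():  # constructed sample, not captured from a server
    user, new = b"uid=test,dc=example,dc=com", b"constructed-pw"
    body = bytes([0x80, len(user)]) + user + bytes([0x82, len(new)]) + new
    value = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    return "EXTENDED\nmsgid: 2\noid: %s\nvalue: %s\n\n" % (PASSMOD_OID, value)
```

The decoded `new` field is a cleartext password: a listener built on this should hand it to the kadmind sync step and keep it out of logs and exception messages.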