
I've installed and configured LDAP, then installed and configured Kerberos to use LDAP as its backend, as follows:

# krb5.conf excerpt from the question: only [dbdefaults] and [dbmodules]
# are shown. The [realms] entry that has to point at this module via
# database_module is not part of the excerpt.
[dbdefaults]
    # Base DN under which the Kerberos realm container lives in the directory
    ldap_kerberos_container_dn = dc=voltage,dc=com

[dbmodules]
    openldap_ldapconf = {
            db_library = kldap

            # this object needs to have read rights on
            # the realm container, principal container and realm sub-trees
            # NOTE(review): the same directory admin DN is used for the KDC
            # and for kadmind below; since the KDC only needs read access, a
            # dedicated read-only bind DN would be the least-privilege choice
            ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"

            # this object needs to have read and write rights on
            # the realm container, principal container and realm sub-trees
            ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"

            # Stash of the bind passwords for the two DNs above (filled by
            # "kdb5_ldap_util stashsrvpw"); it must be readable only by the
            # user the KDC and kadmind run as
            ldap_service_password_file = /etc/krb5kdc/service.keyfile
            # NOTE(review): a plain ldap:// URL sends the simple-bind password
            # in clear unless the server forces StartTLS; ldaps:// (as in the
            # answers below) or a local ldapi:// socket avoids that exposure
            ldap_servers = ldap://ldap.voltage.com
            ldap_conns_per_server = 5
    }

However when I go into kadmin.local and try:

addprinc -x dn="uid=sam,ou=ssn,dc=voltage,dc=com" sam

I get

add_principal: Unsupported argument "dn=uid=sam,ou=ssn,dc=voltage,dc=com" for db2 while creating "sam@VOLTAGE.COM".

which means kadmin is trying to add the principal to db2 and not the LDAP backend, right?

I've also done:

# Create the realm container and subtree in the directory, binding as the
# directory admin DN (-D); -r names the realm, -subtrees the DNs holding
# principals, -H the LDAP server, -s writes the realm master-key stash file.
# kdb5_ldap_util prompts for the bind password; keep it off the command line.
sudo kdb5_ldap_util -D  cn=admin,dc=example,dc=com create -subtrees \
dc=example,dc=com -r EXAMPLE.COM -s -H ldap://ldap01.example.com

# Store the bind password of the given DN in the service password file that
# ldap_service_password_file in [dbmodules] points to; the file is a secret
# and should be readable only by the KDC/kadmind user.
sudo kdb5_ldap_util -D  cn=admin,dc=example,dc=com stashsrvpw -f \
/etc/krb5kdc/service.keyfile cn=admin,dc=example,dc=com

after replacing example with voltage, of course. Both commands ran successfully and reported that the new realm was created.

Any help is appreciated

Sam Hammamy

2 Answers


I was getting the same error until I updated both /etc/krb5.conf and /var/kerberos/krb5kdc/kdc.conf: I added database_module to the realm entry under [realms] and added the [dbdefaults] and [dbmodules] sections. I'm using RHEL 6. Below are examples based on my krb5.conf and kdc.conf.

/etc/krb5.conf

 # /etc/krb5.conf — read by the krb5 libraries, kadmin and the KDC.
 # Comments in this format are full-line only ("#" or ";" at the start).
 [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   default_realm = VOLTAGE.COM
   # DNS-based realm/KDC discovery is off, so the explicit [realms] and
   # [domain_realm] entries below are the only source of that mapping
   dns_lookup_realm = false
   dns_lookup_kdc = false
   ticket_lifetime = 24h
   renew_lifetime = 7d
   forwardable = true

  [realms]
   VOLTAGE.COM = {
    kdc = server1.voltage.com
    admin_server = server1.voltage.com
    default_domain = voltage.com
    # Ties this realm to the [dbmodules] entry of the same name below.
    # Without it kadmin/KDC use the default db2 backend, which is the
    # "Unsupported argument ... for db2" error from the question.
    database_module = openldap_ldapconf
   }

  [domain_realm]
   .voltage.com = VOLTAGE.COM
   voltage.com = VOLTAGE.COM

  [appdefaults]
   pam = {
     debug = false
     # presumably seconds for pam_krb5, unlike the suffixed durations in
     # [libdefaults] — confirm against the pam module's documentation
     ticket_lifetime = 36000
     renew_lifetime = 36000
     forwardable = true
     krb4_convert = false
   }

  [dbdefaults]
   # Base DN under which the realm container was created by kdb5_ldap_util
   ldap_kerberos_container_dn = dc=voltage,dc=com

  [dbmodules]
   openldap_ldapconf = {
       db_library = kldap
       # NOTE(review): both the KDC and kadmind bind as the directory admin;
       # the KDC only needs read access to the realm/principal subtrees, so a
       # dedicated read-only DN for ldap_kdc_dn would limit the blast radius
       ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
       ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
       # Bind-password stash written by "kdb5_ldap_util stashsrvpw";
       # restrict it to the KDC/kadmind user
       ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
       # ldaps:// keeps the bind credentials off the wire; the KDC host must
       # trust the LDAP server's CA or the TLS bind fails. The trailing space
       # after the URL is presumably stripped by the parser but is best removed.
       ldap_servers = ldaps://ldap.voltage.com 
       ldap_conns_per_server = 5
  }

/var/kerberos/krb5kdc/kdc.conf

  # /var/kerberos/krb5kdc/kdc.conf — read by the KDC and kadmind only.
  [kdcdefaults]
   kdc_ports = 88
   kdc_tcp_ports = 88

  [realms]
   VOLTAGE.COM = {
    # Must match the [dbmodules] entry below (and the one in krb5.conf)
    database_module = openldap_ldapconf
    master_key_type = aes256-cts
    # Realm master key stash so the KDC can start unattended; together with
    # service.keyfile this is the most sensitive file on the host —
    # keep it owned by and readable only by the KDC user
    key_stash_file = /var/kerberos/krb5kdc/.k5.VOLTAGE.COM
    acl_file = /var/kerberos/krb5kdc/kadm5.acl
    # Password dictionary used to reject weak principal passwords
    dict_file = /usr/share/dict/words
    admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
    # NOTE(review): des-*, des3-hmac-sha1 and arcfour-hmac are weak or
    # deprecated; listing them here means new principals get keys of those
    # types, so drop them unless a legacy client still requires them — confirm
    supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
   }

  [dbdefaults]
   ldap_kerberos_container_dn = dc=voltage,dc=com

  [dbmodules]
   # Same module definition as in /etc/krb5.conf; keep the two copies in sync
   openldap_ldapconf = {
       db_library = kldap
       # NOTE(review): see krb5.conf — a read-only DN for the KDC would be
       # the least-privilege choice; cn=admin is used for both here
       ldap_kdc_dn = "cn=admin,dc=voltage,dc=com"
       ldap_kadmind_dn = "cn=admin,dc=voltage,dc=com"
       # Bind-password stash (kdb5_ldap_util stashsrvpw); KDC-user-only access
       ldap_service_password_file = /var/kerberos/krb5kdc/service.keyfile
       # ldaps:// keeps the bind credentials off the wire
       ldap_servers = ldaps://ldap.voltage.com
       ldap_conns_per_server = 5
}

Then restart the Kerberos server processes and add your user principals.

Hope that helps!

Mark

Maybe you are missing "database_module = openldap_ldapconf" in your realm definition under [realms]:

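# krb5.conf [realms] entry. krb5.conf comments are full-line only, so the
# "MISSING" remark is kept on its own line: written after the value it would
# become part of the module name and database_module would not resolve.
[realms]
    BEISPIEL.DE = {
            # Several kdc / admin_server lines are accepted for one realm
            kdc = kdc01.beispiel.de
            kdc = kdc02.beispiel.de
            admin_server = kdc01.beispiel.de
            admin_server = kdc02.beispiel.de
            default_domain = beispiel.de
            # MISSING!?!?!?! — this is the line the question's realm entry
            # lacks; without it kadmin falls back to the default db2 backend,
            # which is the "for db2" error shown in the question
            database_module = openldap_ldapconf
    }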
Malte