# Heimdal / OpenLDAP and FreeBSD 8.2



## streetfighter12 (Oct 24, 2011)

Hi,

I have a small problem with Heimdal. I'm setting up a server with openldap/kerberos. At first I have installed the Heimdal port with OpenLDAP backend. Then I have created the krb5.conf.


```
[libdefaults]
	default_realm = EXAMPLE.DE

[kdc]
	database = 	{
			dbname = ldap:ou=people,dc=example,dc=de
			hdb-ldap-structural-object = inetOrgPerson
			mkey_file = /var/heimdal/mkey
			acl_file = /var/heimdal/kadmind.acl
			}
```

The problem is, if I am starting the kerberos service I get the following error:


```
kadmin: error trying to load dynamic module /usr/lib/hdb_ldap.so: Cannot open "/usr/lib/hdb_ldap.so"

kadmin: No database support for ldap:ou=people,dc=example,dc=de
```

I don't understand this, because I have build it with the openldap backend. And I can't find this lib on the system. Does anyone have any idea how I can solve this problem.

streetfighter12


----------



## streetfighter12 (Oct 25, 2011)

Okay, I resolved the problem own my own. I always was starting the Heimdal which was shipped with the base system.

If I am starting heimdal out of /usr/local/libexec/kdc I don't get the error: 
	
	



```
Trying to load dynamic module
```
 anymore.


----------



## streetfighter12 (Oct 25, 2011)

But now I have another problem. If I am running the *ldapwhoami* command Heimdal say: 
	
	



```
Request with wrong krbtgt.
```

You can find below my log and config files.

Logs:

*ldapwhoami*

```
ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text)
 (unknown mech-code 2529638947 for mech unknown)
```

/var/heimdal/kdc.log

```
2011-10-25T10:03:20 label: default
2011-10-25T10:03:20 	dbname: ldap:ou=people,dc=example,dc=de
2011-10-25T10:03:20 	mkey_file: /var/heimdal/m-key
2011-10-25T10:03:20 	acl_file: /var/heimdal/kadmind.acl
2011-10-25T10:03:20 KDC started
2011-10-25T10:03:30 TGS-REQ user1@EXAMPLE.DE from IPv4:10.0.1.2 for ldap/kerberos.example.de.@example.de
2011-10-25T10:03:30 Request with wrong krbtgt: krbtgt/EXAMPLE.DE@EXAMPLE.DE
2011-10-25T10:03:30 Failed building TGS-REP to IPv4:10.0.1.2
```

Config:

slapd.conf

```
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include		/usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/openldap.schema
include         /usr/local/etc/openldap/schema/kerberos.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/openldap/slapd.pid
argsfile	/var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath	/usr/local/libexec/openldap
moduleload	back_bdb
# moduleload	back_hdb
# moduleload	back_ldap

# Sample security restrictions
#	Require integrity protection (prevent hijacking)
#	Require 112-bit (3DES or better) encryption for updates
#	Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

#TLSCertificateFile      /usr/local/etc/openldap/keys/cert.crt
#TLSCertificateKeyFile   /usr/local/etc/openldap/keys/cert.key
#TLSCACertificateFile    /usr/local/etc/openldap/keys/cacert.crt

sasl-secprops minssf=0

sasl-host kerberos.example.de 
sasl-realm EXAMPLE.DE

access to dn.subtree="ou=people,dc=example,dc=de"
	by users write
	by * read

access to *
	by * read

# Sample access control policy:
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#	by self write
#	by users read
#	by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database	bdb
suffix		"dc=example,dc=de
rootdn "cn=admin,dc=example,dc=de
rootpw secret
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory	/var/db/openldap-data
# Indices to maintain
index	objectClass	eq
index	cn			eq,sub,pres
index	uid			eq,sub,pres
index	displayName		eq,sub,pres
index	krb5PrincipalName	eq
```

krb5.conf

```
[libdefaults]
	default_realm = EXAMPLE.DE

[kdc]
	database = 	{
			dbname = ldap:ou=people,dc=example,dc=de
			hdb-ldap-structural-object = inetOrgPerson
			mkey_file = /var/heimdal/m-key
			acl_file = /var/heimdal/kadmind.acl
			}
```

Do you see there anything what is wrong or does anyone know how to resolve my problem? If I find a solution for this I will post this immediately.

streetfighter12


----------



## streetfighter12 (Oct 30, 2011)

It give some news. If I am using the heimdal version from the base system, the authentication is working (without OpenLDAP as Database backend).

See *ldapwhoami*:

```
SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.DE
SASL SSF: 56
SASL data security layer installed.
dn:uid=user,cn=example.de,cn=gssapi,cn=auth
```

kdc.log:

```
2011-10-30T09:42:44 AS-REQ user@EXAMPLE.DE from IPv4:10.0.1.2 for krbtgt/EXAMPLE.DE@EXAMPLE.DE
2011-10-30T09:42:44 Client sent patypes: encrypted-timestamp
2011-10-30T09:42:44 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5,
 arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc
2011-10-30T09:43:16 TGS-REQ user@EXAMPLE.DE from IPv4:10.0.1.2 for krbtgt/example.de@EXAMPLE.DE
2011-10-30T09:43:16 TGS-REQ user@EXAMPLE.DE from IPv4:10.0.1.2 for ldap/server1.example.de
2011-10-30T09:43:16 cross-realm EXAMPLE.DE -> example.de
```

But that is not what I am won't. I don't understand the problem. What mean's _"Request with wrong krbtgt: krbtgt/EXAMPLE.DE@EXAMPLE.DE"_?

Has anyone a working setup with heimdal and openldap as backend? Which version do you use? Can you share your config files with me?

Streetfighter12


----------



## streetfighter12 (Oct 31, 2011)

It's so funny... I have download the actual version of heimdal(1.5) and complimed it at my own. Configured it by the ./configure --with-openldap=/usr/local command.

And what could I am say it worked(working configs see my third post)!

Thanks

streetfighter12


----------

