Andrew Bartlett | 1 Mar 2005 02:46

Re: LDAP -> Heimdal -> LDAP

On Sun, 2005-02-27 at 16:18 -0800, Howard Chu wrote:

> The smbk5pwd plugin in OpenLDAP CVS (also in release 2.3) will help keep
> Kerberos, Samba, and LDAP simple binds synchronized, you should look
> into using it. Oddly enough, I wrote this module at Andrew Bartlett's
> request but it appears that he's not using it.

And for that I do wish to apologise - it's been a bit of a mess, and I
never did follow up on my side of the bargain (to test and assist with
the module).

On a positive note, for my Samba4 work, I need to allow a 'password set'
operation into hdb, and I hope to use the same infrastructure to call
the OpenLDAP password set, for the benefit of this module.  

At Hawker, I just use the NT and LM passwords for now.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
Priit Randla | 1 Mar 2005 12:31

Re: Unable to change expired Kerberos passwords on Windows XP

Dave Love wrote:

> Priit Randla <priit.randla <at> eyp.ee> writes:
>
>> Password change for those users works also on Windows, if the password
>> isn't expired.
>
> What setup are you using to make this work?  Password change from the
> normal Windows panel that you get with ctrl-alt-del doesn't work at
> all for me with pass-through logon to Heimdal 0.6.3, and Love told me
> it needed fixing.
Well, quite a usual cross-realm-with-AD setup. Usual SuSE SLES with
heimdal 0.6.1rc3.
Just tried again and indeed, when user 'Aix' has his password expired,
he can't change it on login.
When the password is expired, the username has to be written as user@REALM.
If the user is already logged in and simply presses c-a-d -> 'change
password', the username has to be left as is -> simply 'username'.
Works for me.

Regards,
Priit


Alejandro Mery | 1 Mar 2005 16:34

newbie problem initializing realm with ldap backend

Hi, I'm following http://www.openinput.com/auth-howto/index.html,
skipping POSIX Accounts and Groups creation (for now).

But:
kadmin> init CONOSURSEGUROS.CL
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: kadm5_create_principal: ldap_add_s: default@conosurseguros.cl
(dn=cn=default@conosurseguros.cl,ou=kerberos,dc=conosurseguros,dc=cl)
Invalid syntax

After hours of reading and re-doing everything from zero I keep getting
this syntax error.... How can I find out where it is? _please_

i created that ou= using:
# Kerberos only principals (admin accounts, hosts,...)
dn: ou=kerberos,dc=conosurseguros,dc=cl
objectClass: organizationalUnit
objectClass: top
ou: kerberos
description: Kerberos only principals

krb5-kdc.schema from:
http://www.stanford.edu/services/directory/openldap/configuration/krb5-kdc.schema

and my krb5.conf is:
[libdefaults]
         ticket_lifetime = 600
         default_realm = CONOSURSEGUROS.CL
         default_etypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5

Dave Love | 4 Mar 2005 00:16

changepw attributes (for use with Windows)

I've realized that the reason that the Windows password-changing
protocol didn't work for me with pass-through login is just that the
kadmin/changepw principal has disallow-forwardable in the attributes
set up by kadmin init -- the request from Windows XP is for a
forwardable one.  I'm surprised others don't have the same problem.

Removing the attribute solves the problem.  Is removing it a bad thing
to do generally?


Openldap simple bind

Hello

I've been working on a Central Authentication Server
with SASL/GSSAPI and OpenLDAP simple bind authentication using
a Kerberos key server.
The SASL/GSSAPI authentication is working. However, I've defined
userPassword as {SASL}principal@REALM (and {KERBEROS}principal@REALM)
for simple bind and the test doesn't work.
By saslauthd debug, OpenLDAP doesn't call the
saslauthd/kerberos... :-/

I had changed userPassword to "teste123" and it worked perfectly.

I'm using FreeBSD 5.3 with OpenLDAP 2.2.23, Heimdal
0.6.3 (with openldap backend) and cyrus-sasl-saslauthd 2.1.20.

I've been working through the docs at
http://www.opentechnet.com/auth-howto/
http://www.bayour.com/LDAPv3-HOWTO.html
and
http://www.openldap.org/lists/openldap-software/200308/msg00158.html
http://www.openldap.org/lists/openldap-software/200502/msg00470.html

Do you have any clues?

Thanks in advance for any help!

Aguinaldo


Jonathan Higgins | 9 Mar 2005 17:36

Re: Openldap simple bind

couple of things..
 
the --with-kerberos and --enable-kpasswd are not necessary..

the {KERBEROS}principal is not needed..
 
for sasl you need to run the saslauthd daemon and saslauthd needs to know about slapd.. in /usr/local/lib/sasl2 you need a slapd.conf file that contains:
pwcheck_method: saslauthd
saslauthd_path: /usr/local/sbin/mux
 
there are some other pieces out there that can help you with heimdal+openldap.  check the contrib section under sources on the openldap.org site.
 
good luck.
 
Jonathan Higgins
IT R&D Project Manager
Kennesaw State University
jhiggins <at> kennesaw.edu

>>> Marcos Aguinaldo Forquesato <guina <at> ccuec.unicamp.br> 3/9/2005 9:04:09 AM >>>
Hello

I've been working on a Central Authentication Server
with SASL/GSSAPI and OpenLDAP simple bind authentication using
a Kerberos key server.
The SASL/GSSAPI authentication is working. However, I've defined
userPassword as {SASL}principal@REALM (and {KERBEROS}principal@REALM)
for simple bind and the test doesn't work.
By saslauthd debug, OpenLDAP doesn't call the
saslauthd/kerberos... :-/

I had changed userPassword to "teste123" and it worked perfectly.

I'm using FreeBSD 5.3 with OpenLDAP 2.2.23, Heimdal
0.6.3 (with openldap backend) and cyrus-sasl-saslauthd 2.1.20.

I've been working through the docs at
http://www.opentechnet.com/auth-howto/
http://www.bayour.com/LDAPv3-HOWTO.html
and
http://www.openldap.org/lists/openldap-software/200308/msg00158.html
http://www.openldap.org/lists/openldap-software/200502/msg00470.html

Do you have any clues?

Thanks in advance for any help!

Aguinaldo


---------------

# ldapwhoami -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn:cn=ldapadmin@unicamp.br,ou=kerberos,dc=unicamp,dc=br

% ldapwhoami
SASL/GSSAPI authentication started
SASL username: chico@UNICAMP.BR
SASL SSF: 56
SASL installing layers
dn:cn=chico silva,ou=kerberos,dc=unicamp,dc=br

% ldapsearch -ZZ -H ldap:// -b "" -s base -LLL supportedSASLMechanisms
SASL/GSSAPI authentication started
SASL username: chico@UNICAMP.BR
SASL SSF: 56
SASL installing layers
dn:
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5

% /usr/local/sbin/testsaslauthd -u chico -p teste123 -r UNICAMP.BR -s ldap -f /var/state/saslauthd/mux
0: OK "Success."

OpenLDAP - config:
/usr/ports/net/openldap23-sasl-server/work/openldap-2.2.23
# ./configure  --with-threads=posix --with-tls=openssl --with-kerberos
# --enable-kpasswd --enable-dynamic --with-cyrus-sasl
# --localstatedir=/var/db --enable-ldbm=yes --enable-crypt
# --enable-lmpasswd --enable-ldap=yes --enable-meta=yes --enable-rewrite
# --enable-null=yes --enable-monitor=yes --enable-bdb=yes
# --enable-hdb=yes --with-ldbm-api=berkeley --enable-spasswd
# --enable-wrappers --prefix=/usr/local --build=i386-portbld-freebsd5.3

--
Marcos Aguinaldo Forquesato             email:guina at ccuec.unicamp.br
Centro de Computação                    HP:http://www.ccuec.unicamp.br/
Universidade Estadual de Campinas (UNICAMP)


Re: Openldap simple bind

	Hello

On Wed, Mar 09, 2005 at 11:36:02AM -0500, Jonathan Higgins wrote:
> couple of things.. 
>  
> the --with-kerberos and --enable-kpasswd are not necessary..
> 
> the {KERBEROS}principal is not needed..

        ok, I'll remove these flags
>
> for sasl you need to run the saslauthd daemon and saslauthd needs to know about slapd.. in
> /usr/local/lib/sasl2 you need a slapd.conf file that contains:
> pwcheck_method: saslauthd
> saslauthd_path: /usr/local/sbin/mux

        I've configured /usr/local/lib/sasl2/slapd.conf as you told me,
but it still doesn't work.

/usr/local/lib/sasl2/slapd.conf:
pwcheck_method:saslauthd
saslauthd_path:/var/state/saslauthd
# saslauthd_path:/var/state/saslauthd/mux
keytab:/etc/ldap.keytab

>  
> there are some other pieces out there that can help you with heimdal+openldap.  check the contrib section
> under sources on the openldap.org site.

	I'll try the pw-kerberos too.

	Thanks for your help and tips.

	Aguinaldo

[...]
Gessy Caetano | 9 Mar 2005 21:36

krb5key heimdal+ldap

Hi,
I'm using OpenLDAP and Kerberos Heimdal on my system.
But in my network the users only change their
passwords through some internal website. I don't know
how to create krb5key entries that contain the
kerberos passwords; the krb5key entries are defined in
the krb5kdc schema.

I need a tool that will receive the password (in
clear text maybe, or another format) and return the
password in the Kerberos (Heimdal) format (des-cbc-sha1,
des-cbc-md5, ...).

Thanks 

Gessy Jr.


Howard Chu | 9 Mar 2005 22:34

Re: krb5key heimdal+ldap

Gessy Caetano wrote:
> Hi,
> I'm using OpenLDAP and Kerberos Heimdal on my system.
> But in my network the users only change their
> passwords through some internal website. I don't know
> how to create krb5key entries that contain the
> kerberos passwords; the krb5key entries are defined in
> the krb5kdc schema.
>
> I need a tool that will receive the password (in
> clear text maybe, or another format) and return the
> password in the Kerberos (Heimdal) format (des-cbc-sha1,
> des-cbc-md5, ...).
>
No, you need the smbk5pwd module that is part of the OpenLDAP contrib 
directory, which extends LDAP PasswordModify operations to update the 
krb5Key attribute at the same time as the userPassword attribute. And 
you need your website to use the LDAP PasswordModify operation when 
changing a user's password.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.       Director, Highland Sun
   http://www.symas.com               http://highlandsun.com/hyc
   Symas: Premier OpenSource Development and Support

Adam Tauno Williams | 9 Mar 2005 22:26

Re: krb5key heimdal+ldap

> I'm using OpenLDAP and Kerberos Heimdal on my system.
> But in my network the users only change their
> passwords through some internal website. I don't know
> how to create krb5key entries that contain the
> kerberos passwords; the krb5key entries are defined in
> the krb5kdc schema.
>
> I need a tool that will receive the password (in
> clear text maybe, or another format) and return the
> password in the Kerberos (Heimdal) format (des-cbc-sha1,
> des-cbc-md5, ...).

Simply change the password via the change-password extended operation.  The DSA
will do all the work for you if you have loaded/configured the correct
overlays.

