New Contributor
Posts: 1
Registered: ‎06-27-2017

LDAP vs LDAPS kerberos with AD


I've tried enabling Kerberos authentication using this: https://www.cloudera.com/documentation/enterprise/5-6-x/topics/cm_sg_intro_kerb.html

My Centrify environment does not support LDAPS. So, I've edited my script to connect to LDAP://:389. But it fails with a protocol error:

ldap_add: Server is unwilling to perform (53)
	additional info: 0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0

So the question is - can I use ldap protocol instead of ldaps to configure kerberos with Active Directory?
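Reading that error from the defender's side, as an added example that is not from this post or from the Cloudera documentation: the Python script below decodes Active Directory's "additional info" diagnostic string into its fields (Win32 error code, DSID, problem number and name, data) and pre-checks a password-carrying LDIF entry before it is sent. It assumes, which the post does not state, that the failing ldap_add is the account-creation step that writes a unicodePwd attribute; Active Directory only accepts writes to that attribute over an encrypted connection (SSL/TLS, i.e. LDAPS or StartTLS; a SASL security layer with confidentiality is also accepted in practice), and the value must be the double-quoted password in UTF-16-LE, base64-encoded in LDIF. The functions `preflight`, `transport_is_confidential` and `encode_unicode_pwd`, the verdict strings, and the sample entry for CN=cloudera-scm under DC=example,DC=com are this example's own inventions.

```python
"""Added example: decode an Active Directory 'additional info' string and
pre-check a password-carrying LDIF entry before sending it over LDAP."""
import base64
import re
from urllib.parse import urlparse

# AD's diagnostic format, e.g. (string taken from the post):
# "0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0"
AD_DIAG = re.compile(
    r"(?P<win32>[0-9A-Fa-f]{8}):\s*(?P<kind>[A-Za-z]+):\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*problem\s+(?P<problem>\d+)\s+\((?P<name>[A-Z_]+)\),\s*data\s+(?P<data>-?\d+)"
)


def parse_ad_additional_info(text):
    """Return the fields of an AD diagnostic string, or None if it does not match."""
    m = AD_DIAG.search(text)
    if not m:
        return None
    return {
        "win32_code": int(m["win32"], 16),  # 0x1F == 31 == ERROR_GEN_FAILURE
        "kind": m["kind"],                   # SvcErr, UpdErr, NameErr, AtrErr, SecErr
        "dsid": m["dsid"].upper(),           # internal source-location tag used in Microsoft docs
        "problem": int(m["problem"]),
        "problem_name": m["name"],
        "data": int(m["data"]),
    }


def ldif_attribute_names(ldif_text):
    """Lower-cased attribute names present in an LDIF entry (continuation lines skipped)."""
    names = set()
    for line in ldif_text.splitlines():
        if not line or line.startswith("#") or line.startswith(" "):
            continue
        attr, sep, _ = line.partition(":")
        if sep:
            names.add(attr.split(";")[0].strip().lower())
    return names


# unicodePwd is AD's password attribute; userPassword is the generic LDAP one
PASSWORD_ATTRIBUTES = {"unicodepwd", "userpassword"}


def entry_needs_confidential_transport(ldif_text):
    return bool(ldif_attribute_names(ldif_text) & PASSWORD_ATTRIBUTES)


def transport_is_confidential(url, starttls=False, sasl_confidentiality=False):
    """ldaps:// is encrypted; plain ldap:// only if StartTLS or a SASL privacy layer is used."""
    scheme = urlparse(url).scheme.lower()
    if scheme == "ldaps":
        return True
    if scheme == "ldap":
        return starttls or sasl_confidentiality
    return False


def preflight(ldif_text, url, starttls=False, sasl_confidentiality=False):
    """Hypothetical helper: 'ok', or the reason the add/modify should not be sent."""
    if entry_needs_confidential_transport(ldif_text) and not transport_is_confidential(
        url, starttls, sasl_confidentiality
    ):
        return ("refuse: entry sets a password attribute but %s offers no encryption; "
                "use ldaps://, StartTLS or a SASL layer with confidentiality" % url)
    return "ok"


def encode_unicode_pwd(password):
    """AD wants unicodePwd as the double-quoted password in UTF-16-LE; LDIF carries it base64 (unicodePwd::)."""
    return base64.b64encode(('"%s"' % password).encode("utf-16-le")).decode("ascii")


SAMPLE_ERROR = "0000001F: SvcErr: DSID-031A12D2, problem 5003 (WILL_NOT_PERFORM), data 0"

# Constructed sample entry; the DN and the password value are placeholders
SAMPLE_LDIF = """dn: CN=cloudera-scm,OU=ServiceAccounts,DC=example,DC=com
objectClass: user
sAMAccountName: cloudera-scm
unicodePwd:: %s
userAccountControl: 66048
""" % encode_unicode_pwd("placeholder-password")

if __name__ == "__main__":
    print(parse_ad_additional_info(SAMPLE_ERROR))
    print(preflight(SAMPLE_LDIF, "ldap://dc1.example.com:389"))
    print(preflight(SAMPLE_LDIF, "ldaps://dc1.example.com:636"))
```

The check deliberately keys on the attribute being written rather than on the server's error text: refusing to send a password attribute over an unencrypted session avoids both the WILL_NOT_PERFORM round trip and, for servers that would accept it, the cleartext credential on the wire.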

Explorer
Posts: 17
Registered: ‎08-04-2017

Re: LDAP vs LDAPS kerberos with AD

Hi,

I received the same exact error yesterday when we tried to configure LDAPS Kerberos with AD.

If Active Directory has a password restriction requiring at least one special character, then we need to ensure they are within the approved special characters of Cloudera Manager.

Allowed special characters are:     ?.!$%^*()-_+=~

Just make sure ldapsearch is returning good.


New Contributor
Posts: 1
Registered: ‎06-14-2018

Re: LDAP vs LDAPS kerberos with AD


Hello,

I had the same problem.

I'm getting an error when I try to install LDAP and Kerberos for a service authentication system, on Debian 9.4 stretch.
-----
I installed the following packages on the same machine (Debian 9.4 stretch):

1)- apt-get install ldap-utils slapd
2)- apt-get install krb5-admin-server krb5-kdc krb5-kdc-ldap
-----------------
When the servers launch, I had this status:

1)- /etc/init.d/slapd status ---> OK
2)- /etc/init.d/krb5-admin-server status ---> OK
3)- /etc/init.d/krb5-kdc status ---> failed!
--------------------

## I use this command, kdb5_ldap_util, to create the realm:

kdb5_ldap_util -w "123" \
-D "cn=admin,dc=exemple,dc=com" \
create \
-subtrees "dc=exemple,dc=com" \
-r "EXEMPLE.COM" \
-s \
-H ldapi:///


## And I use this command to create a stash of the password used to bind to the LDAP server. This password is used by the ldap_kdc_dn and ldap_kadmin_dn.

kdb5_ldap_util -w "123" \
-D "cn=admin,dc=exemple,dc=com" \
stashsrvpw \
-f /etc/krb5kdc/service.keyfile \
"cn=krb-admin,dc=exemple,dc=com"


---------------------------------------------------

Here is the error message:
----------------------------------------

juin 13 17:27:17 debian slapd[23124]: conn=1014 fd=17 ACCEPT comom PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
juin 13 17:27:17 debian systemd[1]: krb5-kdc.service: Unit entered failed state.
juin 13 17:27:17 debian slapd[23124]: conn=1014 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" method=128
juin 13 17:27:17 debian systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.
juin 13 17:27:17 debian slapd[23124]: conn=1014 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" mech=SIMPLE ssf=0
juin 13 17:27:17 debian slapd[23124]: conn=1014 op=0 RESULT tag=97 err=0 text=
juin 13 17:27:17 debian slapd[23124]: conn=1015 fd=18 ACCEPT comom PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" method=128
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" mech=SIMPLE ssf=0
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=0 RESULT tag=97 err=0 text=
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SRCH base="cn=EXEMPLE.COM,cn=krb-admin,dc=exemple,dc=com" scope=0 deref=0 filter="(?objectClass=krb
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SRCH attr=krbSearchScope krbSubTrees krbPrincContainerRef krbMaxTicketLife krbMaxRenewableAge k
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
juin 13 17:27:17 debian slapd[23124]: conn=1015 op=2 UNBIND
juin 13 17:27:17 debian slapd[23124]: conn=1015 fd=18 closed
juin 13 17:27:17 debian slapd[23124]: conn=1014 op=1 UNBIND
juin 13 17:27:17 debian slapd[23124]: conn=1014 fd=17 closed
juin 13 17:27:17 debian slapd[23124]: conn=1013 op=1 UNBIND
juin 13 17:27:17 debian slapd[23124]: conn=1013 fd=16 closed
juin 13 17:27:17 debian slapd[23124]: conn=1012 op=1 UNBIND
juin 13 17:27:17 debian slapd[23124]: conn=1012 fd=15 closed
juin 13 17:27:17 debian slapd[23124]: conn=1011 op=1 UNBIND
juin 13 17:27:17 debian slapd[23124]: conn=1011 fd=12 closed
---------------------------------------------------------------------------------------------


And here are my configuration files:


## *******************************== etc/krb5.conf ==*************************************
[libdefaults]
default_realm = EXEMPLE.COM
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
ticket_lifetime = 525600

[realms]
EXEMPLE.COM = {
kdc = debian.exemple.com
admin_server = debian.exemple.com
default_domain = exemple.com
database_module = openldap_ldapconf
}

[domain_realm]
.exemple.com = EXEMPLE.COM
exemple.com = EXEMPLE.COM


[login]
krb4_convert = true
krb4_get_tickets = false

[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON

 

[kdc]
profile = /etc/krb5kdc/kdc.conf


[dbdefaults]

ldap_kerberos_container_dn = cn=krb-admin,dc=exemple,dc=com

[dbmodules]
openldap_ldapconf = {
db_library = kldap
ldap_kdc_dn = "cn=krb-admin,dc=exemple,dc=com"
ldap_kadmind_dn = "cn=krb-admin,dc=exemple,dc=com"
ldap_service_password_file = /etc/krb5kdc/service.keyfile
ldap_cert_path = /etc/ssl/certs/
ldap_servers = ldapi:///
ldap_conns_per_server = 5
}
## ****************************************************************************************

## *******************************== /etc/krb5kdc/kdc.conf ==******************************
[kdcdefaults]
kdc_ports = 750,88

[realms]
EXEMPLE.COM = {
database_name = /var/lib/krb5kdc/principal
admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
acl_file = /etc/krb5kdc/kadm5.acl
key_stash_file = /etc/krb5kdc/service.keyfile
kdc_ports = 750,88
max_life = 365d 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:$
default_principal_flags = +preauth
}
## ****************************************************************************************

Variables
----------------------------
SERVER: debian.exemple.com
DOMAIN: exemple.com
REALM: EXEMPLE.COM
LDAPROOT: dc=exemple,dc=com

------------------------------------------------


The LDAP database

## oooooooooooooooooooooooooo the base of LDAP ooooooooooooooooooooooooooooooooooooooooooooooooo
dn: dc=exemple,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: exemple.com
dc: exemple
structuralObjectClass: organization
entryUUID: 26b57a60-036d-1038-8abe-d739c4db7b16
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613154950Z
entryCSN: 20180613154950.654216Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613154950Z

dn: cn=admin,dc=exemple,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9ZjBTSzg0Q0g1djR6Y2txSm0waWFERXI4RDBMVTVYRjY=
structuralObjectClass: organizationalRole
entryUUID: 26b61920-036d-1038-8abf-d739c4db7b16
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613154950Z
entryCSN: 20180613154950.658340Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613154950Z

dn: cn=krb-admin,dc=exemple,dc=com
cn: krb-admin
objectClass: organizationalRole
objectClass: simpleSecurityObject
userPassword:: e1NIQX1RTDBBRldNSVg4TlJaVEtlb2Y5Y1hzdmJ2dTg9
structuralObjectClass: organizationalRole
entryUUID: 83d559c8-0371-1038-8427-4919d7f0168c
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613162104Z
entryCSN: 20180613162104.878174Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613162104Z

dn: ou=groups,dc=exemple,dc=com
objectClass: organizationalUnit
ou: groups
structuralObjectClass: organizationalUnit
entryUUID: 83da5bda-0371-1038-8428-4919d7f0168c
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613162104Z
entryCSN: 20180613162104.911009Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613162104Z

dn: ou=users,dc=exemple,dc=com
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
entryUUID: 83dabbd4-0371-1038-8429-4919d7f0168c
creatorsName: cn=admin,dc=exemple,dc=com
createTimestamp: 20180613162104Z
entryCSN: 20180613162104.913467Z#000000#000#000000
modifiersName: cn=admin,dc=exemple,dc=com
modifyTimestamp: 20180613162104Z

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
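Correlating those slapd lines by connection and operation, as an added example that is not from this post nor from MIT Kerberos or OpenLDAP: the Python script below parses the access-log excerpt, pairs each op with its RESULT line, translates the numeric result code to its RFC 4511 name, and separately flags simple binds with ssf=0 that arrived over TCP rather than the ldapi Unix socket (the binds in the excerpt are over ldapi, so they are not flagged). It shows that the only failing request is conn=1015 op=1, a base-scope search for cn=EXEMPLE.COM,cn=krb-admin,dc=exemple,dc=com ending in err=32 (noSuchObject), which matches the directory dump above: it contains no cn=EXEMPLE.COM entry. The function names are this example's own; the log lines are copied from the post (trimmed to the relevant ones) except for the conn=1016 lines, which are constructed (192.0.2.10 is a documentation address) so the cleartext-bind check has something to report.

```python
"""Added example: correlate slapd access-log lines per connection/operation, name
the LDAP result codes, and flag ssf=0 simple binds that came in over TCP."""
import re

# RFC 4511 result codes a KDC/kadmind LDAP backend setup commonly hits
LDAP_RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                     50: "insufficientAccessRights", 53: "unwillingToPerform",
                     65: "objectClassViolation", 68: "entryAlreadyExists"}

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
ACCEPT_RE = re.compile(r"ACCEPT .*?(?P<kind>PATH|IP)=(?P<addr>\S+)")
OP_RE = re.compile(r"^op=(?P<op>\d+) (?P<body>.*)$")
BIND_MECH_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+) ssf=(?P<ssf>\d+)')
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=\d')
RESULT_RE = re.compile(r"RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=(?P<n>\d+))?")


def parse_slapd_log(lines):
    """Return {conn: {"transport": ("ldapi"|"tcp", addr) or None, "ops": {op: fields}}}."""
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue                      # systemd and other non-slapd lines
        c = conns.setdefault(int(m["conn"]), {"transport": None, "ops": {}})
        a = ACCEPT_RE.search(m["rest"])
        if a:                             # PATH= is the ldapi Unix socket, IP= is TCP
            c["transport"] = ("ldapi" if a["kind"] == "PATH" else "tcp", a["addr"])
            continue
        o = OP_RE.match(m["rest"])
        if not o:
            continue                      # "fd=N closed" and similar connection-level lines
        op = c["ops"].setdefault(int(o["op"]), {"kind": None, "dn": None, "base": None, "mech": None,
                                               "ssf": None, "err": None, "nentries": None})
        body = o["body"]
        b, s, r = BIND_MECH_RE.search(body), SRCH_RE.search(body), RESULT_RE.search(body)
        if b:                             # second BIND line carries dn, mech and ssf
            op.update(kind="BIND", dn=b["dn"], mech=b["mech"], ssf=int(b["ssf"]))
        elif body.startswith("BIND"):     # first BIND line (method=128) only names the op
            op["kind"] = "BIND"
        elif s:
            op.update(kind="SRCH", base=s["base"])
        elif r:                           # RESULT / SEARCH RESULT closes the op
            op["err"] = int(r["err"])
            op["nentries"] = int(r["n"]) if r["n"] is not None else None
        elif body.startswith("UNBIND"):
            op["kind"] = "UNBIND"
    return conns


def failed_operations(conns):
    """Every op whose RESULT err is non-zero, with the DN or search base it targeted."""
    out = []
    for conn, c in sorted(conns.items()):
        for num, op in sorted(c["ops"].items()):
            if op["err"] not in (None, 0):
                out.append({"conn": conn, "op": num, "kind": op["kind"], "err": op["err"],
                            "name": LDAP_RESULT_NAMES.get(op["err"], "unknown"),
                            "target": op["base"] or op["dn"]})
    return out


def cleartext_simple_binds(conns):
    """Simple binds with ssf=0 (no security layer) that did not use the local ldapi socket."""
    out = []
    for conn, c in sorted(conns.items()):
        transport = c["transport"][0] if c["transport"] else "unknown"
        for num, op in sorted(c["ops"].items()):
            if op["kind"] == "BIND" and op["mech"] == "SIMPLE" and op["ssf"] == 0 and transport != "ldapi":
                out.append((conn, num, op["dn"], transport))
    return out


P = "juin 13 17:27:17 debian slapd[23124]: "   # prefix shared by the lines copied from the post
SAMPLE_LOG = [
    P + "conn=1015 fd=18 ACCEPT comom PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)",
    "juin 13 17:27:17 debian systemd[1]: krb5-kdc.service: Failed with result 'exit-code'.",
    P + 'conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" method=128',
    P + 'conn=1015 op=0 BIND dn="cn=krb-admin,dc=exemple,dc=com" mech=SIMPLE ssf=0',
    P + "conn=1015 op=0 RESULT tag=97 err=0 text=",
    P + 'conn=1015 op=1 SRCH base="cn=EXEMPLE.COM,cn=krb-admin,dc=exemple,dc=com" scope=0 deref=0 filter="(?objectClass=krb',
    P + "conn=1015 op=1 SRCH attr=krbSearchScope krbSubTrees krbPrincContainerRef krbMaxTicketLife krbMaxRenewableAge k",
    P + "conn=1015 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=",
    P + "conn=1015 op=2 UNBIND",
    P + "conn=1015 fd=18 closed",
    P + "conn=1014 op=1 UNBIND",
    # constructed TCP connection (not in the post) so the cleartext-bind check has a hit
    P + "conn=1016 fd=19 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)",
    P + 'conn=1016 op=0 BIND dn="cn=admin,dc=exemple,dc=com" method=128',
    P + 'conn=1016 op=0 BIND dn="cn=admin,dc=exemple,dc=com" mech=SIMPLE ssf=0',
    P + "conn=1016 op=0 RESULT tag=97 err=0 text=",
]

if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    for f in failed_operations(conns):
        print("conn=%(conn)d op=%(op)d %(kind)s -> err=%(err)d (%(name)s) target=%(target)s" % f)
    for conn, num, dn, transport in cleartext_simple_binds(conns):
        print("conn=%d op=%d simple bind for %s with ssf=0 over %s" % (conn, num, dn, transport))
```

Run it against a full journal export (`journalctl -u slapd` piped in, one line per list element) to get the same two reports for a live server; the BIND with err=0 followed by a search that returns 32 is the pattern that distinguishes a missing realm container from a bad ldap_kdc_dn password, which would show err=49 on the bind itself.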
Posts: 1,042
Topics: 1
Kudos: 262
Solutions: 130
Registered: ‎04-22-2014

Re: LDAP vs LDAPS kerberos with AD

@nounou,

Your issue is not the same as the one in this thread.

The issue you describe is regarding the configuration of an LDAP backend for an MIT Kerberos KDC.

While there may be some in the Cloudera community who can assist with this issue, it is outside the scope/control of Cloudera Manager.

I recommend investigating and discussing the issue with the MIT Kerberos community:

https://web.mit.edu/kerberos/mail-lists.html