
KDC - OpenLdap integration

Expert Contributor

Hi All,

While trying the KDC - Openldap integration based on below steps

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-OpenLDAP-KDC-integration.md

facing below issue

[root@sandbox krb5kdc]# kdb5_ldap_util -D "cn=$LDAP_ADMIN_USER,dc=hortonworks,dc=com" create -subtrees "ou=kerberos,dc=hortonworks,dc=com" -r HORTONWORKS.COM -s -H ldapi:///
Password for "cn=admin,dc=hortonworks,dc=com":
Initializing database for realm 'HORTONWORKS.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
Kerberos container is missing. Creating now...
kdb5_ldap_util: Kerberos Container create FAILED: Object class violation while creating realm 'HORTONWORKS.COM'

Thanks for any help.

Avijeet


Re: KDC - OpenLdap integration

Contributor

Re: KDC - OpenLdap integration

Expert Contributor

Hi Eric,

my question was for KDC-OpenLDAP integration, my OpenLDAP setup is done.

Thanks,

Avijeet

Re: KDC - OpenLdap integration

Contributor

As the failure occurs while trying to add KDC entries to your LDAP, you should make sure your LDAP is set up correctly. Are there any errors in the OpenLDAP server logs? That may be revealing...

Re: KDC - OpenLdap integration

Expert Contributor

Hi Erik,

The error is something as below. I think the instructions in the link create cn=kerberos, but while creating the subtree ou=kerberos it complains of an object class violation, at this step:

kdb5_ldap_util -D "cn=$LDAP_ADMIN_USER,dc=hortonworks,dc=com" create -subtrees "ou=kerberos,dc=hortonworks,dc=com" -r HORTONWORKS.COM -s -H ldapi:///

Now the krb5kdc and kadmin services also don't start.

https://github.com/abajwa-hw/security-workshops/blob/master/Setup-OpenLDAP-KDC-integration.md

Jun 24 06:16:53 sandbox slapd[19821]: >>> dnPrettyNormal: <ou=kerberos,dc=hortonworks,dc=com>
Jun 24 06:16:53 sandbox slapd[19821]: <<< dnPrettyNormal: <ou=kerberos,dc=hortonworks,dc=com>, <ou=kerberos,dc=hortonworks,dc=com>
Jun 24 06:16:53 sandbox slapd[19821]: SRCH "ou=kerberos,dc=hortonworks,dc=com" 0 0
Jun 24 06:16:53 sandbox slapd[19821]: 0 300 0
Jun 24 06:16:53 sandbox slapd[19821]: begin get_filter
Jun 24 06:16:53 sandbox slapd[19821]: EQUALITY
Jun 24 06:16:53 sandbox slapd[19821]: end get_filter 0
Jun 24 06:16:53 sandbox slapd[19821]: filter: (objectClass=krbContainer)
Jun 24 06:16:53 sandbox slapd[19821]: attrs:
Jun 24 06:16:53 sandbox slapd[19821]: krbTicketPolicyReference
Jun 24 06:16:53 sandbox slapd[19821]:
Jun 24 06:16:53 sandbox slapd[19821]: conn=2272 op=1 SRCH base="ou=kerberos,dc=hortonworks,dc=com" scope=0 deref=0 filter="(objectClass=krbContainer)"
Jun 24 06:16:53 sandbox slapd[19821]: conn=2272 op=1 SRCH attr=krbTicketPolicyReference
Jun 24 06:16:53 sandbox slapd[19821]: => bdb_search
Jun 24 06:16:53 sandbox slapd[19821]: bdb_dn2entry("ou=kerberos,dc=hortonworks,dc=com")
Jun 24 06:16:53 sandbox slapd[19821]: => bdb_dn2id("ou=kerberos,dc=hortonworks,dc=com")
Jun 24 06:16:53 sandbox slapd[19821]: <= bdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found (-30988)
Jun 24 06:16:53 sandbox slapd[19821]: => access_allowed: disclose access to "dc=hortonworks,dc=com" "entry" requested
Jun 24 06:16:53 sandbox slapd[19821]: <= root access granted
Jun 24 06:16:53 sandbox slapd[19821]: => access_allowed: disclose access granted by manage(=mwrscxd)
Jun 24 06:16:53 sandbox slapd[19821]: send_ldap_result: conn=2272 op=1 p=3
Jun 24 06:16:53 sandbox slapd[19821]: send_ldap_result: err=10 matched="dc=hortonworks,dc=com" text=""

Thanks,

avijeet

Re: KDC - OpenLdap integration

Expert Contributor

I was able to resolve this issue by using cn=kerberos instead of ou in krb5.conf and below:

kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" create -subtrees "cn=kerberos,dc=example,dc=com" -r EXAMPLE.COM -s -H ldapi:///

However, I don't see the existing LDAP users in my kadmin.local.

For example, there is a user under ou=People,dc=example,dc=com.

How does that user automatically become a principal in the KDC?

Or do all KDC users have to be created through addprinc?

Thanks,

Avijeet
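Added illustration of why the cn= form works and the ou= form does not (not code from the thread or the linked workshop): the MIT kerberos.schema defines krbContainer as a STRUCTURAL class with MUST ( cn ), and the RDN of a new entry becomes one of its attributes, so an entry of that class at ou=kerberos carries an ou attribute the class does not permit and slapd answers with an object class violation. The script checks a candidate container DN against that constraint before kdb5_ldap_util is run and emits the minimal LDIF of the container for comparison with ldapsearch output. The DNs it checks are constructed samples; the DN parser handles only simple, unescaped DNs like those in the thread.

```python
"""Pre-flight check for the Kerberos container DN given to kdb5_ldap_util.

Added example, not part of the thread. Assumption: krbContainer as defined
in the MIT kerberos.schema, i.e. STRUCTURAL with MUST ( cn ).
"""

# objectClass krbContainer ... STRUCTURAL MUST ( cn )   (MIT kerberos.schema)
KRB_CONTAINER_CLASS = "krbContainer"
KRB_CONTAINER_MUST = frozenset({"cn"})


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leftmost RDN first.

    Only the simple, unescaped DNs used in the thread are handled; a full
    RFC 4514 parser would also deal with escaped commas and multi-valued RDNs.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def check_container_dn(dn):
    """Return (ok, reason) for a DN that will be created as a krbContainer entry.

    The RDN attribute type must be allowed by the entry's object classes; with
    krbContainer alone (MUST cn) anything other than cn=... is a violation,
    which is the "Object class violation" seen in the thread for ou=kerberos.
    """
    rdn_attr, _ = parse_dn(dn)[0]
    allowed = sorted(KRB_CONTAINER_MUST)
    if rdn_attr in KRB_CONTAINER_MUST:
        return True, f"RDN attribute '{rdn_attr}' is allowed by {KRB_CONTAINER_CLASS} (MUST {allowed})"
    return False, (
        f"RDN attribute '{rdn_attr}' is not allowed by {KRB_CONTAINER_CLASS} "
        f"(MUST {allowed}); slapd will reject the add with objectClassViolation"
    )


def container_ldif(dn):
    """Minimal LDIF of the container entry, for comparison with ldapsearch output."""
    ok, reason = check_container_dn(dn)
    if not ok:
        raise ValueError(reason)
    rdn_attr, rdn_value = parse_dn(dn)[0]
    return f"dn: {dn}\nobjectClass: {KRB_CONTAINER_CLASS}\n{rdn_attr}: {rdn_value}\n"


if __name__ == "__main__":
    # Constructed candidates: the failing DN from the thread and the working one.
    for candidate in ("ou=kerberos,dc=hortonworks,dc=com", "cn=kerberos,dc=example,dc=com"):
        ok, reason = check_container_dn(candidate)
        print(("OK   " if ok else "FAIL ") + candidate + ": " + reason)
    print(container_ldif("cn=kerberos,dc=example,dc=com"))
```

Run it before `kdb5_ldap_util ... create -subtrees "<dn>"`; the same DN must also be the `ldap_kerberos_container_dn` in krb5.conf, which is why the original poster had to change both places.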

Re: KDC - OpenLdap integration

Expert Contributor

@Sagar Shimpi

Hi Sagar, can you please guide on this issue? Thanks, Avijeet

Re: KDC - OpenLdap integration

Contributor

@Avijeet Dash @Sagar Shimpi

Have you been able to see the users created through OpenLDAP using kadmin.local? I am also facing the same thing...

As we already have an OpenLDAP in our environment, we want to integrate it with a new KDC server.