On Tue, Jul 13, 2010 at 10:10:25PM +0200, Henrik /KaarPoSoft wrote:
I have a problem: ldapsearch results in "Segmentation fault" under
openldap-2.4.23 with cyrus-sasl-2.1.23.
[...]
Jeremy Chadwick wrote:
If I was to build a test box from scratch, can you tell me how to set up
all the necessary software/etc. to mimic your environment so that I
could try to reproduce this? Reviewing the source isn't enough, I'd
have to actually build a debug version of libgssapi to track it down.
Jeremy, I would really appreciate your going through this!
Thank you very much in advance.
Here is what I did:
FreeBSD 8.0 vanilla install
hostname: srv02.example.lan
freebsd-update fetch
freebsd-update install
Create self-signed "CA" cert, and create SSL cert for LDAP signed by this.
References:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/openssl.html
http://forums.freebsd.org/showthread.php?t=6490
http://www.freebsdmadeeasy.com/tutorials/freebsd/create-a-ca-with-openssl.php
pkg_add -r heimdal
cat >> /etc/rc.conf
kerberos5_server_enable="YES"
kadmind5_server_enable="YES"
cat > /etc/krb5.conf
[libdefaults]
default_realm = EXAMPLE.LAN
kstash
kadmin -l
kadmin> init EXAMPLE.LAN
kadmin> add TestOne
kadmin> list "*"
/etc/rc.d/kerberos start
/etc/rc.d/kadmind start
Add to nameserver:
kerberos.example.lan CNAME srv02.example.lan
ldap.example.lan CNAME srv02.example.lan
_kerberos IN TXT kerberos.example.lan
_kerberos._udp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
_kerberos._tcp.example.lan. IN SRV 0 0 88 kerberos.example.lan.
_kerberos-adm._tcp.example.lan. IN SRV 0 0 749 kerberos.example.lan.
_kpasswd._udp.example.lan. IN SRV 0 0 464 kerberos.example.lan.
cd /usr/ports
portsnap fetch
portsnap extract
(and subsequently portsnap fetch update)
cd /usr/ports/security/cyrus-sasl2
make config
[X] Berkeley DB
[X] /dev/urandom
make
make install
cd /usr/ports/net/openldap24-sasl-client
make
make install
cd /usr/ports/net/openldap24-server
make config
[x] SASL
make
cat >> /etc/rc.conf
slapd_enable="YES"
slapd_flags="-h ldaps:///"
touch /var/db/openldap-data/DB_CONFIG
srv02# diff /usr/local/etc/openldap/slapd.conf.ORIG
/usr/local/etc/openldap/slapd.conf
48a50,80
>
> #######################################################################
> # EXAMPLE
> #######################################################################
>
> #=# Shemas we need
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> #=# Logging
> loglevel stats stats2 shell parse ACL config filter BER conns
>
>
> #=# GSSAPI mapping
> #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> #=# http://www.openldap.org/doc/admin24/sasl.html#Mapping
Authentication Identities
>
> authz-regexp
> uid=([^,]*),cn=example.lan,cn=gssapi,cn=auth
> uid=$1,ou=Users,dc=example,dc=lan
>
>
> #=# LDAP over TSL (SSL)
> #=# http://www.openldap.org/doc/admin24/tls.html
>
> security ssf=128
> TLSCertificateFile /etc/exampleCA/certs/ldap.pem
> TLSCertificateKeyFile /etc/exampleCA/private/ldap.pem
> TLSCACertificateFile /etc/exampleCA/certs/example.pem
>
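Review bot: The CA file slapd is pointed at here, `TLSCACertificateFile /etc/exampleCA/certs/example.pem`, is not the path the client-side ldap.conf is given later in the mail (`tls_cacert /etc/exampleCA/cacert.pem`); if those two files are not the same certificate, ldapsearch over ldaps fails certificate verification before the SASL/GSSAPI code path is ever reached, which is worth ruling out before attributing the crash to libgssapi. The `loglevel` line enables stats2, parse and BER tracing, which records request contents and produces a very large log; a comment such as `#=# debugging only - drop stats2/parse/BER for production` would make the intent clear to whoever copies this config. The `security ssf=128` line and the authz-regexp mapping follow the cited admin-guide examples, though the realm component `cn=example.lan` should be confirmed against the authcDN slapd actually logs for a TestOne@EXAMPLE.LAN bind. The comment on the include lines reads "Shemas"; "Schemas" is meant.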
54,55c86,93
< suffix "dc=my-domain,dc=com"
< rootdn "cn=Manager,dc=my-domain,dc=com"
---
>
> #=# The example Network
> suffix "dc=example,dc=lan"
>
> #=# The rootdn user, authenticated by Kerberos
> #=# http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
> rootdn "uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth"
>
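Review bot: The rootdn `uid=LDAProot,cn=example.lan,cn=gssapi,cn=auth` refers to a Kerberos principal LDAProot, but the kadmin steps earlier in the mail create only TestOne, and no service principal or keytab for the slapd host appears in the recipe; unless those steps were left out of the write-up, a GSSAPI bind as rootdn cannot succeed, and anyone rebuilding the environment to reproduce the segfault will stop short of the failing path. A comment above the line naming what must exist, e.g. `#=# requires principal LDAProot@EXAMPLE.LAN and a host/service keytab readable by slapd`, would close that gap. Since rootpw is removed in the following hunk, rootdn is reachable only through SASL, so a fault in the GSSAPI library leaves no administrative fallback; that is a reasonable choice here but worth stating next to the rootdn.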
59c97,99
< rootpw secret
---
>
> #=# Since rootdn is authenticated by Kerberos, we do not need rootpw
> #rootpw secret
65a106
Add the domain and a few users with slapadd
cat >> /usr/local/etc/openldap/ldap.conf
base dc=example,dc=lan
uri ldaps://ldap.example.lan/
tls_cacert /etc/exampleCA/cacert.pem