OpenLDAP Faq-O-Matic : Is there an alternative to {KERBEROS} passwords in current versions of slapd(8)?
Beginning with OpenLDAP 2.1.23, the --enable-kpasswd configuration option has been removed. If you've been using this so that you can have userPassword attributes that look like {KERBEROS}principal@MY.KERBEROS.REALM, the alternative is to use the --enable-spasswd configuration option together with saslauthd and the {SASL} password scheme. I tried to do this and ran into a number of minor issues, which I will try to document here. The main symptom was that simple binds returned an "Invalid credentials (49)" message.

Assuming you've already built Cyrus SASL, you should have saslauthd. It may live in /usr/[local]/sbin/saslauthd, depending on your local environment. You need to be sure that the socket path (/usr/state/saslauthd/ was the default in my installation, but it may be different for you) exists. The user that slapd runs as needs to have read/write access to this path. Start saslauthd like:

    /usr/local/sbin/saslauthd -a kerberos5

There are other options, including credential caching options (see the man page), that you may want to use.

You can test your saslauthd using the testsaslauthd program. This can be built by going to the saslauthd/ directory in the Cyrus SASL source distribution and running "make testsaslauthd". Run it like:

    testsaslauthd -u username -p password

You may also need to provide the -r realm option if you're not using your default realm. If you get a response like:

    size read failed

and your syslog has messages like:

    saslauthd[30397]: auth_krb5: krb5_get_init_creds_password
    saslauthd[30397]: do_auth: auth failure: [user=username] [realm=MY.KERBEROS.REALM] [mech=kerberos5] [reason=saslauthd internal error]

then you may need a host service principal in your /etc/krb5.keytab, e.g. host/my.server.fqdn@MY.KERBEROS.REALM. In my case I only had the ldap service principal. Use ktutil to install this (back up your keytab file first).

Otherwise you should get a response like:

    0: OK "Success."

If you get this far but are still getting invalid credential messages from slapd, be sure you have a /usr/[local]/lib/sasl2/slapd.conf file. At minimum, this should contain:

    pwcheck_method: saslauthd

If you're not using the default saslauthd socket path, it may also need a line like:

    saslauthd_path: /var/state/saslauthd/mux

See also the doc/options.html document that comes with Cyrus SASL.

At this point, I could do simple binds where I previously had a {KERBEROS} userPassword by changing that to {SASL}.

Hope this helps -- please use this info at your own risk; I do not warrant that it will work for you. ALSO NOTE THAT ALL OF THIS IS IN GENERAL DISCOURAGED AND SHOULD BE USED ONLY WHEN THE CLIENT DOES NOT SUPPORT A MORE SECURE AUTHENTICATION CAPABILITY, YOU'RE STUCK DOING SIMPLE BINDS, AND WANT TO BE ABLE TO USE KERBEROS AUTHENTICATION OF CREDENTIALS. See the openldap-software list archives for much discussion of this. Finally, I would *strongly* suggest that you configure your ldap server to allow simple binds only for SSL/TLS-protected connections.
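The checks below are an added example, not part of this FAQ entry and not OpenLDAP or Cyrus SASL code. They turn the troubleshooting steps above into a script a practitioner can run on the server before chasing "Invalid credentials (49)": does slapd's SASL config name saslauthd as its pwcheck_method, does the socket directory exist with read/write access for the calling user, does the keytab list a host/<fqdn> principal, and is a testsaslauthd reply the success line. The function names, the argument conventions, the fallback mux path of /var/state/saslauthd/mux (the FAQ's example path, assumed here to be the default) and the sample klist output used in testing are all assumptions made for this example.

```sh
#!/bin/sh
# Added sanity checks for the saslauthd + {SASL} setup described in this FAQ
# entry. Not OpenLDAP or Cyrus SASL code; function names, argument conventions
# and the fallback mux path are assumptions made for this example.

# 0 if the slapd SASL config names saslauthd as the password checker
# (the "pwcheck_method: saslauthd" line the FAQ calls the minimum), else 1.
sasl_conf_ok() {
    conf="$1"
    [ -r "$conf" ] || return 1
    grep -Eq '^[[:space:]]*pwcheck_method:[[:space:]]*saslauthd[[:space:]]*$' "$conf"
}

# Print the saslauthd socket path the config asks for; when no saslauthd_path
# line is present fall back to /var/state/saslauthd/mux (assumed default).
sasl_conf_mux_path() {
    conf="$1"
    p=$(sed -n 's/^[[:space:]]*saslauthd_path:[[:space:]]*//p' "$conf" 2>/dev/null | head -n 1)
    if [ -n "$p" ]; then
        printf '%s\n' "$p"
    else
        printf '%s\n' "/var/state/saslauthd/mux"
    fi
}

# 0 if the directory that holds the mux socket exists and the calling user can
# read and write it. Run this as the user slapd runs as, since that is the
# account the FAQ says needs read/write access to the socket path.
mux_dir_ok() {
    muxdir=$(dirname "$1")
    [ -d "$muxdir" ] && [ -r "$muxdir" ] && [ -w "$muxdir" ]
}

# 0 if "klist -k" style output lists a host/<fqdn>@REALM principal, the entry
# whose absence produced the "saslauthd internal error" described in the FAQ.
# Argument 1 is the klist output text, argument 2 the server's FQDN.
keytab_lists_host_principal() {
    pat=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the regex
    printf '%s\n' "$1" | grep -Eq "(^|[[:space:]])host/${pat}@[A-Za-z0-9.-]+"
}

# 0 if a testsaslauthd reply is the success line the FAQ shows ("0: OK ...").
saslauthd_reply_ok() {
    printf '%s\n' "$1" | grep -q '^0: OK'
}

# Run every check against a live installation. Paths are arguments so the
# script can be pointed at a non-default layout; nothing here needs root.
#   usage: sh saslauthd-checks.sh --run /usr/local/lib/sasl2/slapd.conf ldap.example.test
run_checks() {
    conf="$1"; fqdn="$2"; rc=0
    sasl_conf_ok "$conf" || { echo "FAIL: $conf lacks 'pwcheck_method: saslauthd'"; rc=1; }
    mux=$(sasl_conf_mux_path "$conf")
    mux_dir_ok "$mux" || { echo "FAIL: $(dirname "$mux") missing or not read/write for $(id -un)"; rc=1; }
    if command -v klist >/dev/null 2>&1; then
        keytab_lists_host_principal "$(klist -k /etc/krb5.keytab 2>/dev/null)" "$fqdn" \
            || { echo "FAIL: no host/$fqdn principal in /etc/krb5.keytab"; rc=1; }
    fi
    return $rc
}

# Only touch the live system when explicitly asked; sourcing the file just
# defines the functions.
case "${1:-}" in
    --run) run_checks "$2" "$3" ;;
esac
```

Run it as the slapd user (for example with su or sudo -u) so the socket-directory check reflects the permissions slapd will actually have; the keytab check is skipped when klist is not installed, and the config check is deliberately strict about the exact "pwcheck_method: saslauthd" line so a typo there shows up as a FAIL rather than as a bind failure later.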