Newbie gets reamed by openldap, kerberos, and sasl... please help.
So it seemed like a simple task... use openldap without anonymous bind
and verify the username and password sent in the clear to slapd using
kerberos5. (Before you jump on us: we are adding SSL after we get it
working.) We have RTFM'd, read the Mini-How-To, etc., and spent 3 weeks on
this problem with no luck. We have attempted this on Solaris 8 and MacOS X
10.2 with the same result.
So what we used:
KERBEROS V - on Solaris we built the latest MIT and were able to kinit; on
MacOS X we took the shipping version and were able to kinit and also use
the loginwindow with Kerberos enabled.
SASL 2.1.15
./configure --without-pam --with-saslauthd --without-pwcheck
--disable-alwaystrue --disable-checkapop --disable-cram
--disable-digest --disable-otp --without-opie --disable-srp
--disable-krb4 --enable-gssapi --enable-plain --disable-anon
--enable-login --disable-ntlm --without-ldap --without-mysql
/usr/local/sbin/saslauthd -a kerberos5 -n0
testsaslauthd works: ./testsaslauthd -u xxxx -p xxx
It also works with a realm equal to our Kerberos realm and with -s ldap.
/etc/krb5.srvtab contains both a host entry and an ldap service entry.
Also note that both static and dynamic libs are built and that we put
them in /usr/local/lib/sasl2 with links to them as /usr/lib/sasl2 and
/usr/lib/sasl.
OPENLDAP 2.1.22
./configure --with-cyrus-sasl --without-kerberos --disable-kpasswd
--disable-lmpasswd --enable-spasswd --disable-bdb --enable-ldbm
--disable-passwd --disable-sql
There are two slapd.conf files.
/usr/local/lib/sasl2/slapd.conf
which contains 1 line:
pwcheck_method: saslauthd
Of course there is also /usr/local/etc/openldap/slapd.conf (edited to
protect the guilty):
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/corba.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema
schemacheck on
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# ldbm database definitions
#######################################################################
sasl-realm XXX.NCSU.EDU
sasl-host xxx..ncsu.edu
sasl-secprops none
#disallow bind_anon
access to * by * read
access to * by * write
# Include the access lists
# include /local/ldap/etc/slapd.access
database ldbm
suffix "dc=ncsu,dc=edu"
rootdn "cn=Manager,dc=ncsu,dc=edu"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw xxx
# lastmod on
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indexes
========== end slapd.conf
AND in the DATABASE a header and single user loaded as:
/usr/local/bin/ldapadd -x -D "cn=Manager,dc=ncsu,dc=edu" -W -f
header.ldif
dn: dc=ncsu,dc=edu
objectclass: dcObject
objectclass: organization
dc: ncsu
o: NCSU
description: North Carolina State University
# Organizational Role for Directory Manager
dn: cn=Manager,dc=ncsu,dc=edu
objectClass: organizationalRole
cn: Manager
description: Directory Manager
AND USER: /usr/local/bin/ldapadd -x -D "cn=Manager,dc=ncsu,dc=edu" -W
-f example3.ldif
dn: ou=people,dc=ncsu,dc=edu
objectclass: organizationalUnit
ou: people
description: Users at NCSU
dn: uid=bs,ou=people,dc=ncsu,dc=edu
objectClass: inetOrgPerson
objectClass: posixAccount
cn: krb5PrincipalName: bs@XXX.NCSU.EDU
cn: Bill Smith
givenName: Bill
sn: smith
mail: bs@unity.ncsu.edu
uid: bs
uidNumber: 6666
gidNumber: 666
homeDirectory: /users/b/bs
loginShell: /bin/tcsh
userPassword: {SASL}bs@EOS.NCSU.EDU
===== end ldif files
So, two things we can do:
a) When we allow anonymous bind,
/usr/local/bin/ldapsearch -x -b 'dc=ncsu,dc=edu' '(objectclass=*)' works.
b) If we disallow bind_anon and run
/usr/local/bin/ldapsearch -I -b 'dc=ncsu,dc=edu' '(objectclass=*)'
we get prompted for our Kerberos userid (GSSAPI from the SASL libs) and
password, get ldap service tickets, and are able to get the same
results as with anonymous bind allowed, i.e. it works.
Great, but we have to allow a client (the LDAPv3 plug-in in MacOS X
Directory Services) which cannot use GSSAPI or any SASL bind
mechanism. In other words, we need to do a simple bind with a password
checked against Kerberos V. Various documentation leads us to believe
we need saslauthd for this, but we can never seem to make openldap use
saslauthd.
Please help!
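Added example, not part of the original post and not OpenLDAP or Cyrus SASL code: when a simple bind hits a userPassword of the form {SASL}user@realm and pwcheck_method is saslauthd, libsasl (on slapd's behalf) opens the saslauthd mux socket and sends four length-prefixed strings: user, password, service, realm. The script below speaks that wire protocol directly, splits the {SASL} value into user and realm the way the user@realm form implies (falling back to a default realm, as sasl-realm would supply), and includes a constructed stand-in for saslauthd with an in-memory credential table so it runs offline. The service name "ldap", the credential "correct-horse" and the socket path are assumptions for the demo.

```python
"""Added example (not from the original post): drive a saslauthd mux socket
the way libsasl does for slapd when userPassword is '{SASL}user@realm' and
pwcheck_method is saslauthd.

Assumptions: service name 'ldap' is what slapd registers with libsasl; the
stand-in server below is a constructed fake with an in-memory credential
table, not saslauthd -a kerberos5 talking to a KDC."""
import os
import socket
import struct
import tempfile
import threading


def parse_sasl_password(user_password, default_realm):
    """Split '{SASL}user[@realm]' into (user, realm); a missing realm
    falls back to the default (the role sasl-realm plays in slapd.conf)."""
    prefix = "{SASL}"
    if not user_password.startswith(prefix):
        raise ValueError("not a {SASL} userPassword value")
    authcid = user_password[len(prefix):]
    if "@" in authcid:
        user, realm = authcid.rsplit("@", 1)
        return user, realm
    return authcid, default_realm


def _pack(s):
    """saslauthd wire encoding: 16-bit big-endian length, then the bytes."""
    data = s.encode()
    return struct.pack("!H", len(data)) + data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the socket early")
        buf += chunk
    return buf


def _read_field(sock):
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length).decode()


def saslauthd_check(mux_path, user, password, service, realm):
    """One saslauthd query: user, password, service, realm, each
    length-prefixed; the reply is one length-prefixed string starting
    with 'OK' or 'NO'. Returns (ok, reply_text).

    The password crosses this socket in clear text, so the mux directory
    must be accessible only to the daemons meant to use it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(mux_path)
        sock.sendall(_pack(user) + _pack(password) + _pack(service) + _pack(realm))
        reply = _read_field(sock)
    return reply.startswith("OK"), reply


class FakeSaslauthd:
    """Constructed stand-in for saslauthd so the example runs offline.
    A kerberos5 backend would try user@realm against the KDC; this one
    looks the principal up in a dict."""

    def __init__(self, creds):
        self.creds = creds
        self.mux_path = os.path.join(tempfile.mkdtemp(), "mux")
        self.server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.server.bind(self.mux_path)
        self.server.listen(5)
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.server.accept()
            except OSError:  # listening socket closed by close()
                return
            with conn:
                user, password, service, realm = [_read_field(conn) for _ in range(4)]
                ok = self.creds.get(f"{user}@{realm}") == password
                conn.sendall(_pack("OK" if ok else "NO authentication failed"))

    def close(self):
        self.server.close()
        os.unlink(self.mux_path)
        os.rmdir(os.path.dirname(self.mux_path))


def demo():
    """Round trip with constructed credentials; returns (good, bad)."""
    fake = FakeSaslauthd({"bs@EOS.NCSU.EDU": "correct-horse"})  # constructed
    try:
        user, realm = parse_sasl_password("{SASL}bs@EOS.NCSU.EDU", "XXX.NCSU.EDU")
        good, _ = saslauthd_check(fake.mux_path, user, "correct-horse", "ldap", realm)
        bad, _ = saslauthd_check(fake.mux_path, user, "wrong", "ldap", realm)
    finally:
        fake.close()
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Against the real daemon, call saslauthd_check with the mux path saslauthd actually uses (the directory it was built with via --with-saslauthd=DIR, or the one given with -m) and the realm taken from the {SASL} value, e.g. saslauthd_check("/var/run/saslauthd/mux", "bs", password, "ldap", "EOS.NCSU.EDU"). This is the same check testsaslauthd performs, so the point of running it is to confirm the realm and socket path libsasl will use; if it returns OK while the simple bind still fails, the gap is between slapd and libsasl (which slapd.conf libsasl is reading, and whether the mux path it expects matches, which the libsasl option saslauthd_path in that file sets) rather than in saslauthd or the KDC.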