[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticate to ldap using Kerberos



> To have slapd use saslauthd for authentication, you'll need to create the
> file /usr/lib/sasl2/slapd.conf, with these contents:
> 
> pwcheck_method: saslauthd
> mech_list: plain login
> 
> and optionally
> 
> keytab: /etc/krb5.keytab   (which is the standard location)

Check. As per a previous trial I created the keytab in a different
location; 
# cat /usr/lib/sasl2/slapd.conf
pwcheck_method: saslauthd
mech_list: plain login gssapi external
keytab: /etc/ldap/ldap.keytab

# ls -l /usr/lib/sasl2/slapd.conf 
-rw-r--r-- 1 root root 95 2010-09-09 10:03 /usr/lib/sasl2/slapd.conf

# ls -l /etc/ldap/ldap.keytab
-rw-r----- 1 root openldap 286 2010-09-08 16:03 /etc/ldap/ldap.keytab

> *If* you intend to perform a PLAIN sasl bind, you'll need this in your
> /etc/ldap/slapd.conf:
> 
> sasl-secprops none

Check.
Had some probs with SSL before so start with plain. Later I'm just going
to close that port in the firewall, for internal use it's secure enough.

> If you're planning on supporting non-sasl binds, but still wish to
> authenticate via saslauthd, your userPassword entries should look like:
> 
> userPassword: {SASL}username@realm
> 
> and you'll need to verify that your slapd was compiled with the
> --enable-spasswd option. See section 4.5 (Pass-Through authentication)
> of the OpenLDAP Administrators Guide.

This one I have no idea what that would do. My understanding is
obviously not deep enough.

> You could authenticate against a kerberos5 installation with saslauthd a
> couple of different ways:
> 
> 1. Authenticate saslauthd against PAM. Edit /etc/default/saslauthd and
> specify 'pam' as your authentication backend. You'll then need to configure
> a kerberos pam module to do that actual work.

In /etc/default/saslauthd:
MECHANISMS="pam"

Already configured like that.
Other logins authenticate fine against pam using my kerberos password
(like Cyrus IMAP, and Postfix's smtp authentication), so this part is
working fine.

> 2. Authenticate saslauthd against kerberos5 ('kerberos5' in
> /etc/default/saslauthd). I'm not sure if you need to have a valid ticket
> granting ticket, or if a proper /etc/krb5.conf is all you need.

I prefer to stick to pam as in that case it can fall back to my local
passwd file, where I have defined a password for root, so in case the
krb server (or the network) fails at least I can log in!

> >Current situation after all the hacking:
> >$ ldapwhoami -x -D 'uid=wouter,ou=people,dc=squirrel' -W -h 
> >acorn.squirrel
> >Enter LDAP Password:
> >ldap_bind: Invalid credentials (49)
> >when entering my Kerberos password; it accepts my credentials when I 
> >enter the LDAP stored password (a different password).
> 
> That requires pass-through authentication.

I see.
Well with the above instructions nothing seems to have changed.
I have restarted saslauthd and slapd after making the changes, and when
now accessing the ldap addressbook using Evolution, I still have to use
the ldap stored password, not the krb password.

Wouter.

> 
> >Then I just did:
> >=======================
> >wouter@acorn:~$ ldapsearch -LLL -s base -b '' '(objectClass=*)' +
> >SASL/GSSAPI authentication started
> >ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) 
> >error (80)
> >wouter@acorn:~$ klist
> >Ticket cache: FILE:/tmp/krb5cc_1000_5lYS4w
> >Default principal: wouter@SQUIRREL
> >
> >Valid starting     Expires            Service principal
> >09/08/10 22:42:07  09/09/10 08:42:07  krbtgt/SQUIRREL@SQUIRREL
> >        renew until 09/09/10 22:42:07
> >09/08/10 22:46:39  09/09/10 08:42:07  ldap/acorn.squirrel@SQUIRREL
> >        renew until 09/09/10 22:42:07
> >
> >
> >Kerberos 4 ticket cache: /tmp/tkt1000
> >klist: You have no tickets cached
> >=======================
> 
> Do you have ldap/acorn.squirrel@SQUIRREL in /etc/krb5.keytab, on the
> server? Is it readable by the slapd user?
>