Kerberos/GSSAPI issues
- To: openldap-technical@openldap.org
- Subject: Kerberos/GSSAPI issues
- From: Brian Candler <B.Candler@pobox.com>
- Date: Tue, 28 Dec 2010 09:26:56 +0000
- User-agent: Mutt/1.5.20 (2009-06-14)
Hello,
I'm setting up an openldap server for Kerberos (GSSAPI) authentication only.
I'm using slapd-2.4.21 from Ubuntu 10.04.1.
It's basically working, and I had to do very little other than change
export KRB5_KTNAME in /etc/default/slapd to point to the service keytab.
However, there are a couple of strange things which I wonder if someone
could help me with.
(1) According to the documentation at
http://www.openldap.org/doc/admin24/sasl.html#GSSAPI
the authentication DN should be
uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
However, running slapd in debug mode I see the cn=<realm> is missing. Here
I have a ticket for inst/admin@WS.NSRC.ORG and run slapd -d 255:
...
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="inst/admin"
slap_sasl_getdn: conn 1000 id=inst/admin [len=10]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=inst/admin,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=inst/admin,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=inst/admin,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=inst/admin,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=inst/admin,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=inst/admin,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=inst/admin,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=inst/admin,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=inst/admin,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="inst/admin" authzid="inst/admin"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=inst/admin,cn=gssapi,cn=auth" sasl_ssf=56
...
==> limits_get: conn=1000 op=3 self="uid=inst/admin,cn=gssapi,cn=auth" this="dc=ws,dc=nsrc,dc=org"
...
Now this works, if I change my ACL to
olcAccess: {0}to * by dn.regex="^uid=([^,]+)/admin,cn=gssapi,cn=auth$" manage by users read
However, I wonder why the realm is missing, and whether it can be included
(because in future, if I end up with a cross-realm setup, I'll want to see
the realm for authorization).
Is this a documentation error, or is there some configuration option which
needs setting to preserve the realm?
(2) I would like to be able to do ldapsearch without specifying -Y GSSAPI
explicitly. However, if I omit it, the client picks DIGEST-MD5 instead
(which isn't much use, since I have no passwords in the database).
# ldapsearch -b "ds=ws,dc=nsrc,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password:
Adding -d 255 I see that the server is offering these:
...
ldap_sasl_interactive_bind_s: server supports: NTLM DIGEST-MD5 GSSAPI CRAM-MD5
ldap_int_sasl_bind: NTLM DIGEST-MD5 GSSAPI CRAM-MD5
...
How can I configure the server not to offer the other authentication
mechanisms, or else to put GSSAPI at the front of the list?
Thanks,
Brian.
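The following is an added worked example, not part of Brian's post and not a reply from the list. It makes the authorization point behind question (1) concrete: it builds both forms of the SASL authentication DN (the documented one with cn=<realm> and the one seen in the debug output) from a Kerberos principal, runs the post's own olcAccess dn.regex against each, and pulls the completed-bind line out of slapd -d 255 output so the bound DN and SSF can be checked in logs. Assumptions are marked in the comments: the realm is lower-cased the same way dnNormalize lower-cased cn=GSSAPI in the log, and the realm-aware regex is written here for illustration only. The sample log text is a constructed copy of lines quoted in the post.

```python
import re

# Constructed sample: a copy of the relevant slapd -d 255 lines from the post.
SAMPLE_LOG = """\
do_bind: dn () SASL mech GSSAPI
SASL Canonicalize [conn=1000]: authcid="inst/admin"
<<< dnNormalize: <uid=inst/admin,cn=gssapi,cn=auth>
do_bind: SASL/GSSAPI bind: dn="uid=inst/admin,cn=gssapi,cn=auth" sasl_ssf=56
"""

# Kerberos principal syntax: primary[/instance][@REALM]
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@]+)(?:/(?P<instance>[^@]+))?(?:@(?P<realm>.+))?$"
)

# Shape of the line slapd logs once the SASL bind completes (taken from the post).
BIND_LINE_RE = re.compile(
    r'do_bind: SASL/(?P<mech>\S+) bind: dn="(?P<dn>[^"]*)" sasl_ssf=(?P<ssf>\d+)'
)

# The ACL regex from the post, verbatim.
POST_ACL_RE = re.compile(r"^uid=([^,]+)/admin,cn=gssapi,cn=auth$")

# Assumption (illustration only): what a realm-aware version of that clause
# would look like if slapd emitted the documented cn=<realm> component.
REALM_ACL_RE = re.compile(r"^uid=([^,]+)/admin,cn=ws\.nsrc\.org,cn=gssapi,cn=auth$")


def principal_to_authcdn(principal: str, include_realm: bool) -> str:
    """Build the SASL authentication DN for a Kerberos principal.

    include_realm=True  -> documented form uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
    include_realm=False -> form observed in the post's debug output (no cn=<realm>)
    Values are lower-cased as dnNormalize did for cn=GSSAPI in the log;
    treating the realm the same way is an assumption.
    """
    m = PRINCIPAL_RE.match(principal)
    if not m:
        raise ValueError(f"not a Kerberos principal: {principal!r}")
    uid = m["primary"]
    if m["instance"]:
        uid += "/" + m["instance"]
    rdns = [f"uid={uid}"]
    if include_realm and m["realm"]:
        rdns.append(f"cn={m['realm'].lower()}")
    rdns += ["cn=gssapi", "cn=auth"]
    return ",".join(rdns)


def acl_grants_manage(dn: str, pattern: re.Pattern = POST_ACL_RE) -> bool:
    """True if the dn.regex clause would match this authentication DN."""
    return pattern.match(dn) is not None


def parse_sasl_binds(log_text: str) -> list:
    """Extract mechanism, bound DN and negotiated SSF from slapd debug output."""
    return [
        {"mech": m["mech"], "dn": m["dn"], "ssf": int(m["ssf"])}
        for m in BIND_LINE_RE.finditer(log_text)
    ]


if __name__ == "__main__":
    for bind in parse_sasl_binds(SAMPLE_LOG):
        print("bound:", bind)
    for realm in ("WS.NSRC.ORG", "OTHER.EXAMPLE"):  # second realm is constructed
        princ = f"inst/admin@{realm}"
        for include_realm in (False, True):
            dn = principal_to_authcdn(princ, include_realm)
            print(f"{princ:28} realm_in_dn={include_realm!s:5} {dn:50} "
                  f"post_acl={acl_grants_manage(dn)} "
                  f"realm_acl={acl_grants_manage(dn, REALM_ACL_RE)}")
```

Running it shows the two sides of the question: without the cn=<realm> component, inst/admin from any realm maps to the identical DN and the post's ACL grants manage to all of them, which is exactly the cross-realm concern raised in (1); with the component present, the post's regex no longer matches at all and the clause has to name the realm, which is also what makes a per-realm decision possible.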