
I've run into some problems getting OpenLDAP on FreeBSD (8.2-STABLE) to authenticate using Kerberos tickets. I hope I've just had a brain glitch, so please feel free to let me know that I've missed something obvious.

Here's where things are:

  • Kerberos works just fine.

    I can acquire credentials using kinit, and I can use these credentials for authentication (for example, for ssh or telnet login).

  • OpenLDAP is installed and works with basic authentication.

  • slapd is clearly linked against the SASL libraries; ldd .../slapd reports:

    libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800d07000)
    
  • There exists /usr/local/lib/sasl2/slapd.conf with the following contents:

    mech_list: GSSAPI
    
  • slapd reports that it supports GSSAPI authentication:

    $ ldapsearch -x -b '' -s base supportedSASLMechanisms
    dn:
    supportedSASLMechanisms: GSSAPI
    
  • There exists /etc/krb5.keytab with keys for host/<myhostname> and ldap/<myhostname>.

  • The sample SASL server/client appear to work fine with gssapi authentication:

    # server -p 2222 -s ldap -m gssapi
    

    Followed by:

    # client -p 2222 -s ldap -m gssapi
    

    Ultimately results in:

    successful authentication
    

And yet...

I have been unable to get slapd to accept GSSAPI authentication. Simply trying to run ldapwhoami, with a valid Kerberos ticket, results in the following error:

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
    additional info: SASL(-1): generic failure: GSSAPI Error:  No credentials were supplied, or the credentials were unavailable or inaccessible. (unknown mech-code 0 for mech unknown)

The same error is logged by slapd. I've sort of hit a wall here; slapd even with various debugging turned on isn't providing me with anything useful. Help?

Update: Just for kicks I decided to try setting up OpenLDAP inside a Linux (CentOS 5) jail to see if the behavior was any different. After rebuilding the OpenLDAP packages (FreeBSD's Linux support does not include the epoll() system call), it was giving me error messages that seemed a little more useful (regarding missing Kerberos principals). It at least seemed to be performing the GSSAPI negotiation correctly. So it looks like this is a FreeBSD issue...maybe? Hoping for input from somebody out there.

larsks

2 Answers


And...mysteriously it's started working. For the record, here is what seems to be a repeatable process:

  • Install security/cyrus-sasl2.
  • Install net/openldap24-server. Make sure to enable SASL support.
  • Install net/openldap24-client, also with SASL support.
  • Initialize Kerberos per the handbook. Make sure to add the appropriate ldap/... principal.
  • Make sure slapd will be able to read a keytab file. The simplest mechanism is:

    chgrp ldap /etc/krb5.keytab
    chmod g+r /etc/krb5.keytab
    
  • Configure slapd for SASL. You will probably want to set sasl-host, sasl-realm, and sasl-regexp.
  • Configure appropriate values for BASE and URI in /usr/local/etc/openldap/ldap.conf.

Test by acquiring a Kerberos ticket and then running ldapwhoami -Y GSSAPI.

larsks

I had the exact same issue and in the end found out it was because I had set sasl-host in slapd.conf to be the Kerberos server hostname.

When I changed sasl-host to be the LDAP hostname (e.g. sasl-host ldap.example.com) it worked correctly.

Sina S
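As an added example (not code from either answer), a small shell pre-flight check that reads the sasl-host and sasl-realm directives from a slapd.conf fragment and confirms that the keytab listing contains a matching ldap/<sasl-host>@<realm> key, the mismatch the second answer describes and the first answer's sasl-host step depends on. The hostnames, realm, config fragments and klist output below are constructed sample data.

```shell
#!/bin/sh
# Added example: check that slapd's sasl-host has an ldap/ key in the keytab.
# All values below are constructed; substitute real slapd.conf contents and
# the output of `klist -k /etc/krb5.keytab` in practice.

# Constructed slapd.conf fragment with sasl-host pointing at the KDC (wrong).
SLAPD_CONF_BAD='sasl-host kdc.example.com
sasl-realm EXAMPLE.COM
sasl-regexp uid=(.*),cn=EXAMPLE.COM,cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1)'

# Constructed slapd.conf fragment with sasl-host set to the LDAP host (right).
SLAPD_CONF_GOOD='sasl-host ldap.example.com
sasl-realm EXAMPLE.COM'

# Constructed `klist -k` output for a keytab holding host/ and ldap/ keys.
KEYTAB_LIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   2 host/ldap.example.com@EXAMPLE.COM
   2 ldap/ldap.example.com@EXAMPLE.COM'

# Print the value of the first occurrence of a slapd.conf directive.
conf_value() {
    printf '%s\n' "$1" | awk -v key="$2" '$1 == key { print $2; exit }'
}

# Succeed when the keytab listing has an entry whose principal is exactly
# ldap/<host>@<realm> (second column of each KVNO line).
keytab_has_ldap_key() {
    printf '%s\n' "$1" | awk -v p="ldap/$2@$3" '$2 == p { found = 1 } END { exit !found }'
}

# Succeed when sasl-host/sasl-realm from the config resolve to a key slapd can
# actually use; otherwise report the mismatch and fail.
check_sasl_host() {
    conf="$1"; keytab="$2"
    host=$(conf_value "$conf" sasl-host)
    realm=$(conf_value "$conf" sasl-realm)
    if [ -z "$host" ] || [ -z "$realm" ]; then
        echo "sasl-host or sasl-realm not set"; return 1
    fi
    if keytab_has_ldap_key "$keytab" "$host" "$realm"; then
        echo "ok: keytab has ldap/$host@$realm"; return 0
    fi
    echo "mismatch: sasl-host is $host but keytab has no ldap/$host@$realm"
    return 1
}

check_sasl_host "$SLAPD_CONF_BAD" "$KEYTAB_LIST" || :
check_sasl_host "$SLAPD_CONF_GOOD" "$KEYTAB_LIST" || :
```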