I'm looking for how to add GSSAPI support to my OpenLDAP.
Current setup
MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampluser)
Able to ldapsearch -x uid=exampluser
Openldap side
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
Client Side
client% ldapsearch uid=exampleuser
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Client ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI
Obviously, the error is clear enough: my LDAP request didn't find the mechanism to authenticate with.
I've been through many tutorials and explanations, but still can't find anywhere how to "add" that mechanism.
Thanks to "What is SASL/GSSAPI?" for all the awesome explanations.
Update for user 473183469
I've generated a keytab just for LDAP, which I've copied to /etc/ldap/ldap.keytab, and edited /etc/default/slapd according to https://help.ubuntu.com/community/SingleSignOn, which asks to uncomment and set the path: export KRB5_KTNAME=/etc/ldap/ldap.keytab
That LDAP keytab was generated like this:
kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM
I also have a /etc/krb5.keytab that was created at the beginning of the installation:
kadmin.local: listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the ldap, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM
The ktutil result:
# ktutil
ktutil: read_kt /etc/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ldap/ldap.example.com@EXAMPLE.COM
2 2 ldap/ldap.example.com@EXAMPLE.COM
3 2 ldap/ldap.example.com@EXAMPLE.COM
4 2 ldap/ldap.example.com@EXAMPLE.COM
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ldap/ldap.example.com@EXAMPLE.COM
2 2 ldap/ldap.example.com@EXAMPLE.COM
3 2 ldap/ldap.example.com@EXAMPLE.COM
4 2 ldap/ldap.example.com@EXAMPLE.COM
5 2 kadmin/kdc.example.com@EXAMPLE.COM
6 2 kadmin/kdc.example.com@EXAMPLE.COM
7 2 kadmin/kdc.example.com@EXAMPLE.COM
8 2 kadmin/kdc.example.com@EXAMPLE.COM
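The question boils down to three preconditions for a SASL/GSSAPI bind: the server must advertise GSSAPI in its root DSE, the client's Cyrus SASL library must have the GSSAPI plugin, and the keytab slapd reads must contain the ldap/ service principal. The script below is an added diagnostic example, not code from the original question or from OpenLDAP; it checks those three points against a constructed copy of the root DSE output shown above. The plugin directories, the library name libgssapiv2.so and the use of MIT `klist -k` are assumptions for a Debian/Ubuntu-style install and should be adjusted elsewhere.

```shell
#!/bin/sh
# Added diagnostic example (not part of the original question).
# Assumes a Debian/Ubuntu-style layout for the Cyrus SASL plugin directories
# and MIT Kerberos' klist(1); adjust the paths for other distributions.

# Constructed sample: the root DSE answer from the question, which lists no
# GSSAPI mechanism. Replace it with live output from
#   ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN'

# Print one mechanism name per line from the root DSE output given as $1.
list_mechs() {
    printf '%s\n' "$1" | sed -n 's/^supportedSASLMechanisms: *//p'
}

# Number of mechanisms advertised in the root DSE output $1.
count_mechs() {
    list_mechs "$1" | grep -c .
}

# Succeed when mechanism $2 is advertised in the root DSE output $1.
server_offers() {
    list_mechs "$1" | grep -qx "$2"
}

# Succeed when a Cyrus SASL GSSAPI plugin library is installed locally
# (assumed plugin directories and file name).
gssapi_plugin_installed() {
    for d in /usr/lib/sasl2 /usr/lib/x86_64-linux-gnu/sasl2 /usr/lib64/sasl2; do
        [ -e "$d/libgssapiv2.so" ] && return 0
    done
    return 1
}

# Succeed when keytab $2 is readable and lists principal $1 (MIT klist -k).
keytab_has_principal() {
    [ -r "$2" ] && klist -k "$2" 2>/dev/null | grep -qF " $1"
}

# Print a short report on the three preconditions for a GSSAPI bind.
report() {
    rootdse=$1
    if server_offers "$rootdse" GSSAPI; then
        echo "server: GSSAPI advertised"
    else
        echo "server: GSSAPI not advertised (slapd's Cyrus SASL has no usable GSSAPI mechanism)"
    fi
    if gssapi_plugin_installed; then
        echo "client: libgssapiv2.so found"
    else
        echo "client: libgssapiv2.so missing (install the Cyrus SASL GSSAPI module)"
    fi
    if keytab_has_principal "ldap/ldap.example.com@EXAMPLE.COM" /etc/ldap/ldap.keytab; then
        echo "keytab: service principal present in /etc/ldap/ldap.keytab"
    else
        echo "keytab: service principal not found or keytab unreadable"
    fi
}

report "$SAMPLE_ROOTDSE"
```

Run against the sample, the report shows the server side as the first thing to fix: until the root DSE lists GSSAPI, the client-side "Couldn't find mech GSSAPI" error will not go away by editing ldap.conf alone, since `SASL_MECH GSSAPI` only tells the client which mechanism to ask for. The keytab check runs as the invoking user, so it must be run as a user who can read the keytab, or the third line will report it as unreadable.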