
I'm looking for how to add GSSAPI support to my OpenLDAP.

Current setup

MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampleuser)
Able to ldapsearch -x uid=exampleuser

Openldap side

server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms

    ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

Client Side

client% ldapsearch uid=exampleuser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI

Client ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE        dc=example,dc=com
URI         ldap://ldap.example.com
SASL_MECH   GSSAPI

Obviously, the error is clear enough to explain that my ldap request didn't find the mechanism to auth.

I've been through many tutorials and explanations, but still can't find anywhere how to "add" that mechanism.

Thanks to What is SASL/GSSAPI? for all the awesome explanations.

Update for user 473183469

I've generated a keytab just for the LDAP server, which I've copied to /etc/ldap/ldap.keytab, and edited /etc/default/slapd according to https://help.ubuntu.com/community/SingleSignOn, which asks you to uncomment the line and give the path: export KRB5_KTNAME=/etc/ldap/ldap.keytab

That ldap keytab was generated like this:

kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM

I also have a /etc/krb5.keytab that was created at the beginning of the installation

kadmin.local:  listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the ldap, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM

The ktutil result

# ktutil
ktutil:  read_kt /etc/ldap.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2            ldap/ldap.example.com@EXAMPLE.COM
   2    2            ldap/ldap.example.com@EXAMPLE.COM
   3    2            ldap/ldap.example.com@EXAMPLE.COM
   4    2            ldap/ldap.example.com@EXAMPLE.COM
ktutil:  read_kt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2            ldap/ldap.example.com@EXAMPLE.COM
   2    2            ldap/ldap.example.com@EXAMPLE.COM
   3    2            ldap/ldap.example.com@EXAMPLE.COM
   4    2            ldap/ldap.example.com@EXAMPLE.COM
   5    2           kadmin/kdc.example.com@EXAMPLE.COM
   6    2           kadmin/kdc.example.com@EXAMPLE.COM
   7    2           kadmin/kdc.example.com@EXAMPLE.COM
   8    2           kadmin/kdc.example.com@EXAMPLE.COM
Tolsadus

3 Answers


SOLVED

I was missing SASL_MECH GSSAPI and SASL_REALM in /etc/ldap/ldap.conf

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI ldap://ldap.example.com    
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

Now I can just ldapsearch uid=user directly with a kerberos ticket and get the following:

SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

Of course, if I don't have a kerberos ticket (which makes sense):

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)
Tolsadus
  • While I'm glad you got your system working, I doubt that the answer you've provided is correct. As `ldap.conf` applies strictly to clients it should not alter the `supportedSASLMechanisms` provided by a server. From `LDAP.CONF(5)`: `The ldap.conf configuration file is used to set system-wide defaults to be applied when running ldap clients.` – 84104 Feb 28 '17 at 17:29
  • True. I will have a look at that slapd.conf file tomorrow; it might actually be the "good" answer. – Tolsadus Feb 28 '17 at 17:33

You'll want to change your sasl configuration for slapd, usually /etc/sasl2/slapd.conf, to include gssapi.

For example:

mech_list: external gssapi plain
pwcheck_method: saslauthd

You'll need to restart slapd afterwards.

84104
  • I use cn=config for my ldap, not the slapd.conf file. However, I've got a /etc/ldap/sasl2 folder that is empty? – Tolsadus Feb 28 '17 at 07:42
  • Although the name is the same, there is a different `slapd.conf` just for SASL. It is a separate thing from your `cn=config` slapd.d. Please give a try to what super-competent user 84104 told you. – 473183469 Feb 28 '17 at 11:29
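The server-side fix in this answer (a mech_list in the Cyrus SASL slapd.conf, then a slapd restart) and the client-side ldap.conf change in the accepted answer above are each worth verifying rather than assuming. The script below is an added example, not code from the original post, from either answerer, or from the OpenLDAP project. The hostname ldap.example.com, realm EXAMPLE.COM and keytab path /etc/ldap/ldap.keytab are taken from the question; the SASL config path /etc/sasl2/slapd.conf is the one this answer names; the service account name `openldap` and the minimum acceptable SSF of 56 are assumptions chosen for illustration. The parsing helpers take their input on stdin so they can be exercised against captured output without a KDC.

```shell
#!/bin/sh
# Added example, not from the original post or the OpenLDAP project.
# Server side: confirm slapd's keytab and Cyrus SASL mech_list are right and that
# the rootDSE advertises GSSAPI. Client side: confirm a GSSAPI bind negotiated a
# security layer (SASL SSF) instead of quietly falling back to a weaker bind.
# Assumed values (override via the environment): host, realm and keytab path from
# the question; SASL config path from the answer; slapd account "openldap"
# (Debian/Ubuntu default) and minimum SSF 56 are illustrative assumptions.
LDAP_FQDN="${LDAP_FQDN:-ldap.example.com}"
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/ldap/ldap.keytab}"
SASL_CONF="${SASL_CONF:-/etc/sasl2/slapd.conf}"
SLAPD_USER="${SLAPD_USER:-openldap}"
MIN_SSF="${MIN_SSF:-56}"

# keytab_has_principal PRINCIPAL  (reads `klist -k` output on stdin)
# klist -k prints a header, then one "KVNO Principal" line per key; match column 2.
keytab_has_principal() {
    awk -v p="$1" '$2 == p { found = 1 } END { exit !found }'
}

# has_mech MECH  (reads rootDSE LDIF on stdin)
# exit 0 when the server lists MECH under supportedSASLMechanisms.
has_mech() {
    grep -q "^supportedSASLMechanisms: $1\$"
}

# sasl_config MECH...  prints the Cyrus SASL config slapd reads. mech_list is space
# separated; a mechanism not listed is refused even if its plugin is installed.
sasl_config() {
    printf 'mech_list: %s\n' "$*"
}

# bind_ssf  (reads ldapsearch output on stdin)
# prints the negotiated SASL SSF, or 0 when no security layer was installed.
bind_ssf() {
    awk -F': ' '/^SASL SSF:/ { ssf = $2 } END { print ssf + 0 }'
}

# check_server: run on the LDAP host as root.
check_server() {
    klist -k "$KEYTAB" | keytab_has_principal "ldap/$LDAP_FQDN@$REALM" || {
        echo "$KEYTAB has no ldap/$LDAP_FQDN@$REALM key" >&2
        return 1
    }
    # slapd reads the keytab itself, so the service account needs read access.
    su -s /bin/sh -c "test -r '$KEYTAB'" "$SLAPD_USER" || {
        echo "$KEYTAB is not readable by $SLAPD_USER; slapd cannot accept GSSAPI" >&2
        return 1
    }
    if ! grep -qi '^mech_list:.*gssapi' "$SASL_CONF" 2>/dev/null; then
        echo "$SASL_CONF does not enable gssapi; suggested content:" >&2
        sasl_config external gssapi >&2
        return 1
    fi
    # ldapi:/// is a local socket, so no -Z: StartTLS is exactly what failed in the question.
    ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms | has_mech GSSAPI || {
        echo "slapd does not advertise GSSAPI: restart slapd after editing $SASL_CONF" >&2
        return 1
    }
    echo "server OK: GSSAPI advertised, keytab in place"
}

# check_client: run as a user holding a TGT (kinit first). -Y GSSAPI forces the
# mechanism so a wrong ldap.conf fails loudly instead of silently binding another way.
check_client() {
    out=$(ldapsearch -Y GSSAPI -H "ldap://$LDAP_FQDN" -b "" -s base -LLL 1.1 2>&1)
    ssf=$(printf '%s\n' "$out" | bind_ssf)
    if [ "$ssf" -lt "$MIN_SSF" ]; then
        echo "GSSAPI bind installed no security layer of at least $MIN_SSF (got $ssf):" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
    echo "client OK: SASL SSF $ssf"
}

if [ $# -gt 0 ]; then
    case "$1" in
        server) check_server ;;
        client) check_client ;;
        *) echo "usage: $0 server|client" >&2; exit 2 ;;
    esac
fi
```

Run it as `sh gssapi-check.sh server` on the LDAP host after the slapd restart, and as `sh gssapi-check.sh client` on a workstation after `kinit`. The client check deliberately asserts on the `SASL SSF:` line rather than on the bind succeeding: a bind that succeeds with SSF 0 means the Kerberos exchange ran but no integrity or confidentiality layer protects the LDAP traffic that follows.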

Aren't you simply missing the /etc/krb5.keytab file with ldap/fqdn as SPN?

I don't think you need to set any of the GSSAPI-related SASL switches on OpenLDAP, as the defaults are fine and forcing e.g. the realm is more trouble than it's worth.

473183469