Openldap
在支持的SASLMechanisms中將GSSAPI添加到OpenLdap
我正在尋找如何將 GSSAPI 支持添加到我的 OpenLDAP 中?
目前設置
MIT Kerberos V + OpenLDAP Kerberos bind to openldap Able to issue kerberos tickets to my users (with kinit exampluser) Able to ldapsearch -x uid=exampluser
Openldap端
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms ldap_start_tls: Protocol error (2) additional info: unsupported extended operation dn: supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: NTLM supportedSASLMechanisms: LOGIN supportedSASLMechanisms: PLAIN
客戶端
client% ldapsearch uid=exampleuser SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Authentication method not supported (7) additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
客戶端 ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=example,dc=com URI ldap://ldap.example.com SASL_MECH GSSAPI
顯然,錯誤很清楚,可以解釋我的 ldap 請求沒有找到驗證機制。
我經歷了許多教程和解釋,但仍然無法找到如何“添加”該機制的任何地方。
謝謝什麼是 SASL/GSSAPI?對於所有令人敬畏的解釋。
為使用者 473183469 更新
我已經為 ldap 生成了一個密鑰表,我在**/etc/ldap/ldap.keytab中複製了它,並根據https://help.ubuntu.com/community/SingleSignOn編輯了/etc/default/slapd要求取消註釋並給出導出 KRB5_KTNAME=/etc/ldap/ldap.keytab的路徑**
那個 ldap keytab 是這樣生成的
kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM
我還有一個在安裝開始時創建的 /etc/krb5.keytab
kadmin.local: listprincs admin@EXAMPLE.COM K/M@EXAMPLE.COM krbtgt/EXAMPLE.COM@EXAMPLE.COM kadmin/admin@EXAMPLE.COM kadmin/changepw@EXAMPLE.COM kadmin/history@EXAMPLE.COM kadmin/kdc.example.com@EXAMPLE.COM user1@example.com (also in the ldap, can issue a ticket and everything) user2@example.com (same for him) ldap/ldap.example.com@EXAMPLE.COM
ktutil 結果
# ktutil ktutil: read_kt /etc/ldap.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 ldap/ldap.example.com@EXAMPLE.COM 2 2 ldap/ldap.example.com@EXAMPLE.COM 3 2 ldap/ldap.example.com@EXAMPLE.COM 4 2 ldap/ldap.example.com@EXAMPLE.COM ktutil: read_kt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 ldap/ldap.example.com@EXAMPLE.COM 2 2 ldap/ldap.example.com@EXAMPLE.COM 3 2 ldap/ldap.example.com@EXAMPLE.COM 4 2 ldap/ldap.example.com@EXAMPLE.COM 5 2 kadmin/kdc.example.com@EXAMPLE.COM 6 2 kadmin/kdc.example.com@EXAMPLE.COM 7 2 kadmin/kdc.example.com@EXAMPLE.COM 8 2 kadmin/kdc.example.com@EXAMPLE.COM
解決了
我失踪
SASL_MECH GSSAPI
了SASL_REAM``/etc/ldap/ldap.conf
[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=example,dc=com URI ldap://ldap.example.com SASL_MECH GSSAPI SASL_REALM EXAMPLE.COM
現在我可以直接使用 kerberos 票證 ldapsearch uid=user 並獲取
SASL/GSSAPI authentication started SASL username: user@EXAMPLE.COM SASL SSF: 112 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: uid=user # requesting: ALL #
當然,如果我沒有 kerberos 票(這是有道理的)
client% ldapsearch uid=gleger SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found)