Openldap

Adding GSSAPI to the supportedSASLMechanisms of OpenLDAP

  • August 1, 2017

I am looking for how to add GSSAPI support to my OpenLDAP.

Current setup

MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampluser)
Able to ldapsearch -x uid=exampluser

OpenLDAP side

server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms

   ldap_start_tls: Protocol error (2)
   additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

Client side

client% ldapsearch uid=exampleuser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
   additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI

Client ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE        dc=example,dc=com
URI         ldap://ldap.example.com
SASL_MECH   GSSAPI

Obviously the error is clear and explains that my ldap request did not find the authentication mechanism.

I have gone through many tutorials and explanations but still cannot find anywhere how to "add" that mechanism.

Thanks to "What is SASL/GSSAPI?" for all the awesome explanations.

Update for user 473183469

I have generated a keytab for ldap, copied it to **/etc/ldap/ldap.keytab** and, following https://help.ubuntu.com/community/SingleSignOn, edited /etc/default/slapd, which asks to uncomment and give the path in **export KRB5_KTNAME=/etc/ldap/ldap.keytab**

That ldap keytab was generated like this

kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM

I also have an /etc/krb5.keytab that was created at the beginning of the install

kadmin.local:  listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the ldap, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM

ktutil result

# ktutil
ktutil:  read_kt /etc/ldap.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  1    2            ldap/ldap.example.com@EXAMPLE.COM
  2    2            ldap/ldap.example.com@EXAMPLE.COM
  3    2            ldap/ldap.example.com@EXAMPLE.COM
  4    2            ldap/ldap.example.com@EXAMPLE.COM
ktutil:  read_kt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  1    2            ldap/ldap.example.com@EXAMPLE.COM
  2    2            ldap/ldap.example.com@EXAMPLE.COM
  3    2            ldap/ldap.example.com@EXAMPLE.COM
  4    2            ldap/ldap.example.com@EXAMPLE.COM
  5    2           kadmin/kdc.example.com@EXAMPLE.COM
  6    2           kadmin/kdc.example.com@EXAMPLE.COM
  7    2           kadmin/kdc.example.com@EXAMPLE.COM
  8    2           kadmin/kdc.example.com@EXAMPLE.COM

Solved

I was missing `SASL_MECH GSSAPI` and `SASL_REALM` in `/etc/ldap/ldap.conf`

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI ldap://ldap.example.com    
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

Now I can run ldapsearch uid=user directly with a kerberos ticket and get

SASL/GSSAPI authentication started
SASL username: user@EXAMPLE.COM
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

Of course, if I don't have a kerberos ticket (which makes sense)

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
   additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)
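The two things the thread ends up verifying by hand (does the rootDSE advertise GSSAPI, and does the keytab slapd reads hold the ldap/<fqdn>@REALM service principal) can be scripted. The following is an added example, not code from the ServerFault post; the sample ldapsearch and ktutil output embedded in it is constructed to look like the output above, and the function names (`has_sasl_mech`, `keytab_has_principal`, `check_gssapi_ready`, `fetch_sasl_mechs`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the ServerFault post): offline checks that mirror the
# two facts the post confirms by hand -- whether the directory advertises GSSAPI
# in supportedSASLMechanisms, and whether a keytab listing carries the
# ldap/<fqdn>@REALM service principal slapd needs via KRB5_KTNAME.

# Constructed sample: rootDSE output from
#   ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms
ROOTDSE_SAMPLE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL'

# Constructed sample: output of ktutil "list" after read_kt /etc/ldap/ldap.keytab
KEYTAB_SAMPLE='slot KVNO Principal
---- ---- ----------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM'

# has_sasl_mech MECH   (rootDSE text on stdin)
# Returns 0 when the server lists MECH among supportedSASLMechanisms.
has_sasl_mech() {
    grep -q "^supportedSASLMechanisms: $1\$"
}

# keytab_has_principal PRINCIPAL   (ktutil "list" text on stdin)
# Returns 0 when some slot holds PRINCIPAL; the slot and KVNO columns are ignored.
keytab_has_principal() {
    awk -v p="$1" 'NR > 2 && $3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# fetch_sasl_mechs URI: the live query from the post, without -Z, because
# StartTLS does not apply over the ldapi:// Unix socket (the source of the
# "unsupported extended operation" lines in the post).
fetch_sasl_mechs() {
    ldapsearch -x -H "$1" -b "" -LLL -s base supportedSASLMechanisms
}

# check_gssapi_ready ROOTDSE_TEXT KEYTAB_TEXT FQDN REALM
# Prints a verdict per check; returns 0 only when both checks pass.
check_gssapi_ready() {
    ok=0
    if printf '%s\n' "$1" | has_sasl_mech GSSAPI; then
        echo "server offers GSSAPI"
    else
        echo "server does not offer GSSAPI (check the SASL GSSAPI plugin and KRB5_KTNAME)"
        ok=1
    fi
    if printf '%s\n' "$2" | keytab_has_principal "ldap/$3@$4"; then
        echo "keytab holds ldap/$3@$4"
    else
        echo "keytab is missing ldap/$3@$4"
        ok=1
    fi
    return $ok
}

# Run against the constructed samples. For a live check, pass
# "$(fetch_sasl_mechs ldapi:///)" and the real ktutil/klist -k output instead.
check_gssapi_ready "$ROOTDSE_SAMPLE" "$KEYTAB_SAMPLE" ldap.example.com EXAMPLE.COM
```

Run it on the directory host as a user allowed to read the keytab; if the rootDSE check fails while the keytab check passes, the likely cause is on the slapd side (missing Cyrus SASL GSSAPI plugin or an unset KRB5_KTNAME), whereas a client that gets "Couldn't find mech GSSAPI" while the server does advertise it points at the client's own SASL plugins or ldap.conf, as in the post.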

Quoted from: https://serverfault.com/questions/834523