Hello,
I'm setting up an openldap server for Kerberos (GSSAPI) authentication only. I'm using slapd-2.4.21 from Ubuntu 10.04.1.
It's basically working, and I had to do very little other than change export KRB5_KTNAME in /etc/default/slapd to point to the service keytab.
However, there are a couple of strange things which I wonder if someone could help me with.
(1) According to the documentation at http://www.openldap.org/doc/admin24/sasl.html#GSSAPI, the authentication DN should be uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
However, running slapd in debug mode I see the cn=<realm> is missing. Here I have a ticket for inst/admin@WS.NSRC.ORG and run slapd -d 255:
...
do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="inst/admin"
slap_sasl_getdn: conn 1000 id=inst/admin [len=10]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=inst/admin,cn=GSSAPI,cn=auth)=0
slap_sasl_getdn: u:id converted to uid=inst/admin,cn=GSSAPI,cn=auth
dnNormalize: <uid=inst/admin,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=inst/admin,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=inst/admin,cn=GSSAPI,cn=auth)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=inst/admin,cn=gssapi,cn=auth)=0
<<< dnNormalize: <uid=inst/admin,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=inst/admin,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=inst/admin,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="inst/admin" authzid="inst/admin"
SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=inst/admin,cn=gssapi,cn=auth" sasl_ssf=56
...
==> limits_get: conn=1000 op=3 self="uid=inst/admin,cn=gssapi,cn=auth" this="dc=ws,dc=nsrc,dc=org"
...
Now this works, if I change my ACL to
olcAccess: {0}to * by dn.regex="^uid=([^,]+)/admin,cn=gssapi,cn=auth$" manage by users read
However, I wonder why the realm is missing, and whether it can be included (because in future, if I end up with a cross-realm setup, I'll want to see the realm for authorization).
Is this a documentation error, or is there some configuration option which needs setting to preserve the realm?
(2) I would like to be able to do ldapsearch without specifying -Y GSSAPI explicitly. However, if I omit it, the client picks DIGEST-MD5 instead (which isn't much use, since I have no passwords in the database):
# ldapsearch -b "ds=ws,dc=nsrc,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password:
Adding -d 255 I see that the server is offering these:
...
ldap_sasl_interactive_bind_s: server supports: NTLM DIGEST-MD5 GSSAPI CRAM-MD5
ldap_int_sasl_bind: NTLM DIGEST-MD5 GSSAPI CRAM-MD5
...
How can I configure the server not to offer the other authentication mechanisms, or else to put GSSAPI at the front of the list?
Thanks,
Brian.
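The authorization point raised in question (1), as an added example that is not part of the message above: it models the two SASL DN forms (the realm-less one the slapd trace shows and the realm-qualified one the admin guide documents) and runs the post's dn.regex ACL over them. The foreign-realm principal and the realm-aware regex variant are hypothetical, constructed for the comparison.

```python
import re

# Regex from the olcAccess clause in the post: it keys the "manage"
# privilege on the primary/instance part of the mapped DN only.
ADMIN_ACL = re.compile(r"^uid=([^,]+)/admin,cn=gssapi,cn=auth$")

# Hypothetical realm-qualified variant (not from the post) for the DN form
# the admin guide documents, pinned to the WS.NSRC.ORG realm.
ADMIN_ACL_REALM = re.compile(
    r"^uid=([^,]+)/admin,cn=ws\.nsrc\.org,cn=gssapi,cn=auth$")


def sasl_authc_dn(principal, include_realm):
    """Model the SASL authentication DN slapd derives from a GSSAPI authcid.

    include_realm=False reproduces what the slapd -d 255 trace in the post
    shows (uid=inst/admin,cn=gssapi,cn=auth); include_realm=True reproduces
    the documented uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth form.
    The result is lower-cased, as dnNormalize did to cn=GSSAPI in the trace.
    """
    name, _, realm = principal.partition("@")
    if include_realm and realm:
        dn = f"uid={name},cn={realm},cn=gssapi,cn=auth"
    else:
        dn = f"uid={name},cn=gssapi,cn=auth"
    return dn.lower()


def acl_grants_manage(dn, acl=ADMIN_ACL):
    """True if the ACL regex would give this bound DN the manage privilege."""
    return acl.fullmatch(dn) is not None


if __name__ == "__main__":
    # Constructed principals: the one from the post and a hypothetical
    # same-named principal in a foreign realm reached via cross-realm trust.
    local = "inst/admin@WS.NSRC.ORG"
    foreign = "inst/admin@OTHER.EXAMPLE"
    for p in (local, foreign):
        for with_realm in (False, True):
            dn = sasl_authc_dn(p, with_realm)
            print(f"{p:26} realm_in_dn={with_realm!s:5} {dn:50} "
                  f"manage={acl_grants_manage(dn)} "
                  f"manage_realm_aware={acl_grants_manage(dn, ADMIN_ACL_REALM)}")
```

Without the realm in the DN, the two principals are indistinguishable to the ACL; with it, the original regex no longer matches at all and a realm-aware regex is needed.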