Hello all,
I'm trying to set up OpenLDAP to authenticate using my Kerberos service, but I'm not having success so far. I've already set up MIT Kerberos V and I can successfully get tickets from it:
root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
        renew until 06/24/10 09:44:46
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The saslauthd output looks like this:
saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth         : auth success: [user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request      : response: OK
I've set up my user account on LDAP like this:
dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z
The userPassword value translates to {SASL}diego.lima@USERS
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
And on the slapd output:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
  0000:  30 53 02 01 01 60 4e 02                            0S...`N.
ldap_read: want=77, got=77
  0000:  01 03 04 41 6b 72 62 50 72 69 6e 63 69 70 61 6c   ...AkrbPrincipal
  0010:  4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 6d 61 40   Name=diego.lima@
  0020:  55 53 45 52 53 2c 63 6e 3d 55 53 45 52 53 2c 64   USERS,cn=USERS,d
  0030:  63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 6f 6d 2c   c=domain,dc=com,
  0040:  64 63 3d 62 72 80 06 31 32 33 34 35 36            dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
  0000:  02 01 01 60 4e 02 01 03 04 41 6b 72 62 50 72 69   ...`N....AkrbPri
  0010:  6e 63 69 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f   ncipalName=diego
  0020:  2e 6c 69 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55   .lima@USERS,cn=U
  0030:  53 45 52 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64   SERS,dc=domain,d
  0040:  63 3d 63 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33   c=com,dc=br..123
  0050:  34 35 36                                          456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
  0000:  60 4e 02 01 03 04 41 6b 72 62 50 72 69 6e 63 69   `N....AkrbPrinci
  0010:  70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69   palName=diego.li
  0020:  6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 53 45 52   ma@USERS,cn=USER
  0030:  53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63   S,dc=domain,dc=c
  0040:  6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 34 35 36   om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
  0000:  00 06 31 32 33 34 35 36                            ..123456
>>> dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>
=> ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0)
<= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>, <krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
do_bind: version=3 dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
==> hdb_bind: dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00         0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00         0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
I see nothing on the saslauthd output when I try to log in. Did I miss anything? Please note that I'm trying to use the same kerberos principal as my user, and this is intended. I did try adding another user (account and posixAccount objectClasses) with a separate kerberos principal and that did not work either.
Lastly, here is my slapd.conf:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args

loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_hdb

sizelimit       500
tool-threads    1

backend         hdb

database        hdb
suffix          "dc=domain,dc=com,dc=br"
rootdn          "cn=admin,dc=domain,dc=com,dc=br"
directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

lastmod         on
checkpoint      512 30

access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by anonymous auth
        by self write
        by * none

access to dn.base=""
        by * read

access to *
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by * read
Thanks for the help!
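The post hinges on two things that are easy to get subtly wrong: the `{SASL}` value in `userPassword` must decode to exactly the identity the SASL password checker will be asked about, and the slapd debug log has to be read to see whether the simple bind ever reached the SASL pass-through step before `err=49` came back. The script below is an added example (it is not from the post or from the OpenLDAP project): it parses a trimmed copy of the entry above, decodes the base64 `userPassword::` value, confirms the `{SASL}` authcid matches `krbPrincipalName`, and then audits a few constructed slapd log lines (taken from the trace above) to pair each BIND with its RESULT and flag failed binds together with whether a `SASL Canonicalize` line was seen for that connection. The function names and the sample data are the example's own; the large binary attribute values are left out.

```python
import base64
import re

# Constructed sample: a trimmed copy of the LDIF entry from the post.
# krbPrincipalKey and krbExtraData are omitted because their values are not on the page.
SAMPLE_LDIF = """\
dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
objectClass: krbPrincipal
objectClass: posixAccount
uid: diego.lima
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
"""

# Constructed sample: the three slapd debug lines that matter for the bind outcome.
SAMPLE_SLAPD_LOG = [
    'conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128',
    'SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"',
    'conn=35 op=0 RESULT tag=97 err=49 text=',
]


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.
    A '::' separator marks a base64-encoded value, which is decoded here."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("::")
        if sep:
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:
            name, _, value = line.partition(":")
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def check_sasl_passthrough(attrs):
    """Return (ok, detail). ok is True only when userPassword uses the {SASL}
    scheme and its authcid is exactly the entry's krbPrincipalName, so the
    password offered in a simple bind is checked against the same principal."""
    pw = attrs.get("userPassword", [""])[0]
    m = re.match(r"\{SASL\}(.+)$", pw, re.IGNORECASE)
    if not m:
        return False, "userPassword does not use the {SASL} scheme: %r" % pw
    authcid = m.group(1)
    principal = attrs.get("krbPrincipalName", [""])[0]
    if authcid != principal:
        return False, "authcid %r differs from krbPrincipalName %r" % (authcid, principal)
    return True, authcid


BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
SASL_RE = re.compile(r'SASL Canonicalize \[conn=(\d+)\]: authcid="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')


def audit_bind_log(lines):
    """Pair BIND requests with their RESULT lines and return one dict per failed
    bind: conn, dn, method (128 = simple), err, and sasl_attempted, which is True
    when slapd logged a SASL Canonicalize step for that connection before failing."""
    binds = {}
    sasl_seen = set()
    failures = []
    for line in lines:
        m = BIND_RE.search(line)
        if m:
            binds[(m.group(1), m.group(2))] = (m.group(3), int(m.group(4)))
            continue
        m = SASL_RE.search(line)
        if m:
            sasl_seen.add(m.group(1))
            continue
        m = RESULT_RE.search(line)
        if m and m.group(3) != "0":
            dn, method = binds.get((m.group(1), m.group(2)), ("", 0))
            failures.append({
                "conn": m.group(1), "dn": dn, "method": method,
                "err": int(m.group(3)), "sasl_attempted": m.group(1) in sasl_seen,
            })
    return failures


if __name__ == "__main__":
    entry = parse_ldif_entry(SAMPLE_LDIF)
    print("userPassword decodes to:", entry["userPassword"][0])
    print("{SASL} mapping check:", check_sasl_passthrough(entry))
    for f in audit_bind_log(SAMPLE_SLAPD_LOG):
        print("failed bind:", f)
```

On the sample data the mapping check passes and the audit reports one simple bind (method 128) on conn 35 that failed with err 49 after the SASL canonicalize step was reached, which narrows the search to what happens between slapd and the SASL password checker rather than to the entry or the ACLs.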