Hi group,
I have been fighting the whole day already for something that I think is quite simple but I just can't get it to work: have slapd authenticate users against kerberos. Following many tutorials, trying many things, I give up on that and ask for your help.
System: Debian Lenny.
Situation: - workstation logins over the network authenticate against kerberos - credentials from LDAP - postfix has its alias database etc in LDAP, as are the groups and userIDs and everything - helps keeping uids the same on the workstations. Essential for NFS. - anything using pam will be authenticated against kerberos, including imap, postfix, etc.
Except LDAP. Then slapd authenticates by itself against the password stored there. And that's not what I want. There should be no passwords in LDAP any more, everything against kerberos. Then at least when a user changes their kerberos password, the same password is used everywhere. I just can't get this to work for some reason. I have followed many tutorials, so many that I forgot what I did, and it still doesn't work.
Slapd should use pam to authenticate, or directly talk to the kerberos server, whatever.
saslauthd has the gssapi module installed.
I have created an ldap/acorn.squirrel@SQUIRREL key, and added this keytab in /etc/defaults/slapd. acorn.squirrel is the fqdn of the server, SQUIRREL is its kerberos realm.
My clients all run Ubuntu 10.04 LTS (a nice desktop but shitty to get kerberos/ldap authentication work on amongst other griefs).
Current situation after all the hacking: $ ldapwhoami -x -D 'uid=wouter,ou=people,dc=squirrel' -W -h acorn.squirrel Enter LDAP Password: ldap_bind: Invalid credentials (49) when entering my Kerberos password; it accepts my credentials when I enter the LDAP stored password (a different password).
Then I just did: ======================= wouter@acorn:~$ ldapsearch -LLL -s base -b '' '(objectClass=*)' + SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80) wouter@acorn:~$ klist Ticket cache: FILE:/tmp/krb5cc_1000_5lYS4w Default principal: wouter@SQUIRREL
Valid starting Expires Service principal 09/08/10 22:42:07 09/09/10 08:42:07 krbtgt/SQUIRREL@SQUIRREL renew until 09/09/10 22:42:07 09/08/10 22:46:39 09/09/10 08:42:07 ldap/acorn.squirrel@SQUIRREL renew until 09/09/10 22:42:07
Kerberos 4 ticket cache: /tmp/tkt1000 klist: You have no tickets cached =======================
OK it seems ldap gets it's ticket. Issued the moment I ran the above command. Still I get the bind error. But for some reason I do not have a ticket myself, interesting. Running kinit doesn't solve this strangely enough, on the workstations it does give me a ticket. And running kinit kills the ldap ticket. Appears strange to me.
Any ideas? I probably miss something very simple... it shouldn't be that hard to have slapd get its credentials from kerberos!
Thanks!
Wouter.