Hello all,
I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far. I've already set up MIT Kerberos V and I can successfully get tickets from it:
root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
        renew until 06/24/10 09:44:46
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The saslauthd output looks like this:
saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth : auth success: [user=diego.lima@USERS] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request : response: OK
I've set up my user account on LDAP like this:
dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.lima@USERS
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z
The userPassword value translates to {SASL}diego.lima@USERS
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
And on the slapd output:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
  0000:  30 53 02 01 01 60 4e 02                            0S...`N.
ldap_read: want=77, got=77
  0000:  01 03 04 41 6b 72 62 50 72 69 6e 63 69 70 61 6c    ...AkrbPrincipal
  0010:  4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69 6d 61 40    Name=diego.lima@
  0020:  55 53 45 52 53 2c 63 6e 3d 55 53 45 52 53 2c 64    USERS,cn=USERS,d
  0030:  63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63 6f 6d 2c    c=domain,dc=com,
  0040:  64 63 3d 62 72 80 06 31 32 33 34 35 36             dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
  0000:  02 01 01 60 4e 02 01 03 04 41 6b 72 62 50 72 69    ...`N....AkrbPri
  0010:  6e 63 69 70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f    ncipalName=diego
  0020:  2e 6c 69 6d 61 40 55 53 45 52 53 2c 63 6e 3d 55    .lima@USERS,cn=U
  0030:  53 45 52 53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64    SERS,dc=domain,d
  0040:  63 3d 63 6f 6d 2c 64 63 3d 62 72 80 06 31 32 33    c=com,dc=br..123
  0050:  34 35 36                                           456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
  0000:  60 4e 02 01 03 04 41 6b 72 62 50 72 69 6e 63 69    `N....AkrbPrinci
  0010:  70 61 6c 4e 61 6d 65 3d 64 69 65 67 6f 2e 6c 69    palName=diego.li
  0020:  6d 61 40 55 53 45 52 53 2c 63 6e 3d 55 53 45 52    ma@USERS,cn=USER
  0030:  53 2c 64 63 3d 34 6c 69 6e 75 78 2c 64 63 3d 63    S,dc=domain,dc=c
  0040:  6f 6d 2c 64 63 3d 62 72 80 06 31 32 33 34 35 36    om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
  0000:  00 06 31 32 33 34 35 36                            ..123456
dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>
=> ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br,0)
<= ldap_bv2dn(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal: <krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br>, <krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
do_bind: version=3 dn="krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" method=128
==> hdb_bind: dn: krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbPrincipalName=diego.lima@USERS,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br" "userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br", attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
SASL Canonicalize [conn=35]: authcid="diego.lima@USERS"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00          0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a 01 31 04 00 04 00          0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0
ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
I see nothing on the saslauthd output when I try to log in. Did I miss anything? Please note that I'm trying to use the same kerberos principal as my user, and this is intended. I did try adding another user (account and posixAccount objectClasses) with a separate kerberos principal and that did not work either.
Lastly, here is my slapd.conf:
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_hdb
sizelimit       500
tool-threads    1

backend         hdb
database        hdb
suffix          "dc=domain,dc=com,dc=br"
rootdn          "cn=admin,dc=domain,dc=com,dc=br"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30

access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by anonymous auth
        by self write
        by * none
access to dn.base=""
        by * read
access to *
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by * read
Thanks for the help!
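The slapd trace above dumps the bind request byte by byte, and "method=128" is the simple-bind choice, so the password travels in the clear and a -d trace at this level writes it into the log. The following Python is added here and is not part of the thread: it decodes an LDAPv3 simple BindRequest of exactly that shape. SAMPLE is constructed from the anonymized DN and password quoted in the post rather than copied from the log (its first eight bytes still match the log's 30 53 02 01 01 60 4e 02), and sasl_authcid() decodes the base64 userPassword value to the {SASL} authcid that slapd then hands to the SASL password check.

```python
# Added example, not from the thread: decode an LDAPv3 simple BindRequest
# like the one slapd dumped above.  SAMPLE is constructed from the DN and
# password in the post; it is not the log's raw bytes.
import base64

def ber_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = count of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def ber_encode(tag, value):
    """Encode one TLV; short-form length suffices for this 85-byte message."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def build_simple_bind(msgid, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    bind = (ber_encode(0x02, bytes([3]))            # INTEGER version
            + ber_encode(0x04, dn.encode())          # OCTET STRING bind DN
            + ber_encode(0x80, password.encode()))   # [0] simple: password in clear
    return ber_encode(0x30, ber_encode(0x02, bytes([msgid])) + ber_encode(0x60, bind))

def parse_bind_request(msg):
    """Pull messageID, version, DN and auth choice out of an LDAPMessage."""
    tag, body, _ = ber_tlv(msg, 0)
    assert tag == 0x30, "not an LDAPMessage SEQUENCE"
    _, msgid, pos = ber_tlv(body, 0)
    op_tag, op, _ = ber_tlv(body, pos)
    assert op_tag == 0x60, "not a BindRequest ([APPLICATION 0])"
    _, version, pos = ber_tlv(op, 0)
    _, name, pos = ber_tlv(op, pos)
    auth_tag, auth, _ = ber_tlv(op, pos)
    return {"msgid": int.from_bytes(msgid, "big"),
            "version": int.from_bytes(version, "big"),
            "dn": name.decode(),
            "method": auth_tag,            # 0x80 == 128, slapd's "method=128" (simple)
            "password": auth.decode() if auth_tag == 0x80 else None}

def sasl_authcid(userpassword_b64):
    """Authcid slapd passes to SASL when userPassword is {SASL}<authcid>, else None."""
    value = base64.b64decode(userpassword_b64).decode()
    return value[len("{SASL}"):] if value.startswith("{SASL}") else None

SAMPLE = build_simple_bind(
    1, "krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br", "123456")
```

Running parse_bind_request(SAMPLE) yields version 3, method 128 and the password "123456", which is what the hdb_bind and SASL Canonicalize lines above are working from.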
On 23/06/10 10:27 -0300, Diego Lima wrote:
I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far. I've already set up MIT Kerberos V and I can successfully get tickets from it:
root@filesystem:~# kinit diego.lima
Password for diego.lima@USERS:
root@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.lima@USERS

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/USERS@USERS
        renew until 06/24/10 09:44:46
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
The userPassword value translates to {SASL}diego.lima@USERS
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
When doing a SASL bind, you should specify the same username that you are authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of a -D option:
ldapwhoami -U diego.lima@USERS
I see nothing on the saslauthd output when I try to log in. Did I miss anything? Please note that I'm trying to use the same kerberos principal as my user, and this is intended. I did try adding another user (account and posixAccount objectClasses) with a separate kerberos principal and that did not work either.
By default, the cyrus sasl library will not use saslauthd. You'll need to create a /usr/lib/sasl2/slapd.conf file with:
pwcheck_method: saslauthd
Dan White wrote:
On 23/06/10 10:27 -0300, Diego Lima wrote:
I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far.
The userPassword value translates to {SASL}diego.lima@USERS
IMO that's not needed for SASL/GSSAPI.
When I try to do an authenticated search on LDAP I see the following:
# ldapsearch -D krbPrincipalName=diego.lima@USERS,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
When doing a SASL bind, you should specify the same username that you are authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of a -D option:
ldapwhoami -U diego.lima@USERS
He would also have to specify -Y GSSAPI. And of course slapd has to be kerberized first to make this work.
By default, the cyrus sasl library will not use saslauthd. You'll need to create a /usr/lib/sasl2/slapd.conf file with:
pwcheck_method: saslauthd
Are you sure that's suitable for SASL/GSSAPI for Krb5? Frankly I have some doubts because that's for password-based mechs.
Ciao, Michael.
On 30/06/10 18:43 +0200, Michael Ströder wrote:
Dan White wrote:
On 23/06/10 10:27 -0300, Diego Lima wrote:
I'm trying to set up openldap to authenticate using my kerberos service, but I'm not having success so far.
The userPassword value translates to {SASL}diego.lima@USERS
IMO that's not needed for SASL/GSSAPI.
When doing a SASL bind, you should specify the same username that you are authenticating with, for saslauthd. Use a '-U diego.lima@USERS' instead of a -D option:
ldapwhoami -U diego.lima@USERS
He would also have to specify -Y GSSAPI. And of course slapd has to be kerberized first to make this work.
Presumably he is doing plaintext authentication to slapd rather than gssapi, and having saslauthd validate the username and password against a kerberos5 server.
Dan White wrote:
On 30/06/10 18:43 +0200, Michael Ströder wrote:
He would also have to specify -Y GSSAPI. And of course slapd has to be kerberized first to make this work.
Presumably he is doing plaintext authentication to slapd rather than gssapi, and having saslauthd validate the username and password against a kerberos5 server.
Why do you think so? Diego mentioned kinit and klist in the original posting:
http://www.openldap.org/lists/openldap-technical/201006/msg00301.html
Therefore I presume he wants to use SASL/GSSAPI. But only he can tell us what he really wants to achieve.
Ciao, Michael.
On 01/07/10 00:18 +0200, Michael Ströder wrote:
Dan White wrote:
On 30/06/10 18:43 +0200, Michael Ströder wrote:
He would also have to specify -Y GSSAPI. And of course slapd has to be kerberized first to make this work.
Presumably he is doing plaintext authentication to slapd rather than gssapi, and having saslauthd validate the username and password against a kerberos5 server.
Why do you think so? Diego mentioned kinit and klist in the original posting:
http://www.openldap.org/lists/openldap-technical/201006/msg00301.html
Therefore I presume he wants to use SASL/GSSAPI. But only he can tell us what he really wants to achieve.
It's clear what his intentions were from this snippet, from the original post:
I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:
root@filesystem:~# testsaslauthd -u diego.lima@USERS -p 123456
0: OK "Success."
Which means he was successful in configuring saslauthd to use the kerberos5 authmech (see the manual page).
His problem is not with any kerberos5 configuration, but rather a usage question in how to use the ldap client utilities and how to configure his user entries to support SASL.