Hello,

I recently added Kerberos authentication to my LDAP server, and I am trying to connect the other servers to it. I have a server running Davical shared calendar, and I hope to get it working with my LDAP server again after Kerberos integration.

Here is my configuration which was working before the integration, and my source is "http://wiki.davical.org/w/Configuration/LDAP#Kerberos_Authentication":

$c->authenticate_hook['config'] = array(
    'host' => 'ldap.domain.com',                    // host name of your LDAP Server
    'port' => '389',                                // port
    // 'bindDN' => 'cn=admin,dc=domain,dc=com',     // DN to bind request
                                                    // to this server (if required)
    // 'passDN' => 'password',                      // Password of request bind
    'baseDNUsers' => 'ou=People,dc=domain,dc=com',  // where to look for valid user
    'filterUsers' => 'objectClass=*',               // filter which must validate a user according to RFC4515, i.e. surrounded by brackets
    'protocolVersion' => 3,                         // important for simple auth (no sasl)
    'startTLS' => true,                             // securing your LDAP connection
    'i_use_mode_kerberos' => "i_know_what_i_am_doing",
);

My slapd error logs:

Jan 31 23:40:00 ldap slapd[1059]: conn=1273 fd=43 ACCEPT from IP=203.28.247.193:56887 (IP=0.0.0.0:389)
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH attr=uid modifyTimestamp cn mail
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=2 UNBIND

My OLC configuration:

root@ldap:/var/log# ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config "(|(cn=config)(olcDatabase={1}hdb))"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcAuthzRegexp: {0}uid=([^,]+),cn=domain.com,cn=gssapi,cn=auth uid=$1,ou=people,dc=domain,dc=com
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcSaslRealm: DOMAIN.COM
olcToolThreads: 1

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by anonymous auth by * none
olcAccess: {1}to dn.subtree="ou=krb5,dc=domain,dc=com" by dn="cn=adm-srv,ou=krb5,domain,dc=com" write by dn="cn=kdc-srv,ou=krb5,domain,dc=com" read by * none
olcAccess: {2}to attrs=loginShell,gecos by self write by users read by * none
olcAccess: {3}to dn.base="" by * read
olcAccess: {4}to * by users read by * none
olcLastMod: TRUE
olcRootDN: uid=admin,ou=people,domain,dc=com

Any suggestion to fix the binding and get my search working again with Kerberos authentication?

Thanks.
On 02/01/13 10:08 +1100, Asmaa Ahmed wrote:
Hello,
I recently added Kerberos authentication to my LDAP server, and I am trying to connect the other servers to it. I have a server running Davical shared calendar, and I hope to get it working with my LDAP server again after Kerberos integration.
Can you reproduce this problem with ldapsearch and/or ldapwhoami (-Y GSSAPI) on the server which is running davical?
No, I don't have any problem while running these commands from there! I can retrieve my data successfully.
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="" method=163
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND authcid="aahmed@DOMAIN.COM" authzid="aahmed@DOMAIN.COM"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="uid=aahmed,ou=people,dc=domain,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 RESULT tag=97 err=0 text=
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SEARCH RESULT tag=101 err=0 nentries=11 text=
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=4 UNBIND

Thanks.
Date: Fri, 1 Feb 2013 13:53:29 -0600
From: dwhite@olp.net
To: asabatgirl@hotmail.com
CC: openldap-technical@openldap.org
Subject: Re: client server connection to LDAP/Kerberos
Can you reproduce this problem with ldapsearch and/or ldapwhoami (-Y GSSAPI) on the server which is running davical?
-- Dan White
That would suggest you have a problem with your Davical configuration. Try consulting their mailing list/support contact.
On 02/02/13 12:05 +1100, Asmaa Ahmed wrote:
No, I don't have any problem while running these commands from there! I can retrieve my data successfully.
I did, but still haven't got a response. I just want to confirm something here from the debug logs of the Apache and LDAP/Kerberos servers, that it is Davical's fault, nothing more! As now I am trying to do the authentication using Apache.
From Apache, while trying to log in, I got that:

[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(994): [client 203.28.249.33] Using HTTP/calendar.domain.com@ as server principal for password verification
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(698): [client 203.28.249.33] Trying to get TGT for user aahmed@DOMAIN.COM
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(609): [client 203.28.249.33] Trying to verify authenticity of KDC using principal HTTP/calendar.domain.com@
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(1073): [client 203.28.249.33] kerb_authenticate_user_krb5pwd ret=0 user=aahmed@DOMAIN.COM authtype=Basic
[Tue Feb 05 02:58:29 2013] [debug] src/mod_auth_kerb.c(1534): [client 203.28.249.33] kerb_authenticate_a_name_to_local_name aahmed@DOMAIN.COM -> aahmed
[Tue Feb 05 02:58:29 2013] [error] [client 203.28.249.33] davical: ***: ERROR:drivers_ldap : Unable to find the user with filter (&(objectClass=*)(uid=aahmed))
And I can see the request also goes to my LDAP/Kerberos server. I don't understand why there are multiple entries here, but I can see clearly that some of them are successful and return an entry!

Feb 5 02:56:32 ldap slapd[1059]: conn=1459 op=4111 SRCH base="cn=DOMAIN.COM,ou=krb5,dc=domain,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=aahmed@DOMAIN.COM))"
Feb 5 02:56:32 ldap slapd[1059]: conn=1459 op=4111 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbExtraData krbObjectReferences krbAllowedToDelegateTo
Feb 5 02:56:32 ldap slapd[1059]: conn=1459 op=4111 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 5 02:56:32 ldap slapd[1059]: conn=1459 op=4113 SRCH base="cn=DOMAIN.COM,ou=krb5,dc=domain,dc=com" scope=2 deref=0 filter="(&(|(objectClass=krbPrincipalAux)(objectClass=krbPrincipal))(krbPrincipalName=aahmed/SNK4@DOMAIN.COM))"
Feb 5 02:56:32 ldap slapd[1059]: conn=1459 op=4113 SRCH attr=krbprincipalname krbcanonicalname objectclass krbprincipalkey krbmaxrenewableage krbmaxticketlife krbticketflags krbprincipalexpiration krbticketpolicyreference krbUpEnabled krbpwdpolicyreference krbpasswordexpiration krbLastFailedAuth krbLoginFailedCount krbLastSuccessfulAuth krbLastPwdChange krbExtraData krbObjectReferences krbAllowedToDelegateTo
Feb 5 02:56:32 ldap slapd[1059]: conn=1459 op=4113 SEARCH RESULT tag=101 err=0 nentries=0 text=
--
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 fd=43 ACCEPT from IP=203.28.247.193:38068 (IP=0.0.0.0:389)
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=0 BIND dn="" method=128
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=0 RESULT tag=97 err=0 text=
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(uid=aahmed))"
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SRCH attr=uid cn mail modifyTimestamp
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Date: Sun, 3 Feb 2013 17:11:09 -0600
From: dwhite@olp.net
To: asabatgirl@hotmail.com
Subject: Re: client server connection to LDAP/Kerberos
CC: openldap-technical@openldap.org
That would suggest you have a problem with your Davical configuration. Try consulting their mailing list/support contact.
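As an added example (not code from the thread, OpenLDAP or Davical), the following Python groups slapd `stats`-level log lines by connection and reports how each connection bound and what its searches returned. Run over the lines posted in the thread, it separates the two Davical connections (conn=1273 and conn=1507), which bind with `dn="" method=128`, a simple bind with an empty DN and therefore anonymous, from the ldapsearch -Y GSSAPI session (conn=1374), which ends up bound as uid=aahmed,ou=people,dc=domain,dc=com with ssf=56. The anonymous searches of ou=People return err=32 (noSuchObject) with no entries, while the GSSAPI-bound search returns 11 entries. With the posted ACL `{4}to * by users read by * none`, an anonymous client is not in `users`, and slapd reports a base the bound identity may not see as noSuchObject rather than as an access error, which is consistent with the two results. The sample lines are a subset of the logs posted in the thread, not constructed data; the result-code names follow RFC 4511.

```python
"""Group OpenLDAP 'stats' log lines by connection and report how each
connection bound and what its searches returned.  Added example for this
thread; not code from the thread, OpenLDAP or Davical."""
import re
from dataclasses import dataclass, field
from typing import Optional

RESULT_NAMES = {0: "success", 32: "noSuchObject", 50: "insufficientAccessRights"}
# 'method=' in a BIND line is the BER tag of the bind choice: 128 simple, 163 SASL.
BIND_METHODS = {128: "simple", 163: "sasl"}

CONN_OP_RE = re.compile(r"\bconn=(\d+) op=(\d+) (.*)$")
BIND_METHOD_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
BIND_MECH_RE = re.compile(
    r'^BIND dn="(?P<dn>[^"]*)" mech=(?P<mech>\S+)(?: sasl_ssf=\d+)? ssf=(?P<ssf>\d+)')
BIND_RESULT_RE = re.compile(r"^RESULT tag=97 err=(?P<err>\d+)")  # tag 97 = BindResponse
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d deref=\d filter="(?P<filter>.*)"$')
SEARCH_RESULT_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")


@dataclass
class Search:
    base: str
    filter: str
    err: Optional[int] = None
    nentries: int = 0


@dataclass
class Connection:
    conn: int
    bind_method: str = ""   # "simple" or "sasl"
    bind_dn: str = ""       # DN slapd finally associated with the connection
    mech: str = ""          # SASL mechanism, e.g. GSSAPI
    ssf: int = 0            # security strength factor slapd reported
    bind_err: Optional[int] = None
    searches: dict[int, Search] = field(default_factory=dict)  # keyed by op number

    @property
    def anonymous(self) -> bool:
        # A simple bind with an empty DN is an anonymous bind (RFC 4513, 5.1.1).
        return self.bind_method == "simple" and self.bind_dn == ""


def parse_stats(lines: list[str]) -> dict[int, Connection]:
    """Fold slapd stats lines into one Connection per conn=N (lines without op= are skipped)."""
    conns: dict[int, Connection] = {}
    for line in lines:
        m = CONN_OP_RE.search(line)
        if not m:
            continue
        cid, op, rest = int(m.group(1)), int(m.group(2)), m.group(3)
        c = conns.setdefault(cid, Connection(cid))
        if (bm := BIND_METHOD_RE.match(rest)):
            c.bind_method = BIND_METHODS.get(int(bm["method"]), bm["method"])
            c.bind_dn = bm["dn"]
        elif (bm := BIND_MECH_RE.match(rest)):
            # SASL binds log a second BIND line once the mechanism has mapped the
            # authenticated identity (here via olcAuthzRegexp) to a directory DN.
            c.bind_dn, c.mech, c.ssf = bm["dn"], bm["mech"], int(bm["ssf"])
        elif (br := BIND_RESULT_RE.match(rest)):
            c.bind_err = int(br["err"])
        elif (sm := SRCH_RE.match(rest)):
            c.searches[op] = Search(sm["base"], sm["filter"])
        elif (sr := SEARCH_RESULT_RE.match(rest)) and op in c.searches:
            c.searches[op].err, c.searches[op].nentries = int(sr["err"]), int(sr["n"])
    return conns


def identity(c: Connection) -> str:
    """Who the directory believes is asking, as slapd logged it."""
    if c.anonymous:
        return "anonymous (simple bind, empty DN)"
    if c.bind_method == "sasl":
        return f"{c.bind_dn or '?'} via SASL/{c.mech or '?'} ssf={c.ssf}"
    return f"{c.bind_dn} (simple bind)" if c.bind_dn else "no bind seen"


def anonymous_misses(conns: dict[int, Connection]) -> list[int]:
    """Connections that bound anonymously and then had a search return noSuchObject."""
    return sorted(c.conn for c in conns.values()
                  if c.anonymous and any(s.err == 32 for s in c.searches.values()))


# Sample input: a subset of the slapd lines posted in this thread (Davical's two
# attempts and the ldapsearch -Y GSSAPI check), not constructed data.
SAMPLE_LOG = """\
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 BIND dn="" method=128
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=0 RESULT tag=97 err=0 text=
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Jan 31 23:40:00 ldap slapd[1059]: conn=1273 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="" method=163
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND authcid="aahmed@DOMAIN.COM" authzid="aahmed@DOMAIN.COM"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 BIND dn="uid=aahmed,ou=people,dc=domain,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=2 RESULT tag=97 err=0 text=
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SRCH base="dc=domain,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Feb 2 11:59:49 ldap slapd[1059]: conn=1374 op=3 SEARCH RESULT tag=101 err=0 nentries=11 text=
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=0 BIND dn="" method=128
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SRCH base="ou=People,dc=domain,dc=com" scope=2 deref=0 filter="(&(objectClass=*)(uid=aahmed))"
Feb 5 02:56:32 ldap slapd[1059]: conn=1507 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

if __name__ == "__main__":
    parsed = parse_stats(SAMPLE_LOG.splitlines())
    for c in sorted(parsed.values(), key=lambda c: c.conn):
        for op, s in sorted(c.searches.items()):
            print(f"conn={c.conn} {identity(c)}: base={s.base} filter={s.filter} "
                  f"-> {RESULT_NAMES.get(s.err, s.err)} ({s.nentries} entries)")
    print("anonymous binds whose search came back noSuchObject:", anonymous_misses(parsed))
```

Run as a script it prints one line per search plus the list of anonymous connections that hit noSuchObject; to use it on a live server, feed `parse_stats` the slapd lines from wherever syslog writes them (the server in the thread logs at `olcLogLevel: stats`, which is the level these regexes expect). Lines without an `op=` field, such as ACCEPT and `SRCH attr=` lines, are ignored on purpose.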