Hi all,
I'm trying to build OpenLDAP enabling the GSSAPI module, but I can't find any reference on that in the configure file. I'm doing that because I'm writing a client program that wants to log in to a Windows AD via Kerberos. Any help is appreciated.
On 02/14/13 12:19 +0100, Michele wrote:
Hi all,
I'm trying to build OpenLDAP enabling the GSSAPI module, but I can't find any reference on that in the configure file. I'm doing that because I'm writing a client program that wants to log in to a Windows AD via Kerberos. Any help is appreciated.
You'll need to install the cyrus sasl gssapi plugin. Use 'pluginviewer' to view your current list of installed plugins.
Hi, this is my pluginviewer output and the cyrus RPMs installed on my machine. I think I already have it.
# pluginviewer
Installed SASL (server side) mechanisms are: LOGIN GSSAPI PLAIN ANONYMOUS EXTERNAL
List of server plugins follows
Plugin "login" [loaded], API version: 4
    SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
    security flags: NO_ANONYMOUS
    features:
Plugin "gssapiv2" [loaded], API version: 4
    SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
    security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "plain" [loaded], API version: 4
    SASL mechanism: PLAIN, best SSF: 0, supports setpass: no
    security flags: NO_ANONYMOUS
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded], API version: 4
    SASL mechanism: ANONYMOUS, best SSF: 0, supports setpass: no
    security flags: NO_PLAINTEXT
    features: WANT_CLIENT_FIRST
Installed auxprop mechanisms are: sasldb
List of auxprop plugins follows
Plugin "sasldb" , API version: 4
    supports store: yes

Installed SASL (client side) mechanisms are: LOGIN GSSAPI PLAIN ANONYMOUS EXTERNAL
List of client plugins follows
Plugin "login" [loaded], API version: 4
    SASL mechanism: LOGIN, best SSF: 0
    security flags: NO_ANONYMOUS
    features: SERVER_FIRST
Plugin "gssapiv2" [loaded], API version: 4
    SASL mechanism: GSSAPI, best SSF: 56
    security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
Plugin "plain" [loaded], API version: 4
    SASL mechanism: PLAIN, best SSF: 0
    security flags: NO_ANONYMOUS
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION
Plugin "anonymous" [loaded], API version: 4
    SASL mechanism: ANONYMOUS, best SSF: 0
    security flags: NO_PLAINTEXT
    features: WANT_CLIENT_FIRST
Plugin "EXTERNAL" [loaded], API version: 4
    SASL mechanism: EXTERNAL, best SSF: 0
    security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_DICTIONARY
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

[root@temdev10 ~]# rpm -ql | grep cyrus
rpmq: no arguments given for query
[root@temdev10 ~]# rpm -qa | grep cyrus
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-gssapi-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
On Thu, Feb 14, 2013 at 8:44 PM, Dan White dwhite@olp.net wrote:
On 02/14/13 12:19 +0100, Michele wrote:
I'm trying to build OpenLDAP enabling the GSSAPI module, but I can't find any reference on that in the configure file. I'm doing that because I'm writing a client program that wants to log in to a Windows AD via Kerberos. Any help is appreciated.
You'll need to install the cyrus sasl gssapi plugin. Use 'pluginviewer' to view your current list of installed plugins.
On 02/18/13 13:13 +0100, Michele wrote:
this is my pluginviewer output and the cyrus RPMs installed on my machine. I think I already have it.
# pluginviewer
Installed SASL (server side) mechanisms are: LOGIN GSSAPI PLAIN ANONYMOUS EXTERNAL
List of server plugins follows
Plugin "login" [loaded], API version: 4
    SASL mechanism: LOGIN, best SSF: 0, supports setpass: no
    security flags: NO_ANONYMOUS
    features:
Plugin "gssapiv2" [loaded], API version: 4
    SASL mechanism: GSSAPI, best SSF: 56, supports setpass: no
    security flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
    features: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION

[root@temdev10 ~]# rpm -ql | grep cyrus
rpmq: no arguments given for query
[root@temdev10 ~]# rpm -qa | grep cyrus
cyrus-sasl-plain-2.1.22-5.el5_4.3
cyrus-sasl-gssapi-2.1.22-5.el5_4.3
cyrus-sasl-devel-2.1.22-5.el5_4.3
cyrus-sasl-2.1.22-5.el5_4.3
cyrus-sasl-lib-2.1.22-5.el5_4.3
You have the necessary sasl components installed to support gssapi authentication. To verify that your AD server supports gssapi:
ldapsearch -LLL -x -H ldap://ad.example.org -s "base" -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
See the FAQ entry "How do I configure OpenLDAP+SASL+GSSAPI" here (the client side details should still apply):
http://www.cyrussasl.org/mediawiki/index.php/FAQ
Ok, I've tried that and my AD server supports all the mechanisms you listed above. The problem is that I'm compiling a client application and I'd like to use the GSSAPI mechanism, but when I compile OpenLDAP I'm not sure if it is also compiling the GSSAPI stuff. Also, when I try to connect my client to my AD server it says that no mechanisms are available. Thanks
Hi Michele,
On 02/19/2013 11:31 AM, Michele wrote:
Ok, I've tried that and my AD server supports all the mechanisms you listed above. The problem is that I'm compiling a client application and I'd like to use the GSSAPI mechanism, but when I compile OpenLDAP I'm not sure if it is also compiling the GSSAPI stuff.
It should include it if you have the cyrus-sasl-devel RPM installed and assuming the client has the proper Makefile stuff to include it and link to it. You can verify the client binary with the ldd command. Example output:
$ ldd /usr/local/bin/ldapsearch | egrep -i 'sasl|gssapi'
    libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00000031fac00000)
    libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2
Also, when I try to connect my client to my AD server it says that no mechanisms are available. Thanks
I don't know much about AD, but supporting a mechanism and actually offering it may be two different things. Is GSSAPI actually enabled?
On the client side make sure that you have the cyrus-sasl-gssapi and krb5-libs RPMs installed.
Regards, Patrick
On 02/19/13 11:31 +0100, Michele wrote:
Ok, I've tried that and my AD server supports all the mechanisms you listed above. The problem is that I'm compiling a client application and I'd like to use the GSSAPI mechanism, but when I compile OpenLDAP I'm not sure if it is also compiling the GSSAPI stuff. Also, when I try to connect my client to my AD server it says that no mechanisms are available.
Compiling in SASL support should be sufficient.
One way to troubleshoot is to use the provided ldap utilities to verify GSSAPI authentication before troubleshooting your client application.
~$ kinit dan@AD.DOMAIN
dan@AD.COM's Password:
~$ ldapwhoami -Y GSSAPI -H ldap://ldap.ad.domain
SASL/GSSAPI authentication started
SASL username: dan@AD.DOMAIN
SASL SSF: 56
SASL data security layer installed.
ldap_parse_result: Protocol error (2)
    additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Result: Protocol error (2)
Additional info: 0000203D: LdapErr: DSID-0C090C7D, comment: Unknown extended request OID, data 0, vece
Regardless of the error above (Active Directory 2003 apparently does not support the whoami extended operation), this is a successful authentication (you would see a bind error otherwise).
~$ klist
Credentials cache: FILE:/tmp/krb5cc_1005
        Principal: dan@AD.DOMAIN

  Issued           Expires          Principal
Feb 19 08:30:38  Feb 19 18:30:38  krbtgt/AD.DOMAIN@AD.DOMAIN
Feb 19 08:31:12  Feb 19 18:30:38  ldap/ldap.ad.domain@
Feb 19 08:31:12  Feb 19 18:30:38  ldap/ldap.ad.domain@AD.DOMAIN
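A preflight script that automates the three checks Dan and Patrick walk through in this thread (the rootDSE supportedSASLMechanisms query, the client-side pluginviewer listing, and ldd of the client binary) before reaching for kinit and ldapwhoami. This is an added example, not code from the thread; the sample outputs embedded in it are constructed from the sessions quoted above so it runs offline, and the finding strings are my own wording.

```python
"""Preflight for a SASL/GSSAPI LDAP client: parse the three diagnostics used in
this thread (rootDSE supportedSASLMechanisms, pluginviewer, ldd). Added example,
not the thread's code; samples are constructed from the sessions quoted above."""
import re

ROOTDSE = """dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
"""
PLUGINVIEWER = """Installed SASL (client side) mechanisms are: GSSAPI
Plugin "gssapiv2" [loaded], \tAPI version: 4
\tSASL mechanism: GSSAPI, best SSF: 56
\tsecurity flags: NO_ANONYMOUS|NO_PLAINTEXT|NO_ACTIVE|PASS_CREDENTIALS|MUTUAL_AUTH
\tfeatures: WANT_CLIENT_FIRST|PROXY_AUTHENTICATION|NEED_SERVER_FQDN
"""
LDD = """\tlibsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x00000031fac00000)
\tlibgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00000031fb000000)
"""

def server_mechs(ldif):
    """Mechanisms the server advertises (ldapsearch -LLL -s base -b "" supportedSASLMechanisms)."""
    return set(re.findall(r"^supportedSASLMechanisms:\s*(\S+)", ldif, re.M))

def client_plugins(text):
    """Map each client-side mechanism in pluginviewer output to its feature flags."""
    client = text.split("(client side)", 1)[-1]  # skip the server-side section
    plugins = {}
    for block in re.split(r'^Plugin "', client, flags=re.M)[1:]:
        mech = re.search(r"SASL mechanism:\s*([\w-]+)", block)
        feats = re.search(r"features:[ \t]*(\S*)", block)
        if mech:
            plugins[mech.group(1)] = set(feats.group(1).split("|")) - {""} if feats else set()
    return plugins

def linked_libs(ldd_out):
    """Shared objects a binary resolves, from `ldd <binary>` output."""
    return set(re.findall(r"^\s*(\S+\.so(?:\.\d+)*)\s*=>", ldd_out, re.M))

def preflight(rootdse, pluginviewer, ldd_out):
    """List findings; any entry not prefixed 'note:' blocks a GSSAPI bind outright."""
    findings = []
    if "GSSAPI" not in server_mechs(rootdse):
        findings.append("server rootDSE does not advertise GSSAPI")
    plugins = client_plugins(pluginviewer)
    if "GSSAPI" not in plugins:
        findings.append("no client-side GSSAPI plugin (install cyrus-sasl-gssapi)")
    elif "NEED_SERVER_FQDN" in plugins["GSSAPI"]:
        findings.append("note: GSSAPI plugin needs the server FQDN in the LDAP URI")
    if not any(lib.startswith("libsasl2") for lib in linked_libs(ldd_out)):
        findings.append("client binary is not linked against libsasl2")
    return findings
```

On a real host, feed the functions the captured output of the three commands from the thread instead of the embedded samples.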
openldap-technical@openldap.org