Hi, We are currently trying to use OpenLDAP as the database for Kerberos in our lab. We installed OpenLDAP on Ubuntu 10.04 and it is working without any problem (i.e. queries are showing the correct results), but we are not able to get Kerberos to authenticate via OpenLDAP.
For authenticating via OpenLDAP, the principals need to be rewritten (using authz-policy and authz-regexp). We know how to do that in the older version of OpenLDAP which had slapd.conf, but don't know how to do the same in the new OpenLDAP which has the slapd.d directory instead. The manuals also don't say anything on this issue.
We did the following for testing authentication via Kerberos:
kinit username; ldapsearch -H ldaps://server.example.com
And we got this result:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database
We just want to perform this:
authz-policy from
authz-regexp uid=(.*),cn=example.com,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
We think adding this in slapd.conf should serve the purpose. Any suggestions/help is highly appreciated.
--On Friday, January 07, 2011 9:22 PM +0530 sarathkrishna89@gmail.com wrote:
> We think adding this in slapd.conf should serve the purpose. Any suggestions/help is highly appreciated.
Use slaptest to convert your slapd.conf file to the slapd-config format, and read what it does for the authz regexp. Then you'll clearly see how to handle what you did in slapd.conf in the new format.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Quanah Gibson-Mount wrote:
> --On Friday, January 07, 2011 9:22 PM +0530 sarathkrishna89@gmail.com wrote:
>> We think adding this in slapd.conf should serve the purpose. Any suggestions/help is highly appreciated.
> Use slaptest to convert your slapd.conf file to the slapd-config format, and read what it does for the authz regexp. Then you'll clearly see how to handle what you did in slapd.conf in the new format.
Or just read the slapd-config(5) manpage and the Admin Guide...
On Fri, Jan 07, 2011 at 09:22:01PM +0530, sarathkrishna89@gmail.com wrote:
> For authenticating via OpenLDAP, the principals need to be rewritten (using authz-policy and authz-regexp). We know how to do that in the older version of OpenLDAP which had slapd.conf, but don't know how to do the same in the new OpenLDAP which has the slapd.d directory instead. The manuals also don't say anything on this issue.
man slapd-config
scroll down to:
    olcAuthzPolicy
    olcAuthzRegexp
authz-regexp uid=(.*),cn=example.com,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
If you are using multiple Kerberos realms, please note that the current documentation of auth DNs is wrong (see ITS#6757).
Proposed correction is below.
Regards,
Brian.
--- openldap/doc/guide/admin/sasl.sdf.orig 2011-01-03 15:15:55.754879001 +0530 +++ openldap/doc/guide/admin/sasl.sdf 2011-01-03 15:38:55.188208002 +0530 @@ -135,25 +135,35 @@ For the purposes of authentication and authorization, {{slapd}}(8) associates an authentication request DN of the form:
-> uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth +> uid=<primary[/instance][@realm]>,cn=gssapi,cn=auth + +The realm is omitted by Cyrus SASL if it's equal to the default realm of the +server in {{FILE:/etc/krb5.conf}}.
Continuing our example, a user with the Kerberos principal {{EX:kurt@EXAMPLE.COM}} would have the associated DN:
-> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=kurt,cn=gssapi,cn=auth
and the principal {{EX:ursula/admin@FOREIGN.REALM}} would have the associated DN:
-> uid=ursula/admin,cn=foreign.realm,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth
-The authentication request DN can be used directly ACLs and +The authentication request DN can be used directly in ACLs and {{EX:groupOfNames}} "member" attributes, since it is of legitimate LDAP DN format. Or alternatively, the authentication DN could be mapped before use. See the section {{SECT:Mapping Authentication Identities}} for details.
+If you configure olcSaslRealm then it is always inserted as an extra +component in the authorization DN, regardless of the realm of the client. +For example, if you set olcSaslRealm to {{EX:example.com}} then you will +get: + +> uid=kurt,cn=example.com,cn=gssapi,cn=auth +> uid=ursula/admin@foreign.realm,cn=example.com,cn=gssapi,cn=auth
H3: KERBEROS_V4
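Review bot: the added olcSaslRealm paragraph calls the result the "authorization DN" while the rest of this section (including the line it follows) calls it the "authentication request DN"; use one term so readers do not take the two for different things. The hunk also never says whether the realm carried in the uid component is normalized to lowercase: the example maps ursula/admin@FOREIGN.REALM to uid=ursula/admin@foreign.realm, but the new sentence about Cyrus SASL omitting the default realm does not state the case rule, and anyone writing an authz-regexp against that DN needs it; one sentence such as "the realm appears in lowercase, as in the examples below" would close the gap.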
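Worked example, added here and not part of the thread or of OpenLDAP's own code: the mapping that authz-regexp (olcAuthzRegexp in cn=config) performs, applied to the auth DNs from the original post and to the realm-omitted form described in Brian's patch, plus the ldapmodify input that installs the rules under cn=config. Assumptions: the DN is compared case-insensitively (mirroring slapd's normalization, since the thread shows realms in lowercase), and the second rule with its restricted capture group is my addition, not something the thread proposes.

```python
import re

# Rule from the original post: expects the realm as its own RDN (cn=example.com).
OP_RULE = (r"uid=(.*),cn=example.com,cn=gssapi,cn=auth",
           r"uid=$1,ou=people,dc=example,dc=com")

# Added rule for the realm-omitted form in Brian's patch (uid=kurt,cn=gssapi,cn=auth).
# The capture excludes '@' so a foreign-realm principal such as
# ursula/admin@foreign.realm is NOT silently mapped into ou=people.
DEFAULT_REALM_RULE = (r"uid=([^,@]*),cn=gssapi,cn=auth",
                      r"uid=$1,ou=people,dc=example,dc=com")

def apply_authz_regexp(auth_dn, rules):
    """Return the mapped DN for the first matching rule, or None if no rule matches.
    Assumption: the auth DN is lowercased before matching, as slapd normalizes it."""
    dn = auth_dn.lower()
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, dn, flags=re.IGNORECASE)
        if m is None:
            continue
        # $1..$9 in the replacement refer to the pattern's capture groups
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None

def authz_regexp_ldif(rules, policy="from"):
    """Build ldapmodify input that sets olcAuthzPolicy and olcAuthzRegexp on cn=config.
    olcAuthzRegexp is an ordered attribute, so each value carries a {n} prefix."""
    lines = ["dn: cn=config", "changetype: modify",
             "replace: olcAuthzPolicy", f"olcAuthzPolicy: {policy}", "-",
             "replace: olcAuthzRegexp"]
    for i, (pattern, replacement) in enumerate(rules):
        lines.append(f"olcAuthzRegexp: {{{i}}}{pattern} {replacement}")
    lines.append("-")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for dn in ("uid=kurt,cn=example.com,cn=GSSAPI,cn=auth",   # form the OP's rule expects
               "uid=kurt,cn=gssapi,cn=auth",                   # default realm omitted
               "uid=ursula/admin@foreign.realm,cn=gssapi,cn=auth"):
        print(dn, "->", apply_authz_regexp(dn, [OP_RULE, DEFAULT_REALM_RULE]))
    print(authz_regexp_ldif([OP_RULE, DEFAULT_REALM_RULE]))
```

Feed the printed LDIF to `ldapmodify -Y EXTERNAL -H ldapi:///` (as root on the slapd host) to apply it; the foreign-realm principal maps to None, so it keeps its raw auth DN and needs its own rule or ACL entry.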
Quoting "sarathkrishna89@gmail.com" sarathkrishna89@gmail.com:
> For authenticating via OpenLDAP, the principals need to be rewritten (using authz-policy and authz-regexp). We know how to do that in the older version of OpenLDAP which had slapd.conf, but don't know how to do the same in the new OpenLDAP which has the slapd.d directory instead. The manuals also don't say anything on this issue.
The switch from slapd.conf to cn=config takes a little getting used to, plus the migration script may not work for you, but in the end I produced a set of procedures that should tell you most of what you want to know:
* Integrated Kerberos-OpenLDAP provider on Debian squeeze http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php
* Integrated Kerberos-OpenLDAP consumer on Debian squeeze http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php
True, I didn't use Ubuntu in these examples, but I would not be surprised if the procedures were almost identical, certainly with cn=config.
Cheers,
Jaap
Jaap Winius wrote:
> Quoting "sarathkrishna89@gmail.com" sarathkrishna89@gmail.com:
>> For authenticating via OpenLDAP, the principals need to be rewritten (using authz-policy and authz-regexp). We know how to do that in the older version of OpenLDAP which had slapd.conf, but don't know how to do the same in the new OpenLDAP which has the slapd.d directory instead. The manuals also don't say anything on this issue.
> The switch from slapd.conf to cn=config takes a little getting used to, plus the migration script may not work for you, but in the end I produced a set of procedures that should tell you most of what you want to know:
> * Integrated Kerberos-OpenLDAP provider on Debian squeeze http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-provider.php
> * Integrated Kerberos-OpenLDAP consumer on Debian squeeze http://www.rjsystems.nl/en/2100-d6-kerberos-openldap-consumer.php
> True, I didn't use Ubuntu in these examples, but I would not be surprised if the procedures were almost identical, certainly with cn=config.
If you read http://highlandsun.com/hyc/drafts/draft-chu-ldap-xordered-xx.html you could simplify your ACL changes in 7.1.1.x.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {2}
olcAccess: {1}
olcAccess: {0}
-
Similarly in 7.1.2.x you don't need to specify the prefixes when you're adding rules in order.
Cheers,
Jaap