Thank you for the response. I ran the command and it looks like there's none supported. This is strange. How can I allow GSSAPI?
frisbee# /usr/local/bin/ldapsearch -x -H ldap://localhost -b "" -s base supportedSaslMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSaslMechanisms
#

#
dn:

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
On Mon, Aug 10, 2009 at 9:29 AM, cr4z3d@gmail.com wrote:
I apologize for that, it was early in the morning. Gmail likes to reply to sender.
------Original Message------
From: Dieter Kluenter
To: Allan
Subject: Re: OpenLDAP + Kerberos on FreeBSD 7.2, close to working but not quite
Sent: Aug 10, 2009 8:46 AM
Please no private mail, stay on the mailinglist, unless you want to buy my professional support.
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°08'09,95"N 10°08'02,42"E
Allan cr4z3d@gmail.com writes:
Thank you for the response. I ran the command and it looks like there's none supported. This is strange. How can I allow GSSAPI?
Is openldap compiled with sasl support? Is lib/sasl2/libgssapi or any other sasl mechanism available?
-Dieter
OpenLDAP is compiled with SASL support. I remember checking the box for SASL and if I cd /usr/ports/net/openldap24-server && make config I see that SASL is indeed marked. As far as checking for libgssapi, I ran the following to verify:
frisbee# locate libgssapi
/usr/lib/libgssapi.a
/usr/lib/libgssapi.so
/usr/lib/libgssapi.so.9
/usr/lib/libgssapi_krb5.a
/usr/lib/libgssapi_krb5.so
/usr/lib/libgssapi_krb5.so.9
/usr/local/lib/sasl2/libgssapiv2.a
/usr/local/lib/sasl2/libgssapiv2.la
/usr/local/lib/sasl2/libgssapiv2.so
/usr/local/lib/sasl2/libgssapiv2.so.2
On Mon, Aug 10, 2009 at 5:28 PM, Dieter Kluenter dieter@dkluenter.de wrote:
Allan cr4z3d@gmail.com writes:
OpenLDAP is compiled with SASL support. I remember checking the box for SASL and if I cd /usr/ports/net/openldap24-server && make config I see that SASL is indeed marked. As far as checking for libgssapi, I ran the following to verify:
Hm, I don't know much about FreeBSD, but this seems to be a libsasl problem. Check whether slapd has really been built with libsasl, and if the dynamic linker provides all relevant libraries. Googling for freeBSD+libsasl+libgssapiv2 supplied lots of hits, mostly postfix related, but this wouldn't matter here.
-Dieter
Allan cr4z3d@gmail.com writes:
OpenLDAP is compiled with SASL support. I remember checking the box for SASL and if I cd /usr/ports/net/openldap24-server && make config I see that SASL is indeed marked. As far as checking for libgssapi, I ran the following to verify:
Is libsasl really linked to slapd? 'ldd slapd', or whatever tool is supplied with FreeBSD, will prove it.
frisbee# locate libgssapi
/usr/lib/libgssapi.a
/usr/lib/libgssapi.so
/usr/lib/libgssapi.so.9
/usr/lib/libgssapi_krb5.a
/usr/lib/libgssapi_krb5.so
/usr/lib/libgssapi_krb5.so.9
/usr/local/lib/sasl2/libgssapiv2.a
/usr/local/lib/sasl2/libgssapiv2.la
/usr/local/lib/sasl2/libgssapiv2.so
/usr/local/lib/sasl2/libgssapiv2.so.2
This looks similar to mine, and the output of ldapsearch is:
dieter@rubin:~> ldapsearch -x -LLL -ZZ -H ldap://localhost -b "" -s base supportedSaslMechanisms
dn:
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
I really suspect that libsasl is not linked to slapd.
-Dieter
Seems like slapd is linked to gssapi and sasl. Are there simply command line options I'm missing to start up slapd?
frisbee# ldd /usr/local/libexec/slapd
/usr/local/libexec/slapd:
        libldap_r-2.4.so.6 => /usr/local/lib/libldap_r-2.4.so.6 (0x2820b000)
        liblber-2.4.so.6 => /usr/local/lib/liblber-2.4.so.6 (0x28250000)
        libdb-4.6.so.0 => /usr/local/lib/libdb-4.6.so.0 (0x2825d000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28385000)
        libgssapi.so.9 => /usr/lib/libgssapi.so.9 (0x2839c000)
        libssl.so.5 => /usr/lib/libssl.so.5 (0x283a3000)
        libcrypto.so.5 => /lib/libcrypto.so.5 (0x283e4000)
        libfetch.so.5 => /usr/lib/libfetch.so.5 (0x2853d000)
        libcom_err.so.4 => /usr/lib/libcom_err.so.4 (0x2854a000)
        libcrypt.so.4 => /lib/libcrypt.so.4 (0x2854c000)
        libwrap.so.5 => /usr/lib/libwrap.so.5 (0x28565000)
        libthr.so.3 => /lib/libthr.so.3 (0x2856c000)
        libc.so.7 => /lib/libc.so.7 (0x28581000)
Here's the config I used to make openldap just to be sure it wasn't a compile error:
frisbee# cd /usr/ports/net/openldap24-server/
frisbee# make showconfig
===> The following configuration options are available for openldap-sasl-server-2.4.16:
     SASL=on "With (Cyrus) SASL2 support"
     DYNACL=off "Run-time loadable ACL (experimental)"
     ACI=off "Per-object ACI (experimental)"
     DNSSRV=off "With Dnssrv backend"
     PASSWD=on "With Passwd backend"
     PERL=off "With Perl backend"
     RELAY=on "With Relay backend"
     SHELL=off "With Shell backend (disables threading)"
     SOCK=off "With Sock backend"
     ODBC=off "With SQL backend"
     RLOOKUPS=off "With reverse lookups of client hostnames"
     SLP=off "With SLPv2 (RFC 2608) support"
     SLAPI=off "With Netscape SLAPI plugin API"
     TCP_WRAPPERS=on "With tcp wrapper support"
     BDB=on "With BerkeleyDB support"
     ACCESSLOG=off "With In-Directory Access Logging overlay"
     AUDITLOG=off "With Audit Logging overlay"
     COLLECT=off "With Collect overy Services overlay"
     CONSTRAINT=off "With Attribute Constraint overlay"
     DDS=on "With Dynamic Directory Services overlay"
     DEREF=off "With Dereference overlay"
     DYNGROUP=on "With Dynamic Group overlay"
     DYNLIST=on "With Dynamic List overlay"
     LASTMOD=on "With Last Modification overlay"
     MEMBEROF=off "With Reverse Group Membership overlay"
     PPOLICY=on "With Password Policy overlay"
     PROXYCACHE=off "With Proxy Cache overlay"
     REFINT=on "With Referential Integrity overlay"
     RETCODE=on "With Return Code testing overlay"
     RWM=on "With Rewrite/Remap overlay"
     SEQMOD=on "Sequential Modify overlay"
     SYNCPROV=on "With Syncrepl Provider overlay"
     TRANSLUCENT=off "With Translucent Proxy overlay"
     UNIQUE=off "With attribute Uniqueness overlay"
     VALSORT=off "With Value Sorting overlay"
     SMBPWD=off "With Samba Password hashes overlay"
     DYNAMIC_BACKENDS=off "Build dynamic backends"
===> Use 'make config' to modify these settings
On Tue, Aug 11, 2009 at 6:38 AM, Dieter Kluenter dieter@dkluenter.de wrote:
Allan cr4z3d@gmail.com writes:
Seems like slapd is linked to gssapi and sasl. Are there simply command line options I'm missing to start up slapd?
frisbee# ldd /usr/local/libexec/slapd
/usr/local/libexec/slapd:
        libldap_r-2.4.so.6 => /usr/local/lib/libldap_r-2.4.so.6 (0x2820b000)
        liblber-2.4.so.6 => /usr/local/lib/liblber-2.4.so.6 (0x28250000)
        libdb-4.6.so.0 => /usr/local/lib/libdb-4.6.so.0 (0x2825d000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28385000)
        libgssapi.so.9 => /usr/lib/libgssapi.so.9 (0x2839c000)
These seem to be different libraries than the sasl libraries, as below:
/usr/local/lib/sasl2/libgssapiv2.a
/usr/local/lib/sasl2/libgssapiv2.la
/usr/local/lib/sasl2/libgssapiv2.so
/usr/local/lib/sasl2/libgssapiv2.so.2
-Dieter
Dieter Kluenter wrote:
Allan cr4z3d@gmail.com writes:
Seems like slapd is linked to gssapi and sasl. Are there simply command line options I'm missing to start up slapd?
frisbee# ldd /usr/local/libexec/slapd
/usr/local/libexec/slapd:
        libldap_r-2.4.so.6 => /usr/local/lib/libldap_r-2.4.so.6 (0x2820b000)
        liblber-2.4.so.6 => /usr/local/lib/liblber-2.4.so.6 (0x28250000)
        libdb-4.6.so.0 => /usr/local/lib/libdb-4.6.so.0 (0x2825d000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x28385000)
        libgssapi.so.9 => /usr/lib/libgssapi.so.9 (0x2839c000)
These seem to be different libraries than the sasl libraries, as below:
/usr/local/lib/sasl2/libgssapiv2.a
/usr/local/lib/sasl2/libgssapiv2.la
/usr/local/lib/sasl2/libgssapiv2.so
/usr/local/lib/sasl2/libgssapiv2.so.2
These usually are dynamically loaded by libsasl2, so they would never be directly linked into the slapd (or any other) binaries.
Most likely the gssapi plugin is not initializing itself, maybe because there is no krb5.conf file, or because there is no keytab with slapd's key inside, or the files are not readable by slapd, etc...
I have both those files, however, not sure if the permissions are set correctly:
frisbee# ls -l /etc/krb5*
-rw-r--r--  1 root  wheel  128 Aug  7 14:09 /etc/krb5.conf
-rw-------  1 root  wheel  286 Aug  7 16:01 /etc/krb5.keytab
As far as the keytab file goes, I used this to create it:
frisbee# kadmin -l
kadmin> ext ldap/frisbee.crazy.lan
kadmin> exit
Just to clarify, ldap and kerberos are running on the same machine (frisbee.crazy.lan).
Also here's the contents of krb5.conf just to catch any errors you may find:
frisbee# cat /etc/krb5.conf
[libdefaults]
        default_realm = CRAZY.LAN

[logging]
        kdc = 0/FILE:/var/log/kdc.log
        kdc = 1-/SYSLOG:INFO:USER
        default = STDERR
I have the proper DNS settings for kerberos, here's my BIND setup:
frisbee             IN A    192.168.1.5
_kerberos._udp      IN SRV  01 00 88  frisbee.crazy.lan.
_kerberos._tcp      IN SRV  01 00 88  frisbee.crazy.lan.
_kpasswd._udp       IN SRV  01 00 464 frisbee.crazy.lan.
_kerberos-adm._tcp  IN SRV  01 00 749 frisbee.crazy.lan.
_kerberos           IN TXT  CRAZY.LAN
On Tue, Aug 11, 2009 at 4:42 PM, Howard Chu hyc@symas.com wrote:
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Allan cr4z3d@gmail.com writes:
I have both those files, however, not sure if the permissions are set correctly:
frisbee# ls -l /etc/krb5*
-rw-r--r--  1 root  wheel  128 Aug  7 14:09 /etc/krb5.conf
-rw-------  1 root  wheel  286 Aug  7 16:01 /etc/krb5.keytab
Usually slapd runs as an unprivileged user and thus could not read krb5.keytab, but that may not be the case on your system.
-Dieter
I've made sure that krb5.keytab is owned by the ldap group and group readable. I've come to the conclusion that this must have something to do with SASL, since kinit works with ldap users. I'm unsure of where to go from here to continue trying to get this working.
On Wed, Aug 12, 2009 at 3:52 AM, Dieter Kluenter dieter@dkluenter.de wrote:
Allan cr4z3d@gmail.com writes:
I've made sure that krb5.keytab is owned by the ldap group and group readable. I've come to the conclusion that this must have something to do with SASL, since kinit works with ldap users. I'm unsure of where to go from here to continue trying to get this working.
It seems you have two sasl versions on your system. cyrus-sasl-2.x mechanisms are only homed in lib/sasl2.
-Dieter
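As an added example (not code from the thread, from OpenLDAP or from Cyrus SASL), here is a small POSIX sh script that does the three checks the thread converges on: parse the root DSE for supportedSASLMechanisms, confirm the Cyrus SASL libgssapiv2 plugin is present in the plugin directory, and judge whether the keytab is readable by the slapd user without being readable by everyone on the host. The slapd user/group "ldap", the keytab path and the plugin directory are assumptions taken from the thread's FreeBSD layout; the LDIF and keytab checks work on captured output, so they can be exercised offline.

```shell
#!/bin/sh
# Added diagnostic script, not from the thread. It runs the checks the thread
# walks through for a slapd that does not advertise GSSAPI. Assumed defaults:
# slapd runs as user/group "ldap" (placeholder), keytab /etc/krb5.keytab,
# Cyrus SASL plugin dir /usr/local/lib/sasl2 (the FreeBSD paths from the thread).
SLAPD_USER="${SLAPD_USER:-ldap}"
SLAPD_GROUP="${SLAPD_GROUP:-ldap}"
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
SASL_PLUGIN_DIR="${SASL_PLUGIN_DIR:-/usr/local/lib/sasl2}"

# Print the mechanism names from root-DSE LDIF on stdin, one per line. LDIF folds
# long values onto continuation lines that start with a space, so unfold first;
# the attribute name is matched case-insensitively.
sasl_mechs_from_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    awk -F': ' 'tolower($1) == "supportedsaslmechanisms" { print $2 }'
}

# Exit 0 if the mechanism list on stdin contains GSSAPI.
offers_gssapi() { grep -qx GSSAPI; }

# Ask a live server for its mechanisms (needs ldapsearch in PATH).
query_mechs() {
    ldapsearch -x -LLL -H "$1" -b "" -s base supportedSASLMechanisms | sasl_mechs_from_ldif
}

# Judge one "ls -l" line for the keytab from slapd's point of view.
# $1: the ls -l line, $2: slapd user, $3: slapd group. Prints "world-readable"
# (anyone on the host can copy the key; fix that first), "ok", or
# "unreadable by <user>" (the thread's -rw------- root:wheel case).
keytab_verdict() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    owner=$(printf '%s\n' "$1" | awk '{print $3}')
    group=$(printf '%s\n' "$1" | awk '{print $4}')
    case $mode in ???????r??) echo world-readable; return 0 ;; esac
    if [ "$owner" = "$2" ]; then case $mode in ?r????????) echo ok; return 0 ;; esac; fi
    if [ "$group" = "$3" ]; then case $mode in ????r?????) echo ok; return 0 ;; esac; fi
    echo "unreadable by $2"
}

# Live run against the local server: sh slapd-gssapi-check.sh run
if [ "${1:-}" = run ]; then
    if query_mechs "${LDAP_URI:-ldap://localhost}" | offers_gssapi; then echo "GSSAPI offered"
    else echo "GSSAPI not offered"; fi
    ls "$SASL_PLUGIN_DIR"/libgssapiv2.so* >/dev/null 2>&1 || echo "no libgssapiv2 plugin in $SASL_PLUGIN_DIR"
    keytab_verdict "$(ls -l "$KEYTAB")" "$SLAPD_USER" "$SLAPD_GROUP"
fi
```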
openldap-technical@openldap.org