7:34 a.m.
Hello to all,
I'm trying to get GSSAPI authentication running with the symas-packages.
I generated a ldap.keytab file and it's readable for the ldap-user
running the slapd. With the Debian-packages I ad:
---------
export KRB5_KTNAME="/path/to/ldap.keytab"
---------
I don't want to use the system keytab /etc/krb5.keytab. How do I tell
slapd from the symas-packages to use my service-keytab?
I try to add to my /etc/default/symas-openldap:
---------
KRB5_KTNAME="/path/to/ldap.keytab
---------
but it's not working.
Stefan
8:05 a.m.
17.12.2021 17:34, Stefan Kania пишет:
Hello to all,
I'm trying to get GSSAPI authentication running with the symas-packages.
I generated a ldap.keytab file and it's readable for the ldap-user
running the slapd. With the Debian-packages I ad:
---------
export KRB5_KTNAME="/path/to/ldap.keytab"
---------
I don't want to use the system keytab /etc/krb5.keytab. How do I tell
slapd from the symas-packages to use my service-keytab?
I try to add to my /etc/default/symas-openldap:
---------
KRB5_KTNAME="/path/to/ldap.keytab
---------
but it's not working.
Stefan
Hello.
First of all you should determine, if ENV "KRB5_KTNAME" is using by
running process. Try this to extract all of ENVs
strings –a /proc/<pid_of_the_process_ldap>/environ
If you cann't see KRB5_KTNAME, you can try to add
export KRB5_KTNAME="/path/to/ldap.keytab"
to startup script
If you see KRB5_KTNAME, thats means symas-openldap doesn't use KRB5_KTNAME.
10:28 p.m.
Am Fri, 17 Dec 2021 16:34:41 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
Hello to all,
I'm trying to get GSSAPI authentication running with the
symas-packages. I generated a ldap.keytab file and it's readable for
the ldap-user running the slapd. With the Debian-packages I ad:
---------
export KRB5_KTNAME="/path/to/ldap.keytab"
---------
I don't want to use the system keytab /etc/krb5.keytab. How do I tell
slapd from the symas-packages to use my service-keytab?
I try to add to my /etc/default/symas-openldap:
---------
KRB5_KTNAME="/path/to/ldap.keytab
---------
but it's not working.
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab
/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
-Dieter
--
Dieter Klünter | Systemberatungslapd
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
9:06 a.m.
Hi Dieter
Am 18.12.21 um 07:28 schrieb Dieter Klünter:
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab
/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
The configuration is working but for the symas-packages the files must
be in /opt/symas/etc/sasl2 and /opt/symas/etc.
But now the ldap server is GSSAPI missing:
----------
root@ldap01:~# ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Couldn't find
mech GSSAPI
---------
The package "libsasl2-modules-gssapi-mit", "libgssapi-krb5-2" and
"symas-cyrus-sasl-lib" are installed but:
---------
root@ldap01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
-supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
---------
Is not showing GSSAPI as valid mechanism. As I said, it's the first time
I try the symas-packages with kerberos: Do I miss something else?
If I do the same on Debian10 with the Debian OpenLDAP-packages I get:
---------------
root@provider-stat:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
---------------
Stefan
5:14 a.m.
Am Sat, 18 Dec 2021 07:28:16 +0100
schrieb Dieter Klünter <dieter(a)dkluenter.de>:
Am Fri, 17 Dec 2021 16:34:41 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
> Hello to all,
>
> I'm trying to get GSSAPI authentication running with the
> symas-packages. I generated a ldap.keytab file and it's readable for
> the ldap-user running the slapd. With the Debian-packages I ad:
[...]
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab
/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
I remeber that I did in the old days some succesful debugging with
sasl-server and sasl-client.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
10:59 a.m.
Am 21.12.21 um 14:14 schrieb Dieter Klünter:
Am Sat, 18 Dec 2021 07:28:16 +0100
schrieb Dieter Klünter <dieter(a)dkluenter.de>:
> Am Fri, 17 Dec 2021 16:34:41 +0100
> schrieb Stefan Kania <stefan(a)kania-online.de>:
>
>> Hello to all,
>>
>> I'm trying to get GSSAPI authentication running with the
>> symas-packages. I generated a ldap.keytab file and it's readable for
>> the ldap-user running the slapd. With the Debian-packages I ad:
> [...]
> /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 cram-md5 external
> keytab: /etc/openldap/ldap.keytab
>
> /etc/ldap.conf
> KRB5_KTNAME=/etc/openldap/krb5.keytab
> SASL_MECH GSSAPI
> SASL_REALM My.SASL.REALM
I remeber that I did in the old days some succesful debugging with
sasl-server and sasl-client.
I will test it, but I think that GSSAPI is not compiled in to thr symas
packages.
Stefan
-Dieter
--
Stefan Kania
Landweg 13
25693 St. Michaelisdonn
Signieren jeder E-Mail hilft Spam zu reduzieren und schützt Ihre
Privatsphäre. Ein kostenfreies Zertifikat erhalten Sie unter
https://www.dgn.de/dgncert/index.html
Download der root-Zertifikate: https://www.dgn.de/dgncert/downloads.html
1:19 p.m.
On 12/21/21 19:59, Stefan Kania wrote:
but I think that GSSAPI is not compiled in to thr symas packages.
Not true.
It is linked against heimdal libs from package symas-heimdal-libs:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
Ciao, Michael.
1:31 a.m.
Am 21.12.21 um 22:19 schrieb Michael Ströder:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
I
don't know which packages you are using, but can't confirm that:
---------------------
root@ldap01:~# dpkg -l | grep symas
ii symas-cyrus-sasl-lib 2.1.27-4bullseye1 amd64
Cyrus-SASL Libraries
ii symas-heimdal-lib 7.7.0-5bullseye1 amd64
Heimdal Libraries
ii symas-libargon2-lib 20190702-2bullseye1 amd64
libargon2 libraries
ii symas-libevent-lib 2.1.12-stable-2bullseye1 amd64
libevent Libraries
ii symas-openldap-clients 2.6.0-5bullseye1 amd64
OpenLDAP Client Binaries
ii symas-openldap-lib 2.6.0-5bullseye1 amd64
OpenLDAP Libraries
ii symas-openldap-server 2.6.0-5bullseye1 amd64
OpenLDAP Server Binaries
ii symas-openssl-lib 1.1.1l-2bullseye1 amd64
OpenSSL Libraries
-------------------------
I can find /opt/symas/lib/libgssapi.so.3 but as you can see, in my
"ldd" output, it's not used.
---------------------
root@ldap01:~# ldd /opt/symas/lib/slapd
linux-vdso.so.1 (0x00007fff036e0000)
libldap.so.2 => /opt/symas/lib/libldap.so.2 (0x00007f53191c7000)
liblber.so.2 => /opt/symas/lib/liblber.so.2 (0x00007f53191b6000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7
(0x00007f53191a7000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0
(0x00007f53190f2000)
libsasl2.so.3 => /opt/symas/lib/libsasl2.so.3 (0x00007f53190d5000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007f531909a000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f5319076000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5318eb1000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2
(0x00007f5318e97000)
libssl.so.1.1 => /opt/symas/lib/libssl.so.1.1 (0x00007f5318e06000)
libcrypto.so.1.1 => /opt/symas/lib/libcrypto.so.1.1
(0x00007f5318b2d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f5318b27000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007f5318b1a000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5
(0x00007f5318af2000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1
(0x00007f5318a17000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1
(0x00007f53189f4000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20
(0x00007f53188d4000)
/lib64/ld-linux-x86-64.so.2 (0x00007f53193de000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0
(0x00007f53188ac000)
--------------------------
So no gssapi included
My os is:
-------------
root@ldap01:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-------------
either it's still a configuration problem, or it's missing. If it's a
configuration problem, how can I fix it?
Stefan
1:51 a.m.
On 12/22/21 10:31, Stefan Kania wrote:
Am 21.12.21 um 22:19 schrieb Michael Ströder:
>
> # ldd /opt/symas/lib/slapd
> [..]
> libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
> libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
I don't know which packages you are using, but can't confirm that:
Ah, I'm using the Symas packages on RHEL8-alike systems. I don't have
test systems around with the Debian packages.
Ciao, Michael.
2:38 a.m.
Am 22.12.21 um 10:31 schrieb Stefan Kania:
either it's still a configuration problem, or it's missing.
If it's a
configuration problem, how can I fix it?
I now built OpenLDAP from source with this options:
--------------
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl
--with-tls=openssl --enable-overlays=mod --enable-backends=mod
--disable-perl --disable-ndb --enable-crypt --enable-modules
--enable-dynamic --enable-syslog --enable-debug --en able-local
--enable-spasswd --disable-sql --prefix=/opt/openldap-current
--with-sasl=yes
--------------
Still no gssapi :-(. Did I miss something here?
--------------
root@ldap-p01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
root@ldap-p01:~# ldd /opt/openldap-current/libexec/slapd
linux-vdso.so.1 (0x00007ffc23985000)
libldap.so.2 => /opt/openldap-current/lib/libldap.so.2
(0x00007f160e666000)
liblber.so.2 => /opt/openldap-current/lib/liblber.so.2
(0x00007f160e657000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7
(0x00007f160e646000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f160e641000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2
(0x00007f160e624000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1
(0x00007f160e592000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1
(0x00007f160e2a7000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1
(0x00007f160e26d000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2
(0x00007f160e253000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f160e232000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f160e071000)
/lib64/ld-linux-x86-64.so.2 (0x00007f160e872000)
--------------
As long as I can't see "supportedSASLMechanisms: GSSAPI" I can't get
the
kerberos-authentication working.
3:49 a.m.
Am Wed, 22 Dec 2021 11:38:32 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
Am 22.12.21 um 10:31 schrieb Stefan Kania:
> either it's still a configuration problem, or it's missing. If it's
> a configuration problem, how can I fix it?
I now built OpenLDAP from source with this options:
--------------
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl
--with-tls=openssl --enable-overlays=mod --enable-backends=mod
--disable-perl --disable-ndb --enable-crypt --enable-modules
--enable-dynamic --enable-syslog --enable-debug --en able-local
--enable-spasswd --disable-sql --prefix=/opt/openldap-current
--with-sasl=yes
--------------
Still no gssapi :-(. Did I miss something here?
[...]
You probabely missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probabely some more.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
4:01 a.m.
Am Wed, 22 Dec 2021 12:49:54 +0100
schrieb Dieter Klünter <dieter(a)dkluenter.de>:
Am Wed, 22 Dec 2021 11:38:32 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
> Am 22.12.21 um 10:31 schrieb Stefan Kania:
> > either it's still a configuration problem, or it's missing. If
> > it's a configuration problem, how can I fix it?
>
> I now built OpenLDAP from source with this options:
> --------------
> ./configure --enable-argon2 --with-argon2=libargon2
> --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> --enable-modules --enable-dynamic --enable-syslog --enable-debug
> --en able-local --enable-spasswd --disable-sql
> --prefix=/opt/openldap-current --with-sasl=yes
> --------------
> Still no gssapi :-(. Did I miss something here?
[...]
You probabely missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probabely some more.
and check the libraries in /usr/lib64/sasl2/
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
6:01 a.m.
Am 22.12.21 um 13:01 schrieb Dieter Klünter:
You probabely missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probabely some more.
and check the libraries in /usr/lib64/sasl2/
I installed libkrb5-dev krb5-multidev libsasl2-dev
I found:
root@ldap25-p02:/opt# ls /usr/include/gssapi/
gssapi_ext.h gssapi_generic.h gssapi.h gssapi_krb5.h mechglue.h
root@ldap25-p02:/opt# ls /usr/include/krb5/
ccselect_plugin.h certauth_plugin.h clpreauth_plugin.h
hostrealm_plugin.h kadm5_auth_plugin.h kadm5_hook_plugin.h
kdcpolicy_plugin.h kdcpreauth_plugin.h krb5.h localauth_plugin.h
locate_plugin.h plugin.h preauth_plugin.h pwqual_plugin.h
root@ldap25-p02:/opt# ls /usr/include/sasl/
hmac-md5.h md5global.h md5.h prop.h sasl.h saslplug.h saslutil.h
Recompiled openldap and now I finaly got:
root@ldap25-p02:/opt# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
But still GSSAPI is not showing up on my hosts with the symas-packages
installed.
I checked the installed sasl2 and krb5 packages of the self compiled
system and the system with the symas packages. The lists of the packages
are identically.
4:18 a.m.
Am Wed, 22 Dec 2021 12:49:54 +0100
schrieb Dieter Klünter <dieter(a)dkluenter.de>:
Am Wed, 22 Dec 2021 11:38:32 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
> Am 22.12.21 um 10:31 schrieb Stefan Kania:
> > either it's still a configuration problem, or it's missing. If
> > it's a configuration problem, how can I fix it?
>
> I now built OpenLDAP from source with this options:
> --------------
> ./configure --enable-argon2 --with-argon2=libargon2
> --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> --enable-modules --enable-dynamic --enable-syslog --enable-debug
> --en able-local --enable-spasswd --disable-sql
> --prefix=/opt/openldap-current --with-sasl=yes
> --------------
> Still no gssapi :-(. Did I miss something here?
[...]
You probabely missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probabely some more.
Sorry, just an other hint. Check the sources files
openldap/include/ldap.h
/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL 0x6201
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
5:27 a.m.
Am 22.12.21 um 13:18 schrieb Dieter Klünter:
/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL 0x6201
--
I did:
root@ldap25-p02:/opt/openldap-2.6.0# grep -ir X_GSSAPI *
and got... nothing
2:45 a.m.
Am Wed, 22 Dec 2021 14:27:37 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
Am 22.12.21 um 13:18 schrieb Dieter Klünter:
> /* OpenLDAP SASL options */
> [...]
> /* OpenLDAP GSSAPI options */
> #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
> #define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL 0x6201
Did you simply test by ldapwhoami(1) with all available Mechanism?
ldapwhoami -Y gssapi -U dieter -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dieter@MyREALM
SASL SSF: 256
SASL data security layer installed.
dn: ....
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
8:58 a.m.
--On Tuesday, December 21, 2021 10:19 PM +0100 Michael Ströder
<michael(a)stroeder.com> wrote:
On 12/21/21 19:59, Stefan Kania wrote:
> but I think that GSSAPI is not compiled in to thr symas packages.
Not true.
It is linked against heimdal libs from package symas-heimdal-libs:
# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x00007f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x00007f6d6347e000)
An ldd of slapd never tells you whether or not it has GSSAPI support. What
mechansisms SASL supports are limited by whatever modules are in
/opt/symas/lib/sasl2 (for Symas OpenLDAP builds). Similar idea for OS
builds, etc, just with their paths instead.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1:45 a.m.
New subject: Antw: [EXT] Re: symas openldap-packages and kerberos
>> Dieter Klünter <dieter(a)dkluenter.de> schrieb am
18.12.2021 um 07:28 in
Nachricht <20211218072816.769b483e(a)pink.fritz.box>:
Am Fri, 17 Dec 2021 16:34:41 +0100
schrieb Stefan Kania <stefan(a)kania-online.de>:
> Hello to all,
>
> I'm trying to get GSSAPI authentication running with the
> symas-packages. I generated a ldap.keytab file and it's readable for
> the ldap-user running the slapd. With the Debian-packages I ad:
> ---------
> export KRB5_KTNAME="/path/to/ldap.keytab"
> ---------
>
> I don't want to use the system keytab /etc/krb5.keytab. How do I tell
> slapd from the symas-packages to use my service-keytab?
>
> I try to add to my /etc/default/symas-openldap:
> ---------
> KRB5_KTNAME="/path/to/ldap.keytab
> ---------
> but it's not working.
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab
/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
Dieter,
I wonder: Did you "just know", or is that documented somewhere? If the latter,
maybe also add where you found those pearls of wisdom.
Regards,
Ulrich
-Dieter
--
Dieter Klünter | Systemberatungslapd
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
8:51 a.m.
New subject: Antw: [EXT] Re: symas openldap-packages and kerberos
On 12/27/21 10:45, Ulrich Windl wrote:
Dieter Klünter wrote:
> /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 cram-md5 external
> keytab: /etc/openldap/ldap.keytab
>
> /etc/ldap.conf
> KRB5_KTNAME=/etc/openldap/krb5.keytab
> SASL_MECH GSSAPI
> SASL_REALM My.SASL.REALM
I wonder: Did you "just know", or is that documented somewhere? If the latter,
maybe also add where you found those pearls of wisdom.
These information is spread over Kerberos, Cyrus-SASL and OpenLDAP docs.
Ciao, Michael.
1:27 a.m.
New subject: symas openldap-packages and kerberos [solved]
Thank's for all the help, after all it's running. I thing it has
something to do with my Ansible-script an the order I installed the
packages and set up the configuration. I reinstalled all servers from
scratch and now it looks like this:
--------------
root@ldap01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
--------------
Again, thank you all for the help, several tips got me to the point.
Stefan
Am 17.12.21 um 16:34 schrieb Stefan Kania:
Hello to all,
I'm trying to get GSSAPI authentication running with the symas-packages.
I generated a ldap.keytab file and it's readable for the ldap-user
running the slapd. With the Debian-packages I ad:
---------
export KRB5_KTNAME="/path/to/ldap.keytab"
---------
I don't want to use the system keytab /etc/krb5.keytab. How do I tell
slapd from the symas-packages to use my service-keytab?
I try to add to my /etc/default/symas-openldap:
---------
KRB5_KTNAME="/path/to/ldap.keytab
---------
but it's not working.
Stefan
628
days inactive
645
days old
openldap-technical@openldap.org
19 comments
6 participants
participants (6)
-
Dieter Klünter -
Michael Ströder -
Quanah Gibson-Mount -
skeletor -
Stefan Kania -
Ulrich Windl