Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for authentication/authorization. I'm a bit confused on how to get it all working, but I've gotten far enough that I can run getent passwd test.user and it pulls down the information from ldap (ran as root and non-root user). I can also successfully get a ticket with kinit from various users. Where I run into problems is actually getting services to use GSSAPI. I am currently using nss_ldap and pam_ldap to authenticate during ssh login; if there's a better alternative please let me know.
Here's the setup I've got:

Services -> FQDN -> IP
ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5
ssh -> cake.crazy.lan -> 192.168.1.6
Running kinit:
==============================================================
cake# kinit ldapadm
ldapadm@CRAZY.LAN's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
cake# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ldapadm@CRAZY.LAN

  Issued           Expires          Principal
Aug  9 17:45:41  Aug 10 03:45:41  krbtgt/CRAZY.LAN@CRAZY.LAN
==============================================================
Here's what I run to authenticate with SSH:
==============================================================
cr4z3d@Allan-PC:~$ ssh -v -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes test.user@cake.crazy.lan
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to cake.crazy.lan [192.168.1.6] port 22.
debug1: Connection established.
debug1: identity file /home/cr4z3d/.ssh/identity type -1
debug1: identity file /home/cr4z3d/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/cr4z3d/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cake.crazy.lan' is known and matches the DSA host key.
debug1: Found key in /home/cr4z3d/.ssh/known_hosts:47
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
==============================================================
I've tried different options in /usr/local/etc/ldap.conf for pam_ldap/nss_ldap (the conf files are symlinked). The first one is with SASL turned on and the second without.
==============================================================
# define the ldap server's fqdn
host frisbee.crazy.lan

# define the base search pattern
base dc=crazy,dc=lan

# define the uri
uri ldap://frisbee.crazy.lan

# use starttls
ssl start_tls

# use sasl for all authentications
use_sasl on

# SASL authorization ID
sasl_auth_id host/cake.crazy.lan

# check the server's cert
tls_checkpeer yes

# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem

# enable debug
#debug 9
==============================================================
Here are the logs from the ldap server:
==============================================================
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=192.168.1.6:56955 (IP=0.0.0.0:389)
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
==============================================================
This is where I get a bit confused: it tells me that there's no mechanism for GSSAPI. So I try changing to no SASL options in the configuration file:
==============================================================
# define the ldap server's fqdn
host frisbee.crazy.lan

# define the base search pattern
base dc=crazy,dc=lan

# define the uri
uri ldap://frisbee.crazy.lan

# use starttls
ssl start_tls

# check the server's cert
tls_checkpeer yes

# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem

# enable debug
#debug 9
==============================================================
This leads to the following in the ldap logs when trying to SSH in:
==============================================================
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 ACCEPT from IP=192.168.1.6:63817 (IP=0.0.0.0:389)
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 STARTTLS
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=0 RESULT oid= err=0 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Aug 9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
==============================================================
It just keeps asking for my password and outputs the following in auth.log on the ssh server:
==============================================================
Aug 9 18:36:42 cake sshd[63643]: pam_ldap: error trying to bind as user "uid=test.user,ou=people,dc=crazy,dc=lan" (Server is unwilling to perform)
Aug 9 18:36:42 cake sshd[63640]: error: PAM: authentication error for test.user from 192.168.1.119
Aug 9 18:36:42 cake sshd[63644]: nss_ldap: reconnected to LDAP server ldap://frisbee.crazy.lan after 1 attempt
==============================================================
So while root I tried su test.user and was surprised to see that it had worked. I was able to run commands as test.user such as touch file, but if I tried whoami it just sat there until I broke the command with ctrl+c. On the ldap server I had the following in the logs:
==============================================================
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 ACCEPT from IP=192.168.1.6:60126 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation failure)
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 ACCEPT from IP=192.168.1.6:60601 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 closed (TLS negotiation failure)
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 ACCEPT from IP=192.168.1.6:50915 (IP=0.0.0.0:389)
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 op=0 RESULT oid= err=0 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 closed (TLS negotiation failure)
==============================================================
There seems to be something wrong with the TLS negotiation, but I've ensured that the CN for my key is frisbee.crazy.lan. I set the CA's cert CN to allanfeid.com (I own the domain).
At this point I'm unsure where to go to continue troubleshooting and getting this to work. I'm just trying to get a solid Single Sign-on solution using kerberos, ldap, and sasl for a learning experience. If there is a more appropriate way of achieving this, I'm open to suggestions. Here's my ldap and slapd configuration files:
(server) frisbee# cat /usr/local/etc/openldap/ldap.conf
==============================================================
TLS_CACERT /usr/local/etc/openldap/certs/CA/cacert.pem
==============================================================
(client) cake# cat /usr/local/etc/openldap/ldap.conf
==============================================================
# path to CA's cert
TLS_CACERT /usr/local/etc/openldap/certs/cacert.pem

# define base to our search
BASE dc=crazy,dc=lan

# define uri to openldap
URI ldap://frisbee.crazy.lan
==============================================================
(server) frisbee# cat /usr/local/etc/openldap/slapd.conf
note: I removed a lot of comments to save space
==============================================================
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/duaconf.schema
include /usr/local/etc/openldap/schema/dyngroup.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/krb5-kdc.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# SSL/TLS cipher order preference
TLSCipherSuite HIGH

# Full path to CA cert file
TLSCACertificateFile /usr/local/etc/openldap/certs/CA/cacert.pem

# Full path to server's TLS cert
TLSCertificateFile /usr/local/etc/openldap/certs/private/slapdcert.pem

# Full path to server's TLS key
TLSCertificateKeyFile /usr/local/etc/openldap/certs/private/slapdkey.pem

# Password hashing mechanism
password-hash {SSHA}

# log level
loglevel 256

# refuse simple binds
disallow bind_simple

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=crazy,dc=lan"
directory /var/db/openldap-data

# Indices to maintain
index default eq,pres
index objectClass eq
index cn,sn,givenname,mail eq,pres,sub

# ACL Definitions
authz-policy from
authz-regexp uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=crazy,dc=lan

# SASL hostname
sasl-host frisbee.crazy.lan

access to *
        by dn="uid=ldapadm,cn=gssapi,cn=auth" write
        by * read
access to *
        by * read
==============================================================
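As an added example (not code from the thread), a small triage script that groups slapd log lines like the ones quoted above by connection and names what each one shows: the SASL bind refused because the GSSAPI mechanism is missing (err=7), a simple bind refused with unwillingToPerform (err=53, the "Server is unwilling to perform" that pam_ldap reports when slapd has disallow bind_simple), and the STARTTLS negotiation failure. The log sample is constructed from the thread's lines; conn=99 and its err=53 result are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the slapd log lines quoted in the thread:
# the SASL GSSAPI bind refused (err=7), the anonymous simple bind (method=128),
# a hypothetical user simple bind refused (conn=99, err=53) and a STARTTLS failure.
SLAPD_LOG = """\
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug 9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug 9 18:36:42 frisbee slapd[86935]: conn=99 op=1 BIND dn="uid=test.user,ou=people,dc=crazy,dc=lan" method=128
Aug 9 18:36:42 frisbee slapd[86935]: conn=99 op=1 RESULT tag=97 err=53 text=
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 op=0 STARTTLS
Aug 9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation failure)
"""

BIND_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=(\d+)')
RESULT_RE = re.compile(r"conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)")  # tag 97 = BindResponse
CLOSE_RE = re.compile(r"conn=(\d+) fd=\d+ closed \((.*)\)")
METHOD = {"128": "simple", "163": "sasl"}  # bind method codes as slapd logs them

def triage(log_text):
    """Return {conn: verdict} naming, per connection, how the bind went."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        if m := BIND_RE.search(line):
            conns[m[1]].update(method=METHOD.get(m[3], m[3]), dn=m[2])
        elif m := RESULT_RE.search(line):
            conns[m[1]]["err"] = int(m[2])
        elif m := CLOSE_RE.search(line):
            conns[m[1]]["closed"] = m[2]
    verdicts = {}
    for conn, c in conns.items():
        if "TLS negotiation failure" in c.get("closed", ""):
            verdicts[conn] = "tls-failed"           # CA file / cert CN vs. configured host name
        elif c.get("err") == 7:                     # LDAP authMethodNotSupported
            verdicts[conn] = "sasl-mech-missing"    # Cyrus SASL GSSAPI plugin not available to slapd
        elif c.get("err") == 53:                    # LDAP unwillingToPerform
            verdicts[conn] = "simple-bind-refused"  # e.g. 'disallow bind_simple' in slapd.conf
        elif c.get("err") == 0:
            anon = "-anonymous" if c.get("dn") == "" else ""
            verdicts[conn] = "%s-bind-ok%s" % (c.get("method", "?"), anon)
        else:
            verdicts[conn] = "incomplete"
    return verdicts

if __name__ == "__main__":
    for conn, verdict in sorted(triage(SLAPD_LOG).items(), key=lambda kv: int(kv[0])):
        print("conn=%s %s" % (conn, verdict))
```

Feed it the real slapd log (loglevel 256 as in the slapd.conf above) and the per-connection verdict separates a TLS problem from a SASL one before touching any config.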
Allan cr4z3d@gmail.com writes:
> Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for authentication/authorization. I'm a bit confused on how to get it all working but I've gotten far enough that I can run getent passwd test.user and it pulls down the information from ldap (ran as root and non-root user). I can also successfully get a ticket with kinit from various users. Where I run into problems, is actually getting services to use GSSAPI. I am currently using nss_ldap and pam_ldap to authenticate during ssh login, if there's a better alternative please let me know.
> Here's the setup I've got:
>
> Services -> FQDN -> IP
> ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5
> ssh -> cake.crazy.lan -> 192.168.1.6
[...]
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=192.168.1.6:56955 (IP=0.0.0.0:389)
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
> Aug 9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
> Aug 9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
> ==============================================================
> This is where I get a bit confused, it tells me that there's no mechanism for GSSAPI.. So I try changing to no SASL options in the configuration file:
What is the output of ldapsearch -x -H ldap://localhost -b "" -s base supportedSaslMechanisms ?
-Dieter
openldap-technical@openldap.org