
Authenticating against windows servers using SASL



At the moment I am working on an LDAP proof of concept.  This is on
OpenLDAP Version: 2.1.30-3 running on Debian unstable.

Since I am unable to get at the original user passwords, I would like to
compare them against our Windows infrastructure which does have access
to them.  Something like:

	Each ldap record has a "userPassword: {sasl}st81418@internal.domain.org"
	LDAP server -> SASL libraries -> Kerberos -> Windows 2003 servers

I am having some problems with Kerberos, using the SASL libraries to
authenticate against Active Directory.

Here's what works:

kinit: reads /etc/krb5.conf fine and will get a ticket from Windows.
klist: shows the ticket

and what fails:

testsaslauthd -u mywindowsusername -p mypasswordhere
0: NO "authentication failed"

When I do a tcpdump of the testsaslauthd, I receive a Kerberos error 7: KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN

Do I need to setup anything on the windows servers to be able to compare
usernames and passwords against them?

Here's some of the details about my config if anyone can help.

saslauthd is running with:

	/usr/sbin/saslauthd -r -a kerberos5

/usr/lib/sasl2/slapd.conf

	pwcheck_method:saslauthd
	saslauthd_path:/var/run/saslauthd/mux

/etc/krb5.conf

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = INTERNAL.DOMAIN.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5
 forwardable = true

[realms]
 INTERNAL.DOMAIN.ORG = {
  kdc = gvw001.internal.domain.org:88
  admin_server = gvw001.internal.domain.org:749
  kpasswd_server = gvw001.internal.domain.org:464
  default_domain = internal.domain.org
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal arcfour-hmac:norealm arcfour-hmac:onlyrealm des3-hmac-sha1:normal des3-hmac-sha1:norealm des3-hmac-sha1:onlyrealm
  default_principal_flags = +preauth, +tgt-based
}

[domain_realm]
 .domain.org = INTERNAL.DOMAIN.ORG
 .internal.domain.org = INTERNAL.DOMAIN.ORG
 .somethingelse.internal.domain.org = INTERNAL.DOMAIN.ORG

[kdc]
 profile = /etc/krb5kdc/kdc.conf

[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

Simon.

-- 
Simon Tennant ________________ http://imaginator.com/~simon/contact

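A client host that only checks passwords against a KDC needs a small, correct krb5.conf; the one quoted above mixes client settings with KDC-side ones and pins a weak enctype. The following is an added example (it is not code from the post, nor from OpenLDAP, Cyrus SASL or MIT krb5): a parser for the MIT krb5.conf profile syntax plus a lint pass that flags weak enctypes in [libdefaults], kdc.conf-only relations under [realms], and a [kdc] section. The weak-enctype list and the kdc-only relation set are this example's own classification, correct for MIT krb5; the embedded sample is the [libdefaults], [realms] and [kdc] sections from the post, trimmed.

```python
"""krb5.conf profile parser and lint for a Kerberos client host.

Added example, not from the original post or from any of the projects it
names.  Parses the MIT krb5.conf "profile" syntax and flags settings that a
client checking passwords against Active Directory should not carry.
"""
import re
from typing import Any, Dict, List

# Enctypes MIT krb5 classes as weak; since krb5 1.7 they are refused unless
# allow_weak_crypto = true is set in [libdefaults].
WEAK_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw",
    "des-hmac-sha1", "des3-cbc-raw", "arcfour-hmac-exp", "rc4-hmac-exp",
}
# [realms] relations that belong in kdc.conf; client libraries never read them.
KDC_ONLY_RELATIONS = {"master_key_type", "supported_enctypes",
                      "default_principal_flags"}

Profile = Dict[str, Dict[str, List[Any]]]


def parse_profile(text: str) -> Profile:
    """Parse [section] headers, 'tag = value' relations and 'tag = { ... }'
    subsections.  Every tag maps to a list, because krb5 allows repeats."""
    sections: Profile = {}
    stack: List[Dict[str, List[Any]]] = []   # open dicts, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":       # blank or comment line
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: section header inside a '{{' block")
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        if not stack:
            raise ValueError(f"line {lineno}: relation before any [section]")
        tag, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: malformed relation {line!r}")
        tag, value = tag.strip(), value.strip()
        if value == "{":                       # open a nested subsection
            sub: Dict[str, List[Any]] = {}
            stack[-1].setdefault(tag, []).append(sub)
            stack.append(sub)
        else:
            stack[-1].setdefault(tag, []).append(value)
    if len(stack) > 1:
        raise ValueError("unterminated '{' block at end of profile")
    return sections


def lint_client_profile(profile: Profile) -> List[str]:
    """Return findings for a client-side krb5.conf (empty list = clean)."""
    findings: List[str] = []
    libdefaults = profile.get("libdefaults", {})
    for tag in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for value in libdefaults.get(tag, []):
            weak = sorted(e for e in value.split() if e.lower() in WEAK_ENCTYPES)
            if weak:
                findings.append(f"[libdefaults] {tag} pins weak enctype(s): {', '.join(weak)}")
    for realm in libdefaults.get("default_realm", []):
        if realm != realm.upper():   # an AD realm is the DNS domain in upper case
            findings.append(f"[libdefaults] default_realm {realm!r} is not upper-case")
        if realm not in profile.get("realms", {}):
            findings.append(f"[libdefaults] default_realm {realm!r} has no [realms] entry")
    for name, entries in profile.get("realms", {}).items():
        for entry in entries:
            if not isinstance(entry, dict):
                continue
            for tag in sorted(KDC_ONLY_RELATIONS & entry.keys()):
                findings.append(f"[realms] {name}: {tag} is a kdc.conf setting, ignored by client libraries")
    if "kdc" in profile:
        findings.append("[kdc] section configures a local KDC; it plays no part in client password checks")
    return findings


# Trimmed copy of the krb5.conf quoted in the post (constructed sample input).
SAMPLE = """\
[libdefaults]
 default_realm = INTERNAL.DOMAIN.ORG
 dns_lookup_kdc = false
 default_tkt_enctypes = des-cbc-md5
 default_tgs_enctypes = des-cbc-md5

[realms]
 INTERNAL.DOMAIN.ORG = {
  kdc = gvw001.internal.domain.org:88
  admin_server = gvw001.internal.domain.org:749
  master_key_type = des3-hmac-sha1
  supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal
  default_principal_flags = +preauth, +tgt-based
 }

[kdc]
 profile = /etc/krb5kdc/kdc.conf
"""

if __name__ == "__main__":
    for finding in lint_client_profile(parse_profile(SAMPLE)):
        print(finding)
```

Run against the sample it reports the two des-cbc-md5 pins, the three kdc.conf relations under the realm, and the [kdc] section. Pinning DES matters beyond tidiness: AD accounts are not DES-enabled by default and current MIT krb5 refuses DES outright without allow_weak_crypto, so the pin can turn a working RC4 exchange into a failure. Error 7, KDC_ERR_S_PRINCIPAL_UNKNOWN, means the KDC did not find the server principal named in the request in its database; that name is not something krb5.conf carries, so the lint cannot see it, and it is the thing to read out of the tcpdump capture.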