
OpenLDAP + Kerberos on FreeBSD 7.2, close to working but not quite
Hello, I've been reading around on OpenLDAP + Kerberos (FreeBSD 7.2) for authentication/authorization. I'm a bit confused on how to get it all working, but I've gotten far enough that I can run getent passwd test.user and it pulls down the information from ldap (ran as root and non-root user). I can also successfully get a ticket with kinit from various users. Where I run into problems is actually getting services to use GSSAPI. I am currently using nss_ldap and pam_ldap to authenticate during ssh login; if there's a better alternative please let me know.

Here's the setup I've got:
Services -> FQDN -> IP
ldap/kdc -> frisbee.crazy.lan -> 192.168.1.5
ssh -> cake.crazy.lan -> 192.168.1.6

Running kinit:

==============================================================
cake# kinit ldapadm 
ldapadm@CRAZY.LAN's Password: 
kinit: NOTICE: ticket renewable lifetime is 1 week
cake# klist 
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: ldapadm@CRAZY.LAN
 
  Issued           Expires          Principal               
Aug  9 17:45:41  Aug 10 03:45:41  krbtgt/CRAZY.LAN@CRAZY.LAN
==============================================================

Here's what I run to authenticate with SSH:

==============================================================
cr4z3d@Allan-PC:~$ ssh -v -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes test.user@cake.crazy.lan
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to cake.crazy.lan [192.168.1.6] port 22.
debug1: Connection established.
debug1: identity file /home/cr4z3d/.ssh/identity type -1
debug1: identity file /home/cr4z3d/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/cr4z3d/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'cake.crazy.lan' is known and matches the DSA host key.
debug1: Found key in /home/cr4z3d/.ssh/known_hosts:47
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
==============================================================

I've tried different options in /usr/local/etc/ldap.conf for pam_ldap/nss_ldap (the conf files are symlinked). The first one is with SASL turned on and the second without.

==============================================================
#define the ldap server's fqdn
host frisbee.crazy.lan

# define the base search pattern
base dc=crazy,dc=lan

# define the uri
uri ldap://frisbee.crazy.lan

# use starttls
ssl start_tls

# use sasl for all authentications
use_sasl on

# SASL authorization ID
sasl_auth_id host/cake.crazy.lan

#check the server's cert
tls_checkpeer yes

# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem

# enable debug
#debug 9
==============================================================

Here are the logs from the ldap server:

==============================================================
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 ACCEPT from IP=192.168.1.6:56955 (IP=0.0.0.0:389)
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=0 STARTTLS
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=0 RESULT oid= err=0 text=
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 TLS established tls_ssf=256 ssf=256
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug  9 17:47:21 frisbee slapd[86935]: SASL [conn=15] Failure: Couldn't find mech GSSAPI
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=2 UNBIND
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 fd=11 closed
==============================================================

This is where I get a bit confused; it tells me that there's no mechanism for GSSAPI. So I try changing to no SASL options in the configuration file:

==============================================================
#define the ldap server's fqdn
host frisbee.crazy.lan

# define the base search pattern
base dc=crazy,dc=lan

# define the uri
uri ldap://frisbee.crazy.lan

# use starttls
ssl start_tls

#check the server's cert
tls_checkpeer yes

# full path to CA's cert
tls_cacertfile /usr/local/etc/openldap/certs/cacert.pem

# enable debug
#debug 9
==============================================================

This leads to the following in the ldap logs when trying to SSH in:

==============================================================
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 ACCEPT from IP=192.168.1.6:63817 (IP=0.0.0.0:389)
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=0 STARTTLS
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=0 RESULT oid= err=0 text=
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 fd=11 TLS established tls_ssf=256 ssf=256
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Aug  9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixGroup))"
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH base="dc=crazy,dc=lan" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test.user))"
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass shadowLastChange shadowMax shadowExpire
Aug  9 18:16:57 frisbee slapd[86935]: <= bdb_equality_candidates: (uid) not indexed
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
==============================================================

It just keeps asking for my password and outputs the following in auth.log on the ssh server:

==============================================================
Aug  9 18:36:42 cake sshd[63643]: pam_ldap: error trying to bind as user "uid=test.user,ou=people,dc=crazy,dc=lan" (Server is unwilling to perform)
Aug  9 18:36:42 cake sshd[63640]: error: PAM: authentication error for test.user from 192.168.1.119
Aug  9 18:36:42 cake sshd[63644]: nss_ldap: reconnected to LDAP server ldap://frisbee.crazy.lan after 1 attempt
==============================================================

So while root I tried su test.user and was surprised to see that it had worked. I was able to run commands as test.user such as touch file, but if I tried whoami it just sat there until I broke the command with ctrl+c. On the ldap server I had the following in the logs:

==============================================================
Aug  9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 ACCEPT from IP=192.168.1.6:60126 (IP=0.0.0.0:389)
Aug  9 18:49:29 frisbee slapd[86935]: conn=150 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug  9 18:49:29 frisbee slapd[86935]: conn=150 op=0 STARTTLS
Aug  9 18:49:29 frisbee slapd[86935]: conn=150 op=0 RESULT oid= err=0 text=
Aug  9 18:49:29 frisbee slapd[86935]: conn=150 fd=15 closed (TLS negotiation failure)
Aug  9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 ACCEPT from IP=192.168.1.6:60601 (IP=0.0.0.0:389)
Aug  9 18:49:29 frisbee slapd[86935]: conn=151 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug  9 18:49:29 frisbee slapd[86935]: conn=151 op=0 STARTTLS
Aug  9 18:49:29 frisbee slapd[86935]: conn=151 op=0 RESULT oid= err=0 text=
Aug  9 18:49:29 frisbee slapd[86935]: conn=151 fd=15 closed (TLS negotiation failure)
Aug  9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 ACCEPT from IP=192.168.1.6:50915 (IP=0.0.0.0:389)
Aug  9 18:49:29 frisbee slapd[86935]: conn=152 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Aug  9 18:49:29 frisbee slapd[86935]: conn=152 op=0 STARTTLS
Aug  9 18:49:29 frisbee slapd[86935]: conn=152 op=0 RESULT oid= err=0 text=
Aug  9 18:49:29 frisbee slapd[86935]: conn=152 fd=15 closed (TLS negotiation failure)
==============================================================

There seems to be something wrong with the TLS negotiation, but I've ensured that the CN for my key is frisbee.crazy.lan. I set the CA's cert CN to allanfeid.com (I own the domain).

At this point I'm unsure where to go to continue troubleshooting and getting this to work. I'm just trying to get a solid single sign-on solution using kerberos, ldap, and sasl for a learning experience. If there is a more appropriate way of achieving this, I'm open to suggestions. Here are my ldap and slapd configuration files:

(server) frisbee# cat /usr/local/etc/openldap/ldap.conf
==============================================================
TLS_CACERT    /usr/local/etc/openldap/certs/CA/cacert.pem
==============================================================

(client) cake# cat /usr/local/etc/openldap/ldap.conf
==============================================================
# path to CA's cert
TLS_CACERT      /usr/local/etc/openldap/certs/cacert.pem

# define base to our search
BASE            dc=crazy,dc=lan

# define uri to openldap
URI             ldap://frisbee.crazy.lan
==============================================================

(server) frisbee# cat /usr/local/etc/openldap/slapd.conf
Note: I removed a lot of comments to save space
==============================================================
include        /usr/local/etc/openldap/schema/core.schema
include        /usr/local/etc/openldap/schema/cosine.schema
include        /usr/local/etc/openldap/schema/duaconf.schema
include        /usr/local/etc/openldap/schema/dyngroup.schema
include        /usr/local/etc/openldap/schema/inetorgperson.schema
include        /usr/local/etc/openldap/schema/nis.schema
include        /usr/local/etc/openldap/schema/krb5-kdc.schema

pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# SSL/TLS cipher order preference
TLSCipherSuite HIGH

# Full path to CA cert file
TLSCACertificateFile    /usr/local/etc/openldap/certs/CA/cacert.pem

# Full path to server's TLS cert
TLSCertificateFile     /usr/local/etc/openldap/certs/private/slapdcert.pem

# Full path to server's TLS key
TLSCertificateKeyFile    /usr/local/etc/openldap/certs/private/slapdkey.pem

# Password hashing mechanism
password-hash     {SSHA}

# log level
loglevel 256

# refuse simple binds
disallow    bind_simple
#######################################################################
# BDB database definitions
#######################################################################

database    bdb
suffix        "dc=crazy,dc=lan"

directory    /var/db/openldap-data
# Indices to maintain
index    default        eq,pres
index    objectClass    eq
index    cn,sn,givenname,mail    eq,pres,sub

# ACL Definitions
authz-policy from
authz-regexp
    uid=(.*),cn=crazy.lan,cn=GSSAPI,cn=auth
    uid=$1,ou=people,dc=crazy,dc=lan

# SASL hostname
sasl-host    frisbee.crazy.lan

access to *
    by dn="uid=ldapadm,cn=gssapi,cn=auth" write
    by * read
access to *
    by * read
==============================================================
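An added example, not part of the original post or of OpenLDAP itself: a small Python parser for the slapd loglevel 256 (stats) lines quoted above. It decodes the numeric bind method (128 = simple, 163 = SASL) and the RFC 4511 result codes (7 = authMethodNotSupported, 53 = unwillingToPerform, which libldap reports as "Server is unwilling to perform") into names and reports, per connection, why a bind failed. It assumes the log format shown in the post; the conn=99 lines in the sample are constructed, the others are copied from the post.

```python
import re

# Bind method values as slapd logs them (RFC 4511 BindRequest tags) and the
# RFC 4511 result codes that matter for the posted logs
BIND_METHODS = {128: "simple", 163: "SASL"}
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 53: "unwillingToPerform"}
CONN_RE = re.compile(r"slapd\[\d+\]: conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
BIND_RESULT_RE = re.compile(r"RESULT tag=97 err=(?P<err>\d+)")  # tag 97 = BindResponse

def parse_slapd_log(lines):
    """Group slapd 'loglevel 256' lines by connection and decode each bind's codes."""
    conns = {}
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue
        binds = conns.setdefault(int(m.group("conn")), [])
        rest = m.group("rest")
        b = BIND_RE.search(rest)
        if b:
            binds.append({"dn": b.group("dn") or "<anonymous>", "err": None,
                          "method": BIND_METHODS.get(int(b.group("method")), b.group("method"))})
        r = BIND_RESULT_RE.search(rest)
        if r and binds:  # a BindResponse closes the most recent bind on this connection
            binds[-1]["err"] = RESULT_CODES.get(int(r.group("err")), r.group("err"))
    return conns

def diagnose(conns):
    """Turn the decoded binds into findings an admin can act on."""
    out = []
    for cid, binds in sorted(conns.items()):
        for b in binds:
            if b["method"] == "SASL" and b["err"] == "authMethodNotSupported":
                out.append(f"conn={cid}: SASL bind rejected, slapd's SASL library offers no GSSAPI mechanism")
            elif b["method"] == "simple" and b["dn"] != "<anonymous>" and b["err"] == "unwillingToPerform":
                out.append(f"conn={cid}: authenticated simple bind refused, consistent with 'disallow bind_simple'")
    return out

# Sample input: the conn=15 and conn=87 lines are copied from the post; the conn=99
# pair is constructed to stand in for the "Server is unwilling to perform" pam_ldap saw.
SAMPLE = """\
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=1 BIND dn="" method=163
Aug  9 17:47:21 frisbee slapd[86935]: conn=15 op=1 RESULT tag=97 err=7 text=SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=1 BIND dn="" method=128
Aug  9 18:16:57 frisbee slapd[86935]: conn=87 op=1 RESULT tag=97 err=0 text=
Aug  9 18:36:42 frisbee slapd[86935]: conn=99 op=1 BIND dn="uid=test.user,ou=people,dc=crazy,dc=lan" method=128
Aug  9 18:36:42 frisbee slapd[86935]: conn=99 op=1 RESULT tag=97 err=53 text=
""".splitlines()
```

Running `diagnose(parse_slapd_log(SAMPLE))` reports the conn=15 SASL rejection and the conn=99 refused simple bind; the anonymous conn=87 bind that nss_ldap uses for lookups is left alone because it verified no credentials.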