[Date Prev][Date Next]
Re: Authenticate to ldap using Kerberos
On 08/09/10 22:53 +0800, Wouter van Marle wrote:
I have been fighting the whole day already for something that I think
is quite simple but I just can't get it to work: have slapd
authenticate users against kerberos. Following many tutorials, trying
many things, I give up on that and ask for your help.
System: Debian Lenny.
- workstation logins over the network authenticate against kerberos
- credentials from LDAP
- postfix has its alias database etc in LDAP, as are the groups and
userIDs and everything - helps keeping uids the same on the
workstations. Essential for NFS.
- anything using pam will be authenticated against kerberos,
including imap, postfix, etc.
Except LDAP. Then slapd authenticates by itself against the password
stored there. And that's not what I want. There should be no
passwords in LDAP any more, everything against kerberos. Then at
least when a user changes their kerberos password, the same password
is used everywhere. I just can't get this to work for some reason. I
have followed many tutorials, so many that I forgot what I did, and
it still doesn't work.
Slapd should use pam to authenticate, or directly talk to the
kerberos server, whatever.
saslauthd has the gssapi module installed.
I have created an ldap/acorn.squirrel@SQUIRREL key, and added this
keytab in /etc/defaults/slapd. acorn.squirrel is the fqdn of the
server, SQUIRREL is its kerberos realm.
To have slapd use saslauthd for authentication, you'll need to create the
file /usr/lib/sasl2/slapd.conf, with these contents:
mech_list: plain login
keytab: /etc/krb5.keytab (which is the standard location)
*If* you intend to perform a PLAIN sasl bind, you'll need this in your
If you're planning on supporting non-sasl binds, but still wish to
authenticate via saslauthd, your userPassword entries should look like:
and you'll need to verify that your slapd was compiled with the
--enable-spasswd option. See section 4.5 (Pass-Through authentication)
of the OpenLDAP Administrators Guide.
You could authenticate against a kerberos5 installation with saslauthd a
couple of different ways:
1. Authenticate saslauthd against PAM. Edit /etc/default/saslauthd and
specify 'pam' as your authentication backend. You'll then need to configure
a kerberos pam module to do that actual work.
2. Authenticate saslauthd against kerberos5 ('kerberos5' in
/etc/default/saslauthd). I'm not sure if you need to have a valid ticket
granting ticket, or if a proper /etc/krb5.conf is all you need.
Current situation after all the hacking:
$ ldapwhoami -x -D 'uid=wouter,ou=people,dc=squirrel' -W -h
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
when entering my Kerberos password; it accepts my credentials when I
enter the LDAP stored password (a different password).
That requires pass-through authentication.
Then I just did:
wouter@acorn:~$ ldapsearch -LLL -s base -b '' '(objectClass=*)' +
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific)
Ticket cache: FILE:/tmp/krb5cc_1000_5lYS4w
Default principal: wouter@SQUIRREL
Valid starting Expires Service principal
09/08/10 22:42:07 09/09/10 08:42:07 krbtgt/SQUIRREL@SQUIRREL
renew until 09/09/10 22:42:07
09/08/10 22:46:39 09/09/10 08:42:07 ldap/acorn.squirrel@SQUIRREL
renew until 09/09/10 22:42:07
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
Do you have ldap/acorn.squirrel@SQUIRREL in /etc/krb5.keytab, on the
server? Is it readable by the slapd user?