[Date Prev][Date Next] [Chronological] [Thread] [Top]

Kerberos/GSSAPI issues


I'm setting up an openldap server for Kerberos (GSSAPI) authentication only.
I'm using slapd-2.4.21 from Ubuntu 10.04.1.

It's basically working, and I had to do very little other than change
export KRB5_KTNAME in /etc/default/slapd to point to the service keytab.

However, there are a couple of strange things which I wonder if someone
could help me with.

(1) According to the documentation at
then the authentication DN should be

However, running slapd in debug mode I see the cn=<realm> is missing. Here
I have a ticket for inst/admin@WS.NSRC.ORG and run slapd -d 255:

do_bind: dn () SASL mech GSSAPI
==> sasl_bind: dn="" mech=<continuing> datalen=32
SASL Canonicalize [conn=1000]: authcid="inst/admin"
slap_sasl_getdn: conn 1000 id=inst/admin [len=10]
=> ldap_dn2bv(16)
<= ldap_dn2bv(uid=inst/admin,cn=GSSAPI,cn=auth)=0 
slap_sasl_getdn: u:id converted to uid=inst/admin,cn=GSSAPI,cn=auth
>>> dnNormalize: <uid=inst/admin,cn=GSSAPI,cn=auth>
=> ldap_bv2dn(uid=inst/admin,cn=GSSAPI,cn=auth,0)
<= ldap_bv2dn(uid=inst/admin,cn=GSSAPI,cn=auth)=0 
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=inst/admin,cn=gssapi,cn=auth)=0 
<<< dnNormalize: <uid=inst/admin,cn=gssapi,cn=auth>
==>slap_sasl2dn: converting SASL name uid=inst/admin,cn=gssapi,cn=auth to a DN
<==slap_sasl2dn: Converted SASL name to <nothing>
SASL Canonicalize [conn=1000]: slapAuthcDN="uid=inst/admin,cn=gssapi,cn=auth"
SASL proxy authorize [conn=1000]: authcid="inst/admin" authzid="inst/admin"
SASL Authorize [conn=1000]:  proxy authorization allowed authzDN=""
send_ldap_sasl: err=0 len=-1
do_bind: SASL/GSSAPI bind: dn="uid=inst/admin,cn=gssapi,cn=auth" sasl_ssf=56
==> limits_get: conn=1000 op=3 self="uid=inst/admin,cn=gssapi,cn=auth" this="dc=ws,dc=nsrc,dc=org"

Now this works, if I change my ACL to

olcAccess: {0}to * by dn.regex="^uid=([^,]+)/admin,cn=gssapi,cn=auth$" manage by users read

However, I wonder why the realm is missing, and whether it can be included
(because in future, if I end up with a cross-realm setup, I'll want to see
the realm for authorization)

Is this a documentation error, or is there some configuration option which
needs setting to preserve the realm?

(2) I would like to be able to do ldapsearch without specifying -Y GSSAPI
explicitly. However if I omit it, the client picks DIGEST-MD5 instead
(which isn't much use, since I have no passwords in the database)

# ldapsearch -b "ds=ws,dc=nsrc,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password: 

Adding -d 255 I see that the server is offering these:

ldap_sasl_interactive_bind_s: server supports: NTLM DIGEST-MD5 GSSAPI CRAM-MD5
ldap_int_sasl_bind: NTLM DIGEST-MD5 GSSAPI CRAM-MD5

How can I configure the server not to offer the other authentication
mechanisms, or else to put GSSAPI at the front of the list?