Help with SASL/GSSAPI to remote Kerberos server

Douglas E. Engert deengert at anl.gov
Tue Feb 19 16:33:07 EST 2008



Wes Modes wrote:
> I am using SASL/GSSAPI to authenticate to Kerberos from OpenLDAP.  I
> haven't gotten that to work yet. 
>

Are you saying you want to use SASL/GSSAPI/Kerberos between an ldap client and
an ldap server?

> Almost all of the docs I found presume that I am setting up the KDC on
> the same server at OpenLDAP. In my case, the KDC is administered by
> another group who is willing to grant me access to Kerberos.

The Kerberos KDCs can store their data in LDAP, but that does not
sound like what you are trying to do, as the KDCs are being run
by someone else.

>  However,
> none of the docs I've found offer help in setting up SASL/GSSAPI here
> and the Kerberos server elsewhere.

Sounds like you have been reading about the KDCs using ldap for their data.


> 
> Can someone point me to anything that would guide me through this
> process?  Or does anyone want to share portions of their configuration?
> 

If this is for an ldap client to an ldap server using GSSAPI:

On the OpenLDAP server in slapd.conf:

security sasl=56
says require sasl authentication, with at least DES.
You can add other options as well.

The dn of a sasl authenticated user would look like:
uid=<username>,realm=<realm>,cn=gssapi,cn=auth
where the user's Kerberos principal would have been
<username>@<realm>
If the <realm> is the default realm of the slapd
server machine, the dn would be
uid=<username>,cn=gssapi,cn=auth

Look at the sasl-regexp on how to map these to something else.

The slapd needs a keytab file with a service principal like:
ldap/<fqdn>@<realm>

Where fqdn is the hostname of the ldap server.

Since slapd is not normally run as root, it needs access to
its own keytab file, and something like this in the
/etc/default/slapd or /etc/init.d/slapd

KRB5_KTNAME=/etc/ldap/krb5.keytab
export KRB5_KTNAME


On OpenLDAP clients:

The user would have gotten a Kerberos ticket (using kinit), then

ldapsearch -Y GSSAPI -h ldap.server.com ...



> Specifics:
> 
> OS: Red Hat Enterprise 4 v2.6.9
> OpenLDAP v2.2.13
> Local MIT Kerberos5 v1.3.4
> KDC:  MIT Kerberos5 v?
> Cyrus SASL v2.1.19
> 
> Other questions that have come up:
> 
> What tests can I run here that will help me know if I've configured my
> end correctly to connect with the Kerberos server?
> 
> How can I test to see if I have everything I need in the keytab that was
> given by the Kerberos administrators?
> 
> This project has been delayed weeks and weeks while I climb and climb up
> Samba, OpenLDAP, and Kerberos' very steep learning curve.  So your
> prompt response will be hugely helpful.
> 
> Thanks in advance.
> 
> Wes
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
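A check script for the pieces listed in the reply above (the ldap/<fqdn>@<realm>
service principal in the keytab, a kinit with that keytab against the remote KDC,
the DN slapd derives for a GSSAPI user, and an end-to-end GSSAPI bind). This is an
added example for this thread, not code from either poster; the host name
ldap.example.com, realm EXAMPLE.COM, keytab path /etc/ldap/krb5.keytab and user
"wes" are hypothetical, and the klist output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not from the original thread). Hypothetical values: the slapd
# host ldap.example.com, realm EXAMPLE.COM, keytab /etc/ldap/krb5.keytab.
KEYTAB=${KEYTAB:-/etc/ldap/krb5.keytab}
LDAP_FQDN=${LDAP_FQDN:-ldap.example.com}
REALM=${REALM:-EXAMPLE.COM}

# The service principal slapd must hold: ldap/<fqdn>@<realm>.
ldap_service_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Read "klist -k" output on stdin; succeed only if the principal in $1 is
# listed. MIT klist -k prints a header, then one "KVNO principal" line per
# entry, e.g. "   3 ldap/ldap.example.com@EXAMPLE.COM"; non-numeric first
# fields (the header and the dashed rule) are skipped.
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $2 == want { found = 1 }
                      END { exit found ? 0 : 1 }'
}

# The authentication DN slapd derives for a GSSAPI user, as described in the
# reply: "realm=" appears only when the principal's realm is not slapd's
# default realm ($3). This is the DN a sasl-regexp would rewrite.
sasl_authc_dn() {
    user=$1 realm=$2 default_realm=$3
    if [ "$realm" = "$default_realm" ]; then
        printf 'uid=%s,cn=gssapi,cn=auth\n' "$user"
    else
        printf 'uid=%s,realm=%s,cn=gssapi,cn=auth\n' "$user" "$realm"
    fi
}

# Constructed "klist -k" output (sample data, not from a real keytab) so the
# parser above can be exercised offline.
SAMPLE_KLIST='Keytab name: FILE:/etc/ldap/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 ldap/ldap.example.com@EXAMPLE.COM
   3 host/ldap.example.com@EXAMPLE.COM'

# Offline demonstration: succeeds when the sample keytab lists the principal
# built from LDAP_FQDN and REALM.
offline_keytab_check() {
    printf '%s\n' "$SAMPLE_KLIST" \
        | keytab_has_principal "$(ldap_service_principal "$LDAP_FQDN" "$REALM")"
}

# Live checks, run only as "sh this.sh check": they need klist/kinit/ldapwhoami
# and a krb5.conf that names the remote realm's KDC (no local KDC is needed).
run_checks() {
    want=$(ldap_service_principal "$LDAP_FQDN" "$REALM")
    # 1. Did the KDC administrators put the service principal in the keytab?
    klist -k "$KEYTAB" | keytab_has_principal "$want" \
        || { echo "missing $want in $KEYTAB"; exit 1; }
    # 2. Does that keytab actually authenticate to the remote KDC?
    #    (a private ccache so a user's own tickets are not overwritten)
    KRB5CCNAME=/tmp/krb5cc_slapdcheck kinit -k -t "$KEYTAB" "$want" \
        || { echo "kinit with $KEYTAB failed"; exit 1; }
    # 3. End to end, as a user who has already run kinit: a GSSAPI bind.
    #    ldapwhoami prints the DN slapd ended up with, which shows whether
    #    the sasl-regexp mapping did what was intended.
    ldapwhoami -Y GSSAPI -h "$LDAP_FQDN"
}

if [ "${1:-}" = check ]; then
    run_checks
fi
```

Step 1 answers the keytab question directly: if klist -k does not list
ldap/<fqdn>@<realm> (exact host name and realm, case included), slapd cannot
accept GSSAPI binds no matter what the client does. Step 2 separates "keytab is
wrong or stale" from "slapd is misconfigured", since it touches only the KDC. In
step 3 the unmapped DN would be uid=wes,cn=gssapi,cn=auth; a line such as
sasl-regexp uid=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=com
(suffix hypothetical) in slapd.conf turns it into a real entry DN.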


