Questions on openldap and kerberos....
John Tobin
jtobin at po-box.esu.edu
Fri Jan 4 16:31:07 EST 2013
Dear Kerveros,
Please inform me if this is inappropriate for the kerberos forum,
I understand this is probably a user bug...
I have looked under a number of different pieces of documentation,
I am probably looking in the wrong places.
Assistance is requested from those who may be able to provide guidance.
I may even try to document my efforts if that will make it reasonable for
rookies [like me!]
Sorry for the length.
I have installed kerberos 1.10.2 from suse 12.2.
I have installed openldap 2.22.2 from suse 12.2 also.
I am assuming that there are a few people who have this working.
I have followed the Chapter 6 of the suse admin guide:³Network
authentication with Kerberos² from
http://doc.opensuse.org/documentation/html/opensuse121.....:
And followed the directions from 6.4.11. Using Ldap and Kerberos
This set of directions creates the principal:
Ldap/ldap.dark1.net,
And tells me to add this entry to the keytab:
kadmin: ktadd ldap/ldap.dark1.net
Then goes over options for making the keytab readable by ldap [group], which
I did.
The suse documentation has been my guide to get kerberos working, and that
has been successful.
I can login with a kerberos id using ssh, as well as login with a standard
id, so I assume kerberos is working.
A standard ldapsearch x b for a known id works [the x allows ldapsearch
to work without sasl so without kerberos],
A [I assume kerberos] ldapsearch b Œdc=dark1,dc=net¹... Does not, see the
errors in the case doc.
Below I have a quick outline of the case :
current status of tasks for kerberos and ldap,
the 2 queries,
Kdc.conf
krb5.conf
Ldap.conf [client]
Assistance would be appreciated.
Sincerely,
tob
kerberos1:/etc/init.d # ps -ef| grep kadmi
root 8874 1 0 11:40 ? 00:00:00 /usr/lib/mit/sbin/kadmind
root 9785 3408 0 15:32 pts/0 00:00:00 grep --color=auto kadmi
kerberos1:/etc/init.d # ps -ef|grep krb
jctobin 2852 2566 0 08:35 ? 00:00:02 /usr/bin/krb5-auth-dialog
root 8884 1 0 11:40 ? 00:00:00 /usr/lib/mit/sbin/krb5kdc
root 9787 3408 0 15:32 pts/0 00:00:00 grep --color=auto krb
kerberos1:/etc/init.d # ps -ef |grep slap
root 8472 1 0 11:12 ? 00:00:00 /usr/lib/openldap/slapd -h
ldap:/// ldapi:/// -F /etc/openldap/slapd.d -o slp=on
root 9789 3408 0 15:32 pts/0 00:00:00 grep --color=auto slap
$$$$$
kerberos1:~ # ldapsearch -x -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
'(uid=jtobin)'
# extended LDIF
#
# LDAPv3
# base <dc=dark1,dc=net> with scope subtree
# filter: (uid=jtobin)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
$$$$$
kerberos1:~ # ldapsearch -h kerberos1.dark1.net -b 'dc=dark1,dc=net'
'(uid=jtobin)'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error:
Unspecified GSS failure. Minor code may provide more information
(Credentials cache file '/tmp/krb5cc_0' not found)
$$$$
kerberos1:/var/lib/kerberos/krb5kdc # cat kdc.conf
[kdcdefaults]
kdc_ports = 750,88
[realms]
DARK1.NET = {
database_name = /var/lib/kerberos/krb5kdc/principal
admin_keytab = FILE:/var/lib/kerberos/krb5kdc/kadm5.keytab
acl_file = /var/lib/kerberos/krb5kdc/kadm5.acl
dict_file = /var/lib/kerberos/krb5kdc/kadm5.dict
key_stash_file = /var/lib/kerberos/krb5kdc/.k5.DARK1.NET
kdc_ports = 750,88
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
kerberos1:/var/lib/kerberos/krb5kdc #
$$$$$
kerberos1:/etc # cat krb5.conf
[libdefaults]
default_realm = DARK1.NET
clockskew = 600
[realms]
DARK1.NET = {
kdc = kerberos1.dark1.net
default_domain = dark1.net
admin_server = kerberos1.dark1.net
}
[logging]
kdc = FILE:/var/log/krb5/krb5kdc.log
admin_server = FILE:/var/log/krb5/kadmind.log
default = SYSLOG:NOTICE:DAEMON
[appdefaults]
pam = {
ticket_lifetime = 1d
renew_lifetime = 1d
forwardable = true
proxiable = true
minimum_uid = 1
clockskew = 600
external = sshd
use_shmem = sshd
debug = true
initial_prompt = true
validate = true
}
# [domain_realm]
.dark1.net = DARK1.NET
kerberos1:/etc #
$$$$$
kerberos1:~ # cat /etc/ldap.conf
# The distinguished name of the search base.
base dc=dark1,dc=net
# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
uri ldap://kerberos1.dark1.net
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3
# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=example,dc=com
# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret
# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=manager,dc=example,dc=com
# The port.
# Optional: default is 389.
port 389
# The search scope.
# Search timelimit
#timelimit 30
# Bind/connect timelimit
#bind_timelimit 30
# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
bind_policy soft
# Connection policy:
# persist: DSA connections are kept open (default)
# oneshot: DSA connections destroyed after request
#nss_connect_policy persist
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600
# Use paged rseults
#nss_paged_results yes
# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000
# Filter to AND with uid=%s
#pam_filter objectclass=account
# The user ID attribute (defaults to uid)
#pam_login_attribute uid
# Search the root DSE for the password policy (works
# with Netscape Directory Server). Make use of
# Password Policy LDAP Control (as in OpenLDAP)
pam_lookup_policy yes
# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes
# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes
# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com
# Group member attribute
#pam_member_attribute uniquemember
# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0
# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody
# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear
# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds
# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf
# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad
# Use the OpenLDAP password change
# extended operation to update the password.
pam_password clear
# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your
password.
# Use backlinks for answering initgroups()
#nss_initgroups backlink
# returns NOTFOUND if nss_ldap's initgroups() is called
# for users specified in nss_initgroups_ignoreusers
# (comma separated)
nss_initgroups_ignoreusers root,ldap
# Enable support for RFC2307bis (distinguished names in group
# members)
nss_schema rfc2307bis
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=example,dc=com?one
#nss_base_shadow ou=People,dc=example,dc=com?one
#nss_base_group ou=Group,dc=example,dc=com?one
#nss_base_hosts ou=Hosts,dc=example,dc=com?one
#nss_base_services ou=Services,dc=example,dc=com?one
#nss_base_networks ou=Networks,dc=example,dc=com?one
#nss_base_protocols ou=Protocols,dc=example,dc=com?one
#nss_base_rpc ou=Rpc,dc=example,dc=com?one
#nss_base_ethers ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks ou=Networks,dc=example,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=example,dc=com?one
#nss_base_aliases ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass
# configure --enable-nds is no longer supported.
# NDS mappings
nss_map_attribute uniqueMember uniqueMember
pam_filter objectClass=posixAccount
tls_cacertdir /etc/openldap/certs
tls_cacertfile /etc/openldap/certs/cacert.pem
ssl start_tls
#ssl on
# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes
# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs
# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool
# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1
# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key
# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
kerberos1:~ #
More information about the Kerberos
mailing list