I'm looking at how to add GSSAPI support to my OpenLDAP.
Current setup
MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampluser)
Able to ldapsearch -x uid=exampluser
Openldap side
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
Client Side
client% ldapsearch uid=exampleuser
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
Client ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI
Obviously, the error is clear enough to explain that my ldap request didn't find the mechanism to auth.
I've been through many tutorials and explanations, but still can't find anywhere how to "add" that mechanism.
Thanks to "What is SASL/GSSAPI?" for all the awesome explanations.
Updated for user 473183469
I've generated a keytab just for the ldap, which I've copied to /etc/ldap/ldap.keytab, and edited /etc/default/slapd according to https://help.ubuntu.com/community/SingleSignOn, which asks you to uncomment and set the path in export KRB5_KTNAME=/etc/ldap/ldap.keytab
That ldap keytab was generated like this:
kadmin: addprinc -randkey ldap/[email protected]
kadmin: ktadd -k ~/ldap.keytab ldap/[email protected]
I also have a /etc/krb5.keytab that was created at the beginning of the installation
kadmin.local: listprincs
[email protected]
K/[email protected]
krbtgt/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
[email protected] (also in the ldap, can issue a ticket and everything)
[email protected] (same for him)
ldap/[email protected]
The ktutil result
# ktutil
ktutil: read_kt /etc/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ldap/[email protected]
2 2 ldap/[email protected]
3 2 ldap/[email protected]
4 2 ldap/[email protected]
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 2 ldap/[email protected]
2 2 ldap/[email protected]
3 2 ldap/[email protected]
4 2 ldap/[email protected]
5 2 kadmin/[email protected]
6 2 kadmin/[email protected]
7 2 kadmin/[email protected]
8 2 kadmin/[email protected]
SOLVED
I was missing SASL_MECH GSSAPI and SASL_REALM in /etc/ldap/ldap.conf.
Now I can just ldapsearch uid=user directly with a kerberos ticket and get the
Of course, if I don't have a kerberos ticket (which makes sense)
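An added example, not code from the question or its SOLVED update: two offline checks for the client side of what this thread works through. The first reads a rootDSE dump like the one in the question and tells you whether the server even advertises GSSAPI (if it does not, no client ldap.conf setting will help). The second inspects a client ldap.conf for the two keys the SOLVED post names, SASL_MECH GSSAPI and SASL_REALM. The sample rootDSE text and the two ldap.conf files are constructed here, and EXAMPLE.COM is a placeholder realm, not a value from the thread.

```shell
#!/bin/sh
# Added example, not code from the original question or its update: offline
# sanity checks for the client side of SASL/GSSAPI against OpenLDAP. Inputs are
# text on stdin or file paths, and all sample data below is constructed.

# Does a rootDSE dump (what "ldapsearch -x -H ldapi:/// -b '' -LLL -s base
# supportedSASLMechanisms" prints) advertise GSSAPI? Reads stdin, returns 0 if
# yes. When this fails the server is not offering the mechanism, so the fix
# belongs on the server, not in the client's ldap.conf.
rootdse_offers_gssapi() {
    grep -q '^supportedSASLMechanisms: GSSAPI$'
}

# Check a client ldap.conf for the two keys the SOLVED post names.
# ldap.conf keywords are case-insensitive; prints each missing key and returns
# 0 only when both SASL_MECH GSSAPI and a SASL_REALM value are present.
client_conf_ready() {
    conf=$1
    rc=0
    if ! grep -Eiq '^[[:space:]]*SASL_MECH[[:space:]]+GSSAPI' "$conf"; then
        echo "missing: SASL_MECH GSSAPI in $conf"
        rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*SASL_REALM[[:space:]]+[^[:space:]]+' "$conf"; then
        echo "missing: SASL_REALM <REALM> in $conf"
        rc=1
    fi
    return $rc
}

# Constructed sample: the rootDSE listing from the question (no GSSAPI) and the
# same listing once the server offers the mechanism.
ROOTDSE_BEFORE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN'
ROOTDSE_AFTER="$ROOTDSE_BEFORE
supportedSASLMechanisms: GSSAPI"

# Constructed client ldap.conf files in a scratch directory: the one from the
# question (SASL_MECH only) and the fixed one. EXAMPLE.COM is a placeholder realm.
WORK=$(mktemp -d)
printf 'BASE dc=example,dc=com\nURI ldap://ldap.example.com\nSASL_MECH GSSAPI\n' \
    > "$WORK/ldap.conf.before"
printf 'BASE dc=example,dc=com\nURI ldap://ldap.example.com\nSASL_MECH GSSAPI\nSASL_REALM EXAMPLE.COM\n' \
    > "$WORK/ldap.conf.after"

# Stand-alone run: report on the constructed inputs.
if printf '%s\n' "$ROOTDSE_AFTER" | rootdse_offers_gssapi; then
    echo "server advertises GSSAPI"
fi
client_conf_ready "$WORK/ldap.conf.before" || echo "client config incomplete (expected for the 'before' file)"
client_conf_ready "$WORK/ldap.conf.after" && echo "client config ready"
```

On a live system you would pipe the real ldapsearch output into rootdse_offers_gssapi and point client_conf_ready at /etc/ldap/ldap.conf; both functions are deliberately pure text checks so they can be run against captured output from another host.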
You'll want to change your SASL configuration for slapd, usually /etc/sasl2/slapd.conf, to include gssapi. For example:
You'll need to restart slapd afterwards.
Aren't you simply missing the /etc/krb5.keytab file having as SPN ldap/fqdn? I don't think you need to set any of the GSSAPI-related SASL switches on OpenLDAP, as the defaults are fine and forcing e.g. the realm is more trouble than it is worth.
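An added example, not code from either answer, covering the server side that both answers point at: the /etc/sasl2/slapd.conf that the first answer says should include gssapi, and the ldap/fqdn service principal in the keytab that the second answer asks about. It also checks for the Cyrus SASL GSSAPI plugin file, since the client's "Couldn't find mech GSSAPI" error in the question is produced by that plugin being absent on the client, and the server needs the same plugin to offer the mechanism. All inputs are file paths or text on stdin; the sample config files and ktutil listing are constructed, and ldap.example.com / EXAMPLE.COM are placeholders rather than the thread's redacted values.

```shell
#!/bin/sh
# Added example, not code from either answer: offline checks for the server side
# of SASL/GSSAPI on slapd. Inputs are file paths or text on stdin; sample data
# is constructed, and ldap.example.com / EXAMPLE.COM are placeholders.

# Does a Cyrus SASL config for slapd offer GSSAPI? Cyrus SASL offers every
# installed plugin when no mech_list is set, so GSSAPI is excluded only by a
# mech_list that omits it (comments stripped, keyword case-insensitive).
sasl_conf_offers_gssapi() {
    mechs=$(sed 's/#.*//' "$1" |
        awk -F: 'tolower($1) ~ /^[ \t]*mech_list[ \t]*$/ { print $2 }')
    [ -z "$mechs" ] && return 0
    printf '%s\n' "$mechs" | tr 'a-z' 'A-Z' |
        grep -Eq '(^|[[:space:]])GSSAPI([[:space:]]|$)'
}

# Is the Cyrus SASL GSSAPI plugin installed in the given plugin directory? It is
# the file libgssapiv2.so (Debian/Ubuntu package libsasl2-modules-gssapi-mit).
# The same check applies on the client, which is where the question's
# "Couldn't find mech GSSAPI" error comes from.
sasl_gssapi_plugin_present() {
    ls "$1"/libgssapiv2.so* >/dev/null 2>&1
}

# Does a "ktutil: list" dump on stdin contain the ldap/<fqdn> service principal?
# The fqdn must be the name clients resolve the server as, otherwise the ticket
# they obtain is for a principal the keytab does not hold.
keytab_lists_ldap_spn() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*[0-9]+[[:space:]]+[0-9]+[[:space:]]+ldap/${esc}@"
}

WORK=$(mktemp -d)
# Constructed: a mech_list that was trimmed and lost GSSAPI, and the corrected
# file that also points the GSSAPI plugin at the dedicated slapd keytab.
printf 'mech_list: PLAIN LOGIN DIGEST-MD5\n' > "$WORK/slapd.conf.before"
printf 'mech_list: GSSAPI EXTERNAL\nkeytab: /etc/ldap/ldap.keytab\n' > "$WORK/slapd.conf.after"
# Constructed ktutil listing laid out like the one in the question's update.
KTUTIL_OUT='slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM'

# Stand-alone run over the constructed inputs.
sasl_conf_offers_gssapi "$WORK/slapd.conf.after" && echo "slapd.conf offers GSSAPI"
printf '%s\n' "$KTUTIL_OUT" | keytab_lists_ldap_spn ldap.example.com && echo "keytab holds ldap/ldap.example.com"
```

The keytab: line in the constructed "after" config is the Cyrus SASL GSSAPI plugin option for a non-default keytab path; exporting KRB5_KTNAME from /etc/default/slapd, as the asker did, is the other way to reach the same file, and whichever you use the keytab must be readable by the user slapd runs as. To check a real keytab, run ktutil's read_kt and list as in the update and pipe that output into keytab_lists_ldap_spn with the server's fqdn.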