我正在寻找如何将GSSAPI支持添加到我的OpenLDAP中 ?
当前设置
MIT Kerberos V + OpenLDAP Kerberos bind to openldap Able to issue kerberos tickets to my users (with kinit exampluser) Able to ldapsearch -x uid=exampluser OpenLDAP方面
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms ldap_start_tls: Protocol error (2) additional info: unsupported extended operation dn: supportedSASLMechanisms: DIGEST-MD5 supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: CRAM-MD5 supportedSASLMechanisms: NTLM supportedSASLMechanisms: LOGIN supportedSASLMechanisms: PLAIN
客户端
client% ldapsearch uid=exampleuser SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Authentication method not supported (7) additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
客户端ldap.conf
# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=example,dc=com URI ldap://ldap.example.com SASL_MECH GSSAPI
显然,错误是足够清楚的解释,我的LDAP请求没有find机制来validation。
我已经经历了许多教程,解释,但仍然无法find任何地方如何“ 添加 ”该机制。
谢谢什么是SASL / GSSAPI? 所有的真棒解释。
已更新为用户473183469
我已经为ldap生成了一个keytab,我已经复制到/etc/ldap/ldap.keytab中 ,并根据https://help.ubuntu.com/community/SingleSignOn编辑/ etc / default / slapd要求取消注释并提供导出的pathKRB5_KTNAME = / etc / ldap / ldap.keytab
那个ldap keytab就是这样生成的
kadmin: addprinc -randkey ldap/[email protected] kadmin: ktadd -k ~/ldap.keytab ldap/[email protected]
我还有一个在安装开始时创build的/etc/krb5.keytab
kadmin.local: listprincs [email protected] K/[email protected] krbtgt/[email protected] kadmin/[email protected] kadmin/[email protected] kadmin/[email protected] kadmin/[email protected] [email protected] (also in the ldap, can issue a ticket and everything) [email protected] (same for him) ldap/[email protected]
ktutil的结果
# ktutil ktutil: read_kt /etc/ldap.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 ldap/[email protected] 2 2 ldap/[email protected] 3 2 ldap/[email protected] 4 2 ldap/[email protected] ktutil: read_kt /etc/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------------------------------------- 1 2 ldap/[email protected] 2 2 ldap/[email protected] 3 2 ldap/[email protected] 4 2 ldap/[email protected] 5 2 kadmin/[email protected] 6 2 kadmin/[email protected] 7 2 kadmin/[email protected] 8 2 kadmin/[email protected]
你需要改变slapd的saslconfiguration,通常是/etc/sasl2/slapd.conf ,包含gssapi。
例如:
mech_list: external gssapi plain pwcheck_method: saslauthd
之后你需要重新启动slapd。
解决了
我在/etc/ldap/ldap.conf缺lessSASL_MECH GSSAPI和SASL_REAM
[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=example,dc=com URI ldap://ldap.example.com SASL_MECH GSSAPI SASL_REALM EXAMPLE.COM
现在我可以直接使用kerberos票据ldapsearch uid = user来获取
SASL/GSSAPI authentication started SASL username: [email protected] SASL SSF: 112 SASL data security layer installed. # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: uid=user # requesting: ALL #
当然,如果我没有kerberos票(这是有道理的)
client% ldapsearch uid=gleger SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Local error (-2) additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text (No credentials cache file found)
你不是简单地丢失了具有SPN ldap/fdqn的/etc/krb5.keytab文件吗?
我不认为你需要在OpenLDAP上设置任何与GSSAPI有关的SASL开关,因为默认情况是好的,并且迫使例如这个领域比其他的更麻烦。