在支持的SASLMechanisms 中将 GSSAPI 添加到 OpenLdap

在支持的SASLMechanisms 中将 GSSAPI 添加到 OpenLdap

我在看如何将 GSSAPI 支持添加到我的 OpenLDAP 中

当前设置

MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampluser)
Able to ldapsearch -x uid=exampluser

Openldap 端

server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms

    ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

客户端

client% ldapsearch uid=exampleuser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI

客户端 ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE        dc=example,dc=com
URI         ldap://ldap.example.com
SASL_MECH   GSSAPI

显然,这个错误足够清楚,可以解释我的 ldap 请求没有找到身份验证机制。

我已经看过很多教程和解释,但仍然找不到如何“添加“该机制。

谢谢什么是 SASL/GSSAPI?感谢所有精彩的解释。

已为用户 473183469 更新

我已经为 ldap 生成了一个 keytab,并将其复制到/etc/ldap/ldap.keytab,并编辑了/etc/默认/slapd根据https://help.ubuntu.com/community/SingleSignOn要求取消注释并提供路径导出 KRB5_KTNAME=/etc/ldap/ldap.keytab

ldap keytab 就是这样生成的

kadmin: addprinc -randkey ldap/[email protected]
kadmin: ktadd -k ~/ldap.keytab ldap/[email protected]

我还有一个在安装开始时创建的 /etc/krb5.keytab

kadmin.local:  listprincs
[email protected]
K/[email protected]
krbtgt/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
kadmin/[email protected]
[email protected] (also in the ldap, can issue a ticket and everything)
[email protected] (same for him)
ldap/[email protected]

ktutil 结果

# ktutil
ktutil:  read_kt /etc/ldap.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2            ldap/[email protected]
   2    2            ldap/[email protected]
   3    2            ldap/[email protected]
   4    2            ldap/[email protected]
ktutil:  read_kt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2            ldap/[email protected]
   2    2            ldap/[email protected]
   3    2            ldap/[email protected]
   4    2            ldap/[email protected]
   5    2           kadmin/[email protected]
   6    2           kadmin/[email protected]
   7    2           kadmin/[email protected]
   8    2           kadmin/[email protected]

答案1

解决了

我失踪SASL_MECH GSSAPISASL_REAM/etc/ldap/ldap.conf

[Tue Feb 28 13:48 root:ldap] [~] # cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI ldap://ldap.example.com    
SASL_MECH GSSAPI
SASL_REALM EXAMPLE.COM

现在我可以直接使用 kerberos 票证 ldapsearch uid=user 并获取

SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 112
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: uid=user
# requesting: ALL
#

当然,如果我没有 Kerberos 票(这是有道理的)

client% ldapsearch uid=gleger
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error:  Miscellaneous failure (see text (No credentials cache file found)

答案2

通常,您需要更改 slapd 的 sasl 配置/etc/sasl2/slapd.conf以包含 gssapi。

例如:

mech_list: external gssapi plain
pwcheck_method: saslauthd

之后您需要重新启动 slapd。

答案3

您是否只是缺少/etc/krb5.keytab具有 SPN 的文件ldap/fdqn

我认为您不需要在 OpenLDAP 上设置任何与 GSSAPI 相关的 SASL 开关,因为默认设置就很好,而强制设置例如领域比其他设置更麻烦。

相关内容