[Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?
howard at cohtech.com
Fri Apr 20 17:12:08 UTC 2007
Richard Megginson wrote:
> Howard Wilkinson wrote:
>> I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6
>> (+ enhancements) build. I have built the install using the dsbuild
>> operation and all seems to be working. I can authenticate to the
>> system using the 'admin' user and the "CN=Directory Manager"
>> identity. I have SSL working and now want to use our Kerberos
>> environment to provide SSO to the server.
>> Our Kerberos environment is based on an AD KDC and is supporting
>> other application successfully. We have created the 'ldap/...'
>> service principal and imported it into the system keytab.
>> First test with ldapsearch using GSSAPI fails with permission denied
>> from the GSSAPI function. So I thought I would try the mapping
>> facility as documented in the administration manual and set up to map
>> the Kerberos identity to the correct search DN for the AD. As we only
>> have the one Domain/Forest I set up a simple map that takes any name
>> and maps to this DN. I then set up a referral inside the DS to point
>> to the AD controllers in the hope that this would activate the
>> necessary logic. No joy.
>> Looking in the code for 'saslbind.c' it looks like the code only
>> allows for locally registered users. If I am reading this right does
>> this mean my next step is to remove the referral and add a replica
>> for the AD into my DS using the procedure outlined in the
>> Administration Guide section "Windows Sync".
> Yes. I believe you have to have an entry associated with the
> principal in Fedora DS. So yes, you will have to sync your user
> information from AD to Fedora DS.
>> In doing this will I have then enabled GSSAPI/Kerberos authentication
>> or will I still be missing something? If I do this will I be causing
>> problems in the future with other parts of the AD as I want to get
>> referrals when the data is not held in the DS?
> Well, it depends. What are you using Fedora DS for? Are you just
> using it as an authentication gateway to AD? If so, then you could
> probably just use something like pam_winbindd and skip Fedora DS
>> (Given that I will be syncing users (and groups?) only). I can use OU
>> trees for this and tie the referrals there of course but then I will
>> need to sync the entire CN=Users tree.
>> I understand that I will need to create a separate DIT (root) for the
>> AD data to ensure that I can sync to multiple domains in the future,
>> is this correct?
> I'm not really sure. Can you explain more about your topology and how
> you want to use Fedora DS?
>> Any advice or even a description of the set of steps that will make
>> this dance work would be much appreciated.
>> Howard Wilkinson
>> Coherent Technology Limited
>> 23 Northampton Square,
>> United Kingdom, EC1V 0HL
>> howard at cohtech.com
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
I am implementing the Fedora DS to provide data from other domains than
my AD. So I have other roots in the Directory Store already. I also will
be storing additional information for users in the DS to support RADIUS
and other applications. However our primary authentication store is on
Windows 2003 using the KDC. I have users who have Kerberos tickets
granted and can do GSSAPI exchanges with the AD to retrieve LDAP
results. The DS has a map which I believe should take a Kerberos/GSSAPI
identity and map it to a LDAP lookup. I have arranged for users to be
synchronised using the Windows Sync and am trying to match on
uid=<samAccountName>,OU=People,DC=example,DC=com for the user.
From the debug logs I am not sure that the DS is doing the GSSAPI look
or executing the maps but I get permission denied response with
'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the primary
I am not sure where to look next unless what I need to do is to add some
acl's for the users currently I just want to get LDAPSEARCH working with
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
howard at cohtech.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the 389-users