[Fedora-directory-users] Fedora DS, Kerberos, Active Directory - HOWTO?

Howard Wilkinson howard at cohtech.com
Fri Apr 20 17:12:08 UTC 2007


Richard Megginson wrote:
> Howard Wilkinson wrote:
>> I am new to Fedora DS and have installed 1.0.4 onto a Fedora Core 6 
>> (+ enhancements) build. I have built the install using the dsbuild 
>> operation and all seems to be working. I can authenticate to the 
>> system using the 'admin' user and the "CN=Directory Manager" 
>> identity. I have SSL working and now want to use our Kerberos 
>> environment to provide SSO to the server.
>>
>> Our Kerberos environment is based on an AD KDC and is supporting 
>> other applications successfully. We have created the 'ldap/...' 
>> service principal and imported it into the system keytab.
>>
>> First test with ldapsearch using GSSAPI fails with permission denied 
>> from the GSSAPI function. So I thought I would try the mapping 
>> facility as documented in the administration manual and set up to map 
>> the Kerberos identity to the correct search DN for the AD. As we only 
>> have the one Domain/Forest I set up a simple map that takes any name 
>> and maps to this DN. I then set up a referral inside the DS to point 
>> to the AD controllers in the hope that this would activate the 
>> necessary logic. No joy.
>>
>> Looking in the code for 'saslbind.c' it looks like the code only 
>> allows for locally registered users. If I am reading this right does 
>> this mean my next step is to remove the referral and add a replica 
>> for the AD into my DS using the procedure outlined in the 
>> Administration Guide section "Windows Sync"?
> Yes.  I believe you have to have an entry associated with the 
> principal in Fedora DS.  So yes, you will have to sync your user 
> information from AD to Fedora DS.
>> In doing this will I have then enabled GSSAPI/Kerberos authentication 
>> or will I still be missing something? If I do this will I be causing 
>> problems in the future with other parts of the AD as I want to get 
>> referrals when the data is not held in the DS?
> Well, it depends.  What are you using Fedora DS for?  Are you just 
> using it as an authentication gateway to AD?  If so, then you could 
> probably just use something like pam_winbindd and skip Fedora DS 
> altogether.
>> (Given that I will be syncing users (and groups?) only). I can use OU 
>> trees for this and tie the referrals there of course but then I will 
>> need to sync the entire CN=Users tree.
>>
>> I understand that I will need to create a separate DIT (root) for the 
>> AD data to ensure that I can sync to multiple domains in the future, 
>> is this correct?
> I'm not really sure.  Can you explain more about your topology and how 
> you want to use Fedora DS?
>>
>> Any advice or even a description of the set of steps that will make 
>> this dance work would be much appreciated.
Richard,

I am implementing the Fedora DS to provide data from other domains than 
my AD. So I have other roots in the Directory Store already. I also will 
be storing additional information for users in the DS to support RADIUS 
and other applications. However our primary authentication store is on 
Windows 2003 using the KDC. I have users who have Kerberos tickets 
granted and can do GSSAPI exchanges with the AD to retrieve LDAP 
results. The DS has a map which I believe should take a Kerberos/GSSAPI 
identity and map it to an LDAP lookup. I have arranged for users to be 
synchronised using the Windows Sync and am trying to match on 
uid=<samAccountName>,OU=People,DC=example,DC=com for the user.

From the debug logs I am not sure that the DS is doing the GSSAPI lookup 
or executing the maps, but I get a permission denied response with 
'ldap_sasl_interactive_bind_s: Invalid credentials (49)' as the primary 
message.

I am not sure where to look next, unless what I need to do is to add some 
ACLs for the users. Currently I just want to get LDAPSEARCH working with 
Kerberos.

Howard.


-- 

Howard Wilkinson
Coherent Technology Limited
23 Northampton Square,
United Kingdom, EC1V 0HL
Phone: +44(20)76907075
Mobile: +44(7980)639379
Email: howard at cohtech.com

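A small model of the identity-mapping step discussed in this thread, added here as an illustration and not taken from the Fedora DS source or from either poster: it turns a Kerberos principal into the uid=<samAccountName>,OU=People,DC=example,DC=com DN and checks whether a synced entry exists. The map regex (written in Python syntax), the sample principals and entries, and the assumption that a missing entry ends in result 49 are constructed for the example.

```python
import re

# Constructed stand-in for the entries Windows Sync has created in the DS.
SYNCED_ENTRIES = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe"},
}

# Hypothetical map: Python regex syntax, not the server's own regex dialect.
SASL_MAP = {
    "regex": r"^(.+)@EXAMPLE\.COM$",
    "dn_template": r"uid=\1,OU=People,DC=example,DC=com",
}

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49


def map_principal(principal, sasl_map=SASL_MAP):
    """Return the DN the map produces for a principal, or None if no match."""
    m = re.match(sasl_map["regex"], principal)
    if m is None:
        return None
    return m.expand(sasl_map["dn_template"])


def sasl_bind(principal, entries=SYNCED_ENTRIES):
    """Model the bind outcome once the Kerberos exchange itself has succeeded.

    Assumption of this model: a principal that maps to no local entry is
    rejected with result 49, the code reported in the message above.
    """
    dn = map_principal(principal)
    if dn is None:
        return LDAP_INVALID_CREDENTIALS, None   # no map matched the principal
    if dn.lower() not in entries:               # DN comparison ignores case
        return LDAP_INVALID_CREDENTIALS, dn     # mapped, but entry not synced
    return LDAP_SUCCESS, dn


if __name__ == "__main__":
    for p in ("jdoe@EXAMPLE.COM", "asmith@EXAMPLE.COM", "jdoe@OTHER.EXAMPLE.ORG"):
        print(p, sasl_bind(p))
```

The second element of the result is the DN to look for in the directory when a bind is rejected: `None` points at the map itself, a DN points at a missing or differently named synced entry.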