[Fedora-directory-users] FDS, Kerberos, SASL confusion
Hintermayer Johannes
hintermayer.johannes at afb.de
Wed Jul 25 14:06:12 UTC 2007
Hi all,
currently I'm battling with FDS, Kerberos and SASL to get a working
single sign-on setup.
At the moment I have a working Kerberos realm to which I can
successfully connect. I also have a working FDS with one user for
testing purposes. Saslauthd is also configured, and executing
testsaslauthd is OK.
But now I'm having trouble convincing FDS to authenticate users via
Kerberos. I have read
http://directory.fedoraproject.org/wiki/Howto:Kerberos and
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/ssl.html#1083165
but I don't think it's that simple. At least it's not yet working for
me.
When I try to bind to FDS via GSSAPI, the following error occurs:
#klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: bsmith@AFB.LAN
#ldapsearch -Y GSSAPI -D "uid=bsmith,ou=People,dc=afb,dc=lan" -v
ldap_initialize( <DEFAULT> )
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (Permission denied)
I have tried several combinations of config files and password entries
but none worked.
So first of all I'd like to ask a few questions to shed light on a few
things:
1. Do I need saslauthd on every client which I want to authenticate via
FDS/Kerberos?
2. Do I need a host principal for every client?
Here is my current configuration; please correct me if there are some
unneeded files (these were put together from several tutorials):
/etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = AFB.LAN
dns_lookup_realm = false
dns_lookup_kdc = false
[realms]
AFB.LAN = {
kdc = vafbkrb01.afb.lan:88
admin_server = vafbkrb01.afb.lan:749
default_domain = afb.lan
}
[domain_realm]
.afb.lan = AFB.LAN
afb.lan = AFB.LAN
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
/etc/ldap.conf
host 172.16.50.2
base dc=afb,dc=lan
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
SASL_MECH GSSAPI
SASL_REALM AFB.LAN
use_sasl on
sasl_auth_id ldap/vafbds01.afb.lan
/etc/sysconfig/saslauthd
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
FLAGS=
/usr/lib/sasl2/slapd.conf
mech_list: plain gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
keytab: /etc/krb5.keytab
SASL Mapping:
nssaslmapfiltertemplate: (uid=\1)
nssaslmapregexstring: \(.*\)@\(.*\)
/opt/fedora-ds/slapd-vafbds01/start-slapd contains:
"export KRB5_KTNAME=/etc/krb5.keytab"
The password entry for bsmith in FDS contains:
{SASL}bsmith@AFB.LAN
FDS supports the following SASL mechanisms:
#ldapsearch -x -D "uid=bsmith,ou=People,dc=afb,dc=lan" -b "" -s base supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope base
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#
#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: ANONYMOUS
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: CRAM-MD5
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
DNS (forward & reverse) as well as NTP settings are correct on all
hosts.
Are there any obvious mistakes in my configuration or am I on the right
track?
Thanks in advance!
Best regards,
Johannes Hintermayer
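The SASL mapping in the post (nssaslmapregexstring `\(.*\)@\(.*\)` with nssaslmapfiltertemplate `(uid=\1)`) is what decides which directory entry a GSSAPI principal ends up bound as. The Python model below is an added example, not code from the post or from Fedora Directory Server. It assumes the regex is evaluated against the whole SASL authid, assumes a base DN of dc=afb,dc=lan for the map (attribute nsSaslMapBaseDNTemplate), and the realm-anchored mapping is an added alternative, not part of the posted configuration. The point it demonstrates: the posted regex accepts any realm after the @, so a principal such as bsmith@EVIL.LAN (which could reach the server only if a cross-realm trust existed) maps to the same uid=bsmith entry as bsmith@AFB.LAN, whereas anchoring the realm in the regex rejects it. The model also escapes LDAP filter metacharacters in the captured groups; the post says nothing about whether the server does this itself.

```python
"""Model of Fedora/389 Directory Server SASL identity mapping
(nsSaslMapRegexString + nsSaslMapFilterTemplate).  Constructed example."""
import re

# The mapping shown in the post (regex and filter template are verbatim;
# the base DN template is an assumption).
POST_MAPPING = {
    "nsSaslMapRegexString": r"\(.*\)@\(.*\)",
    "nsSaslMapBaseDNTemplate": "dc=afb,dc=lan",
    "nsSaslMapFilterTemplate": r"(uid=\1)",
}

# Added hardened variant: only principals of the AFB.LAN realm are mapped,
# and the local part may not itself contain an '@'.
REALM_ANCHORED_MAPPING = {
    "nsSaslMapRegexString": r"^\([^@]*\)@AFB\.LAN$",
    "nsSaslMapBaseDNTemplate": "dc=afb,dc=lan",
    "nsSaslMapFilterTemplate": r"(uid=\1)",
}


def bre_to_python(pattern: str) -> str:
    """Translate POSIX basic-regex syntax (the DS mapping syntax, where \\( \\)
    group and bare parentheses are literals) into Python re syntax."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            nxt = pattern[i + 1]
            # \( and \) become grouping parens; every other escape is kept.
            out.append(nxt if nxt in "()" else ch + nxt)
            i += 2
            continue
        # A bare ( or ) is a literal in BRE, so escape it for Python.
        out.append("\\" + ch if ch in "()" else ch)
        i += 1
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a captured authid cannot inject filter syntax."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value substituted into the base-DN template."""
    return "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)


def _expand(template: str, groups, escaper) -> str:
    # Replace \1, \2 ... in the template with the escaped captured groups.
    return re.sub(r"\\(\d+)",
                  lambda mo: escaper(groups[int(mo.group(1)) - 1] or ""),
                  template)


def map_authid(authid: str, mappings):
    """Return (base_dn, search_filter) for the first mapping whose regex
    matches the SASL authid, or None if no mapping applies (the server would
    then fall back to its default mapping or reject the bind)."""
    for m in mappings:
        rx = re.compile(bre_to_python(m["nsSaslMapRegexString"]))
        match = rx.fullmatch(authid)   # assumption: whole-authid match
        if match is None:
            continue
        groups = match.groups()
        return (_expand(m["nsSaslMapBaseDNTemplate"], groups, escape_dn_value),
                _expand(m["nsSaslMapFilterTemplate"], groups, escape_filter_value))
    return None


if __name__ == "__main__":
    # Constructed authids as a GSSAPI (Kerberos principal) bind would present them.
    for authid in ("bsmith@AFB.LAN", "bsmith@EVIL.LAN", "bsmith", "*@AFB.LAN"):
        print("%-16s posted: %-32s anchored: %s" % (
            authid,
            map_authid(authid, [POST_MAPPING]),
            map_authid(authid, [REALM_ANCHORED_MAPPING])))
```

Running the block prints, for each constructed authid, what the posted mapping resolves it to next to what the realm-anchored one does; the foreign-realm principal and the `*` local part are the two cases worth comparing.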