[389-users] GSSAPI authentication to Directory Server

Andrey Ivanov andrey.ivanov at polytechnique.fr
Mon Oct 4 16:30:43 UTC 2010


Hi,

Try

kinit username
<password>
klist -e

/usr/bin/ldapsearch -Y GSSAPI -h station1.example.com -b "dc=example,dc=com" "(cn=*)"

klist -e
<you should see the additional ticket ldap/station1.example.com>
At least, that's how it works in our system.


2010/10/4 Matt Carey <cvstealth2000 at yahoo.com>

> I'm trying to follow the Kerberos howto guide at
> http://directory.fedoraproject.org/wiki/Howto:Kerberos but am having an
> issue authenticating to the Directory Server with GSSAPI/Kerberos tickets:
> $ /usr/lib/mozldap/ldapsearch -h station1.example.com -p 389 -o mech=GSSAPI -o authid="mcarey@STATION1.EXAMPLE.COM" -o authzid="mcarey@STATION1.EXAMPLE.COM" -b "dc=example,dc=com" "(cn=*)"
> Bind Error: Invalid credentials
> Bind Error: additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
> Attempt with OpenLDAP client:
> $ /usr/bin/ldapsearch -Y GSSAPI -X u:mcarey -b "" -s base -LLL -H ldap://station1.example.com -b "dc=example,dc=com" "(cn=*)"
> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Invalid credentials (49)
>     additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
>
>
> Resulting in the following entries in the access log on the DS:
> # tail -5 access
> [04/Oct/2010:10:44:14 -0400] conn=18 fd=68 slot=68 connection from 10.100.0.45 to 10.100.0.45
> [04/Oct/2010:10:44:14 -0400] conn=18 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
> [04/Oct/2010:10:44:14 -0400] conn=18 op=0 RESULT err=49 tag=97 nentries=0 etime=0
> [04/Oct/2010:10:44:14 -0400] conn=18 op=1 UNBIND
> [04/Oct/2010:10:44:14 -0400] conn=18 op=1 fd=68 closed - U1
>
>
> From what I can tell, the Kerberos infrastructure and OS components are set up accordingly:
> GSSAPI is a viable SASL mechanism:
> $ /usr/lib/mozldap/ldapsearch -b "" -h station1 -p 389 -s base "(objectClass=*)" supportedSASLMechanisms
> version: 1
> dn:
> supportedSASLMechanisms: EXTERNAL
> supportedSASLMechanisms: DIGEST-MD5
> supportedSASLMechanisms: GSSAPI
> supportedSASLMechanisms: LOGIN
> supportedSASLMechanisms: CRAM-MD5
> supportedSASLMechanisms: ANONYMOUS
> supportedSASLMechanisms: PLAIN
>
> Directory Server keytab and contents:
> # grep "nsslapd-localuser" dse.ldif
> nsslapd-localuser: nobody
> # ls -la ds.keytab
> -rw------- 1 nobody nobody 172 Oct  3 13:21 ds.keytab
> # ktutil
> ktutil:  rkt ./ds.keytab
> ktutil:  l
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
>    2    3 ldap/station1.example.com@STATION1.EXAMPLE.COM
> # grep KRB /etc/sysconfig/dirsrv
> KRB5_KTNAME=/etc/dirsrv/ds.keytab ; export KRB5_KTNAME
>
> SASL maps in Directory Server:
> dn: cn=Kerberos uid mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: Kerberos uid mapping
> nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
> nsSaslMapBaseDNTemplate: dc=\2,dc=\3
> nsSaslMapFilterTemplate: (uid=\1)
>
> dn: cn=Station1 Kerberos Mapping,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: Station1 Kerberos Mapping
> nsSaslMapRegexString: (.*)@STATATION1.EXAMPLE.COM
> nsSaslMapFilterTemplate: (objectclass=inetOrgPerson)
> nsSaslMapBaseDNTemplate: uid=\1,ou=People,dc=example,dc=com
>
> dn: cn=station1 map,cn=mapping,cn=sasl,cn=config
> objectClass: top
> objectClass: nsSaslMapping
> cn: example map
> cn: station1 map
> nsSaslMapRegexString: \(.*\)
> nsSaslMapBaseDNTemplate: ou=People,dc=example,dc=com
> nsSaslMapFilterTemplate: (cn=\1)
>
> Getting a ticket from the KDC:
> [mcarey@station1 ~]$ kdestroy
> [mcarey@station1 ~]$ kinit
> Password for mcarey@STATION1.EXAMPLE.COM:
> [mcarey@station1 ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_5000_hYlO20
> Default principal: mcarey@STATION1.EXAMPLE.COM
> Valid starting     Expires            Service principal
> 10/04/10 10:57:20  10/04/10 17:37:20  krbtgt/STATION1.EXAMPLE.COM@STATION1.EXAMPLE.COM
> Kerberos 4 ticket cache: /tmp/tkt5000
> klist: You have no tickets cached
>
> Any help or pointers people have would be greatly appreciated.
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>
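As an added illustration (not from either poster and not 389 Directory Server code), a walk through the SASL mapping stage the quoted configuration sets up: which of the three nsSaslMapping entries match the poster's principal, and what base DN and filter each one produces. It assumes the server tries the mappings in the listed order and treats both `\(...\)` and `(...)` as capture groups; this stage only runs after the GSSAPI handshake succeeds, so it is separate from the gss_accept_sec_context failure above.

```python
import re

# The three nsSaslMapping entries from the quoted post, copied as posted.
# Assumption: the server treats both "\(...\)" (BRE) and "(...)" as capture
# groups and tries the mappings in the order listed here.
MAPPINGS = [
    ("Kerberos uid mapping",
     r"\(.*\)@\(.*\)\.\(.*\)", r"dc=\2,dc=\3", r"(uid=\1)"),
    ("Station1 Kerberos Mapping",
     r"(.*)@STATATION1.EXAMPLE.COM", r"uid=\1,ou=People,dc=example,dc=com",
     r"(objectclass=inetOrgPerson)"),
    ("station1 map",
     r"\(.*\)", r"ou=People,dc=example,dc=com", r"(cn=\1)"),
]

def to_python_regex(regex):
    # Turn BRE-style "\(" / "\)" groups into Python groups; leave the rest as-is.
    return regex.replace(r"\(", "(").replace(r"\)", ")")

def expand(template, match):
    # Substitute \1, \2, ... in a DN or filter template with the captured groups.
    return re.sub(r"\\(\d)", lambda m: match.group(int(m.group(1))), template)

def resolve(authid, mappings=MAPPINGS):
    """Return (name, base_dn, ldap_filter) for every mapping whose regex
    matches the SASL authid, in list order."""
    hits = []
    for name, regex, base_tpl, filter_tpl in mappings:
        m = re.fullmatch(to_python_regex(regex), authid)
        if m:
            hits.append((name, expand(base_tpl, m), expand(filter_tpl, m)))
    return hits

def under_suffix(base_dn, suffix):
    """True if base_dn lies at or below suffix, comparing RDNs case-insensitively."""
    rdns = [r.strip().lower() for r in base_dn.split(",")]
    want = [r.strip().lower() for r in suffix.split(",")]
    return len(rdns) >= len(want) and rdns[-len(want):] == want

if __name__ == "__main__":
    principal = "mcarey@STATION1.EXAMPLE.COM"   # the poster's principal, from klist above
    for name, base, flt in resolve(principal):
        ok = under_suffix(base, "dc=example,dc=com")
        print(f"{name}: base={base} filter={flt} under suffix={ok}")
```

As the output shows, the realm-derived base `dc=STATION1.EXAMPLE,dc=COM` from the first mapping is not under `dc=example,dc=com`, and the second mapping's realm is spelled "STATATION1" so it never matches; only the catch-all third entry lands under the real suffix.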