[389-users] GUI console and Kerberos
Ted Strother
tstrothe at umich.edu
Mon Mar 16 18:36:59 UTC 2015
Hi Paul,
I'd be interested in taking a look at it and I'm sure someone else out
there would as well.
On Mon, Mar 16, 2015 at 2:34 PM, Paul Robert Marino <prmarino1 at gmail.com>
wrote:
> Is there any interest in me writing a howto on this?
> keep in mind it doesn't break any of the built in functionality but
> just adds the ability to grant users admin privileges and log into the
> the GUI console (389-console) using their Kerberos password which are
> not stored in the LDAP database.
>
>
>
>
> On Sun, Mar 15, 2015 at 4:52 PM, Paul Robert Marino <prmarino1 at gmail.com>
> wrote:
> > I got it working Kerberos 5 authentication in 389-console for standard
> > user accounts.
> > none of the users Ive tested with have password fields in the LDAP
> > database they are only authenticating via Kerberos through PAM. why is
> > this a big deal the 389-console does not support SASL so GSSAPI
> > doesn't work either.
> >
> >
> >
> > I had to implement mod_auth_pam "yum install -y mod_auth_pam.x86_64"
> > Then I had to configure pam_passthru
> > http://www.port389.org/docs/389ds/howto/howto-pam-pass-through.html
> > (by the way I have some notes on things that should be revised on that
> > page)
> > Then I had to modify two config files. listed below in unified diffs
> > next there are several ACI's that needed to be altered to provide the
> > users with the required permissions those I'm still working out.
> >
> > here are the two files that need to be modified
> > "
> > --- /etc/dirsrv/admin-serv/httpd.conf.bak 2013-08-20
> > 15:34:35.000000000 -0400
> > +++ /etc/dirsrv/admin-serv/httpd.conf 2015-03-15 13:59:05.431490104
> -0400
> > @@ -134,6 +134,9 @@
> > LoadModule restartd_module /usr/lib64/dirsrv/modules/mod_restartd.so
> > LoadModule nss_module /usr/lib64/httpd/modules/libmodnss.so
> > LoadModule admserv_module /usr/lib64/dirsrv/modules/mod_admserv.so
> > +LoadModule auth_pam_module /usr/lib64/httpd/modules/mod_auth_pam.so
> > +LoadModule auth_sys_group_module
> /usr/lib64/httpd/modules/mod_auth_sys_group.so
> > +
> >
> > ### Section 2: 'Main' server configuration
> > #
> > "
> > "
> > --- /etc/dirsrv/admin-serv/admserv.conf.bak 2013-08-20
> > 15:34:35.000000000 -0400
> > +++ /etc/dirsrv/admin-serv/admserv.conf 2015-03-15 12:45:38.906535271
> -0400
> > @@ -74,6 +74,8 @@
> > AuthUserFile /etc/dirsrv/admin-serv/admpw
> > AuthType basic
> > AuthName "Admin Server"
> > + AuthPAM_Enabled on
> > + AuthPAM_FallThrough on
> > Require valid-user
> > Order allow,deny
> > Allow from all
> > @@ -84,6 +86,8 @@
> > AuthUserFile /etc/dirsrv/admin-serv/admpw
> > AuthType basic
> > AuthName "Admin Server"
> > + AuthPAM_Enabled on
> > + AuthPAM_FallThrough on
> > Require valid-user
> > AdminSDK on
> > ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
> > @@ -97,6 +101,8 @@
> > AuthUserFile /etc/dirsrv/admin-serv/admpw
> > AuthType basic
> > AuthName "Admin Server"
> > + AuthPAM_Enabled on
> > + AuthPAM_FallThrough on
> > Require valid-user
> > AdminSDK on
> > ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
> > @@ -111,6 +117,8 @@
> > AuthUserFile /etc/dirsrv/admin-serv/admpw
> > AuthType basic
> > AuthName "Admin Server"
> > + AuthPAM_Enabled on
> > + AuthPAM_FallThrough on
> > Require valid-user
> > Order allow,deny
> > Allow from all
> > @@ -123,6 +131,8 @@
> > AuthUserFile /etc/dirsrv/admin-serv/admpw
> > AuthType basic
> > AuthName "Admin Server"
> > + AuthPAM_Enabled on
> > + AuthPAM_FallThrough on
> > Require valid-user
> > ## turn off the password pipe when using mod_restartd
> > AdminSDK off
> >
> > "
> >
> > On Sun, Mar 15, 2015 at 12:39 PM, Paul Robert Marino
> > <prmarino1 at gmail.com> wrote:
> >> No thats not it at all. that already works for users authenticating
> >> via SASL GSSAPI
> >> This is a legacy LDAPv2 simple bind with TLS instead of SSL.
> >> SASL does not apply here from what I can see.
> >> it looks like the username and password are being passed but with the
> >> the kerberos principal as the username. so instead I'm going to
> >> reattempt this via an other route utilizing PAM.
> >>
> >>
> >>
> >>
> >> On Fri, Mar 13, 2015 at 11:58 AM, Mark Reynolds <mareynol at redhat.com>
> wrote:
> >>>
> >>>
> >>> On 03/11/2015 05:48 PM, prmarino1 at gmail.com wrote:
> >>>>
> >>>> Update I got pulled away on something else but there is progress.
> >>>>
> >>>> I tried the Apache Kerberos 5 auth module initial auth worked but
> then it
> >>>> went back to LDAP error 32 because it looks like it passed
> >>>> <username>@<realm> to the ldap server as the username. Which is
> something I
> >>>> knew the module did from past experience with it.
> >>>
> >>> You probably just need to setup your sasl mappings in the Directory
> Server:
> >>>
> >>>
> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/configuring-sasl-id-mapping.html
> >>>
> >>> Mark
> >>>
> >>>>
> >>>> I'm going to pick this up again tomorrow morning but I think I have it
> >>>> now I think I have a plan that will work.
> >>>>
> >>>> I'm going to try the apache Pam authentication module which should
> pass
> >>>> the username along without modification. Then I will configure Pam
> pass
> >>>> through in 389 server. If I'm right this may do it. As a hacked
> method.
> >>>> Then if I get it working and people are interested I can write a mini
> >>>> howto.
> >>>> That said if it works it will require a litle more research but I
> may be
> >>>> able to write a simple to implement RFE so it can attempt GSSAPI auth
> >>>> possibly based on a configuration parameter.
> >>>>
> >>>> Sent from my BlackBerry 10 smartphone.
> >>>> Original Message
> >>>> From: Paul Robert Marino
> >>>> Sent: Wednesday, March 11, 2015 15:06
> >>>> To: General discussion list for the 389 Directory server project.
> >>>> Subject: Re: [389-users] GUI console and Kerberos
> >>>>
> >>>> correction it looks like I will need to enable either PAM passthrough
> >>>> or I once i actually configure the real kerberos auth via the module
> >>>> an not my quick test hack
> >>>> I think it may allow forwarding the key via SASL GSSAPI
> >>>> but either way this is good I think im well on my way to figuring it
> out.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Wed, Mar 11, 2015 at 2:51 PM, Paul Robert Marino <
> prmarino1 at gmail.com>
> >>>> wrote:
> >>>>>
> >>>>> Ok so here is some progress
> >>>>> i manually added my user name and password in
> >>>>> /etc/dirsrv/admin-serv/admpw using the htpassword command
> >>>>> if i put cn=<username> I get ldap error 32: No such object in the
> >>>>> admin server error log
> >>>>> but if i just put my username in it finds the entry and i get a
> >>>>> different error ldap error 48: Inappropriate authentication
> >>>>> this is making me wonder if saslauthd may help
> >>>>>
> >>>>> On Wed, Mar 11, 2015 at 2:34 PM, Paul Robert Marino <
> prmarino1 at gmail.com>
> >>>>> wrote:
> >>>>>>
> >>>>>> I know it will probably be a little more complex than that but I
> think
> >>>>>> it logically should be one of the steps.
> >>>>>> although it doesn't explain how "cn=Directory Manager" works
> >>>>>> but it makes a lot of sense when you see the 401 error from the
> login
> >>>>>> attempt it comes from the directory specified by
> >>>>>> "
> >>>>>> <Location /admin-serv/authenticate>
> >>>>>> SetHandler user-auth
> >>>>>> AuthUserFile /etc/dirsrv/admin-serv/admpw
> >>>>>> AuthType basic
> >>>>>> AuthName "Admin Server"
> >>>>>> Require valid-user
> >>>>>> Order allow,deny
> >>>>>> Allow from all
> >>>>>> </Location>
> >>>>>> "
> >>>>>> in /etc/dirsrv/admin-serv/admserv.conf
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Wed, Mar 11, 2015 at 2:13 PM, Rich Megginson <
> rmeggins at redhat.com>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> On 03/11/2015 11:54 AM, Paul Robert Marino wrote:
> >>>>>>>>
> >>>>>>>> Hey every one
> >>>>>>>> I have a question I know at least once in the past i setup the
> admin
> >>>>>>>> console so it could utilize Kerberos passwords based on a howto I
> >>>>>>>> found once which after I changed jobs I could never find again.
> >>>>>>>>
> >>>>>>>> today I was looking for something else and I saw a mention on the
> site
> >>>>>>>> about httpd needing to be compiled with http auth support.
> >>>>>>>> well I did a little digging and I found this file
> >>>>>>>> /etc/dirsrv/admin-serv/admserv.conf
> >>>>>>>>
> >>>>>>>> in that file I found a lot of entries that look like this
> >>>>>>>> "
> >>>>>>>> <LocationMatch /*/[tT]asks/[Cc]onfiguration/*>
> >>>>>>>> AuthUserFile /etc/dirsrv/admin-serv/admpw
> >>>>>>>> AuthType basic
> >>>>>>>> AuthName "Admin Server"
> >>>>>>>> Require valid-user
> >>>>>>>> AdminSDK on
> >>>>>>>> ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
> >>>>>>>> NESCompatEnv on
> >>>>>>>> Options +ExecCGI
> >>>>>>>> Order allow,deny
> >>>>>>>> Allow from all
> >>>>>>>> </LocationMatch>
> >>>>>>>>
> >>>>>>>> "
> >>>>>>>> when I checked /etc/dirsrv/admin-serv/admpw sure enough I found
> the
> >>>>>>>> Password hash for the admin user.
> >>>>>>>>
> >>>>>>>> So my question is before I wast time experimenting could it
> possibly
> >>>>>>>> be as simple as changing the auth type to kerberos
> >>>>>>>> http://modauthkerb.sourceforge.net/configure.html
> >>>>>>>
> >>>>>>>
> >>>>>>> I don't know. I don't think anyone has ever tried it.
> >>>>>>>
> >>>>>>>> keep in mind my Kerberos Servers do not use LDAP as the backend.
> >>>>>>>> --
> >>>>>>>> 389 users mailing list
> >>>>>>>> 389-users at lists.fedoraproject.org
> >>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >>>>>>>
> >>>>>>>
> >>>>>>> --
> >>>>>>> 389 users mailing list
> >>>>>>> 389-users at lists.fedoraproject.org
> >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >>>>
> >>>> --
> >>>> 389 users mailing list
> >>>> 389-users at lists.fedoraproject.org
> >>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> >>>
> >>>
> >>> --
> >>> 389 users mailing list
> >>> 389-users at lists.fedoraproject.org
> >>> https://admin.fedoraproject.org/mailman/listinfo/389-users
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
--
Ted Strother
Systems Administrator Senior
Information Technology Services
University of Michigan-Dearborn
19000 Hubbard Drive, 238 FCN
Dearborn, MI 48126
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20150316/ffdefd81/attachment.html>
More information about the 389-users
mailing list