[deployment-guide: 89/185] added "Setting up SASL/GSSAPI Authentication" to SSSD chapter

Jaromir Hradilek jhradile at fedoraproject.org
Sun May 15 21:18:34 UTC 2011


commit 0cc3fdb14536f85dc4c620eacddea8fe30c189e1
Author: Martin Prpic <mprpic at redhat.com>
Date:   Thu Feb 10 21:16:33 2011 +0100

    added "Setting up SASL/GSSAPI Authentication" to SSSD chapter

 en-US/SSSD.xml |  216 ++++++++++++++++++++++++++++++++++++++++----------------
 1 files changed, 154 insertions(+), 62 deletions(-)
---
diff --git a/en-US/SSSD.xml b/en-US/SSSD.xml
index 4b03f36..eaedd64 100644
--- a/en-US/SSSD.xml
+++ b/en-US/SSSD.xml
@@ -679,7 +679,7 @@ ldap_access_filter = memberOf=cn=allowedusers,ou=Groups,dc=example,dc=com</scree
           <term>proxy</term>
           <listitem>
             <para>
-            Specifying a proxy identity or an authentication provider uses an existing NSS library or customized PAM stack, but takes advantage of the SSSD caching mechanism. 
+            Specifying a proxy identity or an authentication provider uses an existing NSS library or a customized PAM stack, but takes advantage of the SSSD caching mechanism. For more information, refer to <xref linkend="sect-SSSD_User_Guide-Domain_Configuration_Options-Configuring_a_Proxy_Domain"/>.
             </para>
           </listitem>
         </varlistentry>
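Review bot: the `+` line's new xref targets `sect-SSSD_User_Guide-Domain_Configuration_Options-Configuring_a_Proxy_Domain`, which this same patch deletes at its old position and recreates further down, so the link still resolves; the sentence it hangs off remains ambiguous, though. "Specifying a proxy identity or an authentication provider" reads as two unrelated things. Suggest "Setting either the identity provider or the authentication provider to `proxy` uses an existing NSS library or a customized PAM stack, respectively, but takes advantage of the SSSD caching mechanism."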
@@ -851,6 +851,11 @@ ipauser01:x:937315651:937315651:ipauser01:/home/ipauser01:/bin/sh
             </para>
             <para>This option is only used when the <option>auth_provider</option> option is set to <literal>proxy</literal>, and specifies the target to which <acronym>PAM</acronym> must proxy.</para>
             <para>This option has no default value. If proxy authentication is required, you need to specify your own <acronym>PAM</acronym> target. This corresponds to a file containing <acronym>PAM</acronym> stack information in the system's default <acronym>PAM</acronym> configuration directory. On &MAJOROS;-based systems, this is the <filename>/etc/pam.d/</filename> directory.</para>
+            <important>
+              <title>Important</title>
+                <para>Ensure that your proxy PAM stack does <emphasis>not</emphasis> recursively include <filename>pam_sss.so</filename>. 
+                </para>
+            </important>
           </listitem>
           <listitem>
             <para>
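Review bot: the new admonition states the rule but not the consequence, and a reader deciding whether their stack "recursively includes" `pam_sss.so` (for example through an `include` of a system stack that already lists it) needs to know why it matters. Suggest one sentence after the existing one: if the proxy target invokes `pam_sss.so`, that module hands the request back to SSSD, which runs the same proxy stack again, so the authentication never terminates. Style: the `<para>` is indented two spaces deeper than its `<title>` and carries a trailing space plus a dangling line before `</para>`; also, the `<important>` being removed further down in this patch had no `<title>` while this one does, so settle on one form for the chapter.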
@@ -1193,48 +1198,7 @@ ldap_group_object_class = group</screen>
           </para>
         </note>
       </section>
-
-
-    </section>
-
-
-    <!-- MOVE DOWN UNDER KRB5/LDAP and rename to PROXY/KRB5 or PROXY PROXY -->
-    <section id="sect-SSSD_User_Guide-Domain_Configuration_Options-Configuring_a_Proxy_Domain">
-      <title>Configuring a Proxy Domain</title>
-      <indexterm>
-        <primary>SSSD</primary>
-        <secondary>Configuring a proxy domain for</secondary>
-      </indexterm>
-
-      <para>
-        SSSD currently only supports LDAP and Kerberos as authentication providers. If you prefer to use SSSD (for example, to take advantage of its caching functionality), but SSSD does not support your authentication method, you can set up a proxy authentication provider. This could be the case if you use fingerprint scanners or smart cards as part of your authentication process.
-      </para>
-      <itemizedlist>
-        <listitem>
-          <para>
-            <option>proxy_pam_target</option>
-            <type>(string)</type>
-          </para>
-          <para>This option is only used when the <option>auth_provider</option> option is set to <literal>proxy</literal>, and specifies the proxy target that <acronym>PAM</acronym> proxies to.</para>
-          <para>This option has no default value. If proxy authentication is required, you need to specify your own <acronym>PAM</acronym> target. This corresponds to a file containing <acronym>PAM</acronym> stack information in the system's default <acronym>PAM</acronym> configuration directory. On &MAJOROS;&mdash;based systems, this is the <filename>/etc/pam.d/</filename> directory.</para>
-          <important>
-            <para>
-              Ensure that your proxy PAM stack does <emphasis>not</emphasis> recursively include <filename>pam_sss.so</filename>.
-            </para>
-          </important>
-        </listitem>
-        <listitem>
-          <para>
-            <option>proxy_lib_name</option>
-            <type>(string)</type>
-          </para>
-          <para>This option is only used when the <option>id_provider</option> option is set to <literal>proxy</literal>, and specifies which existing NSS library to proxy identity requests through.</para>
-
-          <para>This option has no default value. You need to manually specify an existing library to take advantage of this option. For example, set this value to <literal>nis</literal> to use the existing <filename>libnss_nis.so</filename> file.</para>
-        </listitem>
-      </itemizedlist>
     </section>
-
   </section>
 
 
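Review bot: the `proxy_lib_name` description deleted here (its purpose, the absence of a default, and the `nis` / `libnss_nis.so` example) is not carried into the new "Configuring a Proxy Domain" section this patch adds; the only copy of it in the new section sits inside an XML comment. Unless the domain options list around line 851 already has an entry for it (the hunk above shows only `proxy_pam_target` before the next `<listitem>`), the rendered guide no longer documents the option. Suggest moving the two `proxy_lib_name` paragraphs into the new section next to `proxy_pam_target` rather than dropping them. The removed `&MAJOROS;&mdash;based` was the broken spelling; the `&MAJOROS;-based` kept in the 851 hunk is the right one.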
@@ -1284,32 +1248,161 @@ krb5_auth_timeout = 15
 </screen>
 
     <para>This example describes the minimum options that must be configured when using Kerberos authentication. Refer to the <citetitle>sssd-krb5(5)</citetitle> manual page for a full description of all the options that apply to configuring Kerberos authentication.</para>
-    <!-- <bridgehead>Setting up SASL/GSSAPI Authentication</bridgehead>
-    <para>
-    <firstterm>GSSAPI</firstterm> (Generic Security Services Application Programming Interface) is a supported <firstterm>SASL</firstterm> (Simple Authentiction and Security Layer) authentication method. Kerberos is currently the only commonly used GSSAPI implementation. 
-    
-    Thus, an LDAP client and server would use SASL to negotiate GSSAPI as the authentication method (as opposed to plain-text passwords, etc.) and then the GSSAPI plugin for SASL would be invoked on each end to speak Kerberos to one another
-
-    </para> -->
     <note>
         <title><systemitem>DNS</systemitem> Service Discovery</title>
           <para>
             The <systemitem>DNS</systemitem> service discovery feature allows the Kerberos&#160;5 authentication back end to automatically find the appropriate <systemitem>DNS</systemitem> servers to connect to using a special <systemitem>DNS</systemitem> query. For more information on the <systemitem>DNS</systemitem> service discovery feature, refer to <xref linkend="sect-SSSD_User_Guide-Configuring_Domains-Configuring_Failover-Using_SRV_Records_with_Failover"/>.
           </para>
       </note>
-  </section>
-
-<!--
-  <section id="sect-SSSD_User_Guide-Configuring_Domains-Setting_up_SASL_GSSAPI_Authentication">
+    <section id="sect-setting-up-sasl-gssapi-authentication">
     <title>Setting up SASL/GSSAPI Authentication</title>
-    <indexterm>
-      <primary>SSSD</primary>
-      <secondary>Setting up SASL/GSSAPI authentication for</secondary>
-    </indexterm>
-    <para>dummy text</para>
-    <remark>https://bugzilla.redhat.com/show_bug.cgi?id=601870</remark>
-  </section>-->
+    <para>
+    <firstterm>GSSAPI</firstterm> (Generic Security Services Application Programming Interface) is a supported <firstterm>SASL</firstterm> (Simple Authentiction and Security Layer) authentication method. Kerberos is currently the only commonly used GSSAPI implementation. An LDAP client and an LDAP server use SASL to take advantage of GSSAPI as the authentication method (an alternative to plain text passwords, etc.). The GSSAPI plugin for SASL is then invoked on the client and server side to use Kerberos to communicate.
+    </para>
+    <para>
+      Using GSSAPI protected communication for LDAP is an advanced configuration not supported by the Authentication Configuration tool; the following steps show how to manually configure it.
+    </para>
+    <important>
+      <title>Important</title>
+        <para>
+        The following setup works correctly on all &MAJOROS; 6.1 systems and any systems released after it. However, when using &MAJOROS; 6.0, you must correctly configure the <option>default_realm</option> option in the <option>[libdefaults]</option> section and <option>kdc</option> option for your realm in the <option>[realms]</option> section in your <filename>/etc/krb5.conf</filename> configuration file. For more information on various <filename>/etc/krb5.conf</filename> options, refer to <command>man krb5.conf</command>
+        </para>
+    </important>
+    <variablelist>
+      <varlistentry>
+        <term>On the LDAP Server</term>
+        <listitem>
+        <orderedlist>
+          <listitem>
+            <para>
+            Using <application>kadmin</application>, set up a Kerberos service principal for the LDAP server. Use the <option>-randkey</option> option for the <application>kadmin</application>'s <command>addprinc</command> command to create the principal and assign it a random key:
+          </para>
+          <screen>kadmin: addprinc -randkey ldap/server.example.com</screen>
+          </listitem>
+          <listitem>
+            <para>
+            Use <application>kadmin</application>'s <command>ktadd</command> to write the service principal to a file:
+            </para>
+            <screen>kadmin: ktadd -k /etc/openldap/ldap.keytab ldap/server.example.com</screen>
+            <para>
+            The command above assumes you are using OpenLDAP. In this case, the keytab file must be named <filename>ldap.keytab</filename> and placed in the <filename>/etc/openldap/</filename> directory. The file must be owned by a user called <parameter>ldap</parameter> and a group called <parameter>ldap</parameter>.
+            </para>
+            <para>
+            When using the Red Hat Directory Server, name the file <filename>ds.keytab</filename> and place it in the <filename>/etc/dirsrv/</filename> directory. Uncomment the <varname>KRB5_KTNAME</varname> line in the <filename>/etc/sysconfig/dirsrv</filename> (or instance-specific) file, and set the keytab location for the <varname>KRB5_KTNAME</varname> variable. For example:
+            </para>
+            <screen>
+# In order to use SASL/GSSAPI the directory
+# server needs to know where to find its keytab
+# file - uncomment the following line and set
+# the path and filename appropriately
+KRB5_KTNAME=/etc/dirsrv/krb5.keytab ; export KRB5_KTNAME</screen>
+          </listitem>
+        </orderedlist>
+          
+        </listitem>
+      </varlistentry>
+      <varlistentry>
+        <term>On the KDC</term>
+        <listitem>
+          <orderedlist>
+            <listitem>
+              <para>
+              Using <application>kadmin</application>, set up a Kerberos host principal for the client running SSSD. Use the <option>-randkey</option> option for the <application>kadmin</application>'s <command>addprinc</command> command to create the principal and assign it a random key:
+              </para>
+              <screen>kadmin: addprinc -randkey host/client.example.com</screen>
+            </listitem>
+            <listitem>
+              <para>
+              Use <application>kadmin</application>'s <command>ktadd</command> to write the host principal to a file:
+              </para>
+              <screen>kadmin: ktadd -k /etc/krb5.keytab host/client.example.com</screen>
+            </listitem>
+            <listitem>
+              <para>
+                Modify your /etc/sssd/sssd.conf file to reflect the following settings:
+              </para>
+              <screen>
+ldap_sasl_mech = gssapi
+ldap_sasl_authid = host/client.example.com at EXAMPLE.COM
+ldap_krb5_keytab = /etc/krb5.keytab (default)
+ldap_krb5_init_creds = true (default)
+ldap_krb5_ticket_lifetime = 86400 (default)
+krb5_realm = EXAMPLE.COM
+              </screen>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+     </variablelist>
+     </section>
+    
+  </section>
+  <section id="sect-SSSD_User_Guide-Domain_Configuration_Options-Configuring_a_Proxy_Domain">
+      <title>Configuring a Proxy Domain</title>
+      <indexterm>
+        <primary>SSSD</primary>
+        <secondary>Configuring a proxy domain for</secondary>
+      </indexterm>
+      <para>
+        SSSD currently only supports LDAP and Kerberos as authentication providers. If you prefer to use SSSD (for example, to take advantage of its caching functionality), but SSSD does not support your authentication method, you can set up a proxy authentication provider. This could be the case if you use fingerprint scanners or smart cards as part of your authentication process. Similarly, you can set up proxy to serve as an identity provider.
+      </para>
+      <para>
+        The following sections cover various combinations of identity providers and authentication provides in which the proxy server takes the role of one.
+      </para>
+      <!-- <section id="sect-SSSD-proxy-krb5">
+        <title>proxy/KRB5</title>
+        <para>An example of a combination of a proxy identity provider used with Kerberos authentication is using NIS (Network Information Service) with Kerberos. This combination can be easily set up through the Authentication Configuration tool. For more information on the Authentication Configuration tool, refer to <xref linkend="sect-The_Authentication_Configuration_Tool"/>.</para>
+      </section>
+      <section id="sect-SSSD-LDAP-proxy">
+        <title>LDAP/proxy</title>
+        <para>To set up the combination of an LDAP identity provider and proxy authentication provider, follow these steps:</para>
+         To enable authentication via the PAM stack, add these options to the domain config: 
+        <orderedlist>
+          <listitem>
+            <para>
+              Edit your <filename>/etc/sssd/sssd.conf</filename> configuration file to reflect the following settings:
+            </para>
+            <screen>
+            
+[domain/PROXY] 
+auth_provider = proxy 
+id_provider = proxy
+proxy_lib_name = ldap
+proxy_pam_target = sssdproxyldap
+enumerate = true 
+cache_credentials = 2907true 
 
+debug_level = 4 
+min_id = 1000
+            </screen>
+          </listitem>
+          <listitem>
+            <para>
+              create:
+/etc/pam.d/sssdproxyldap 
+auth          required      pam_ldap.so 
+account       required      pam_ldap.so 
+password      required      pam_ldap.so 
+session       required      pam_ldap.so 
+            </para>
+          </listitem>
+          <listitem>
+            <para>
+              edit:
+/etc/nslcd.conf
+uid nslcd
+gid ldap
+uri ldaps://ldap.mydomain.org:636
+base dc=mydomain,dc=org
+ssl no
+tls_cacertdir /etc/openldap/cacerts
+            </para>
+          </listitem>
+        </orderedlist>
+        <para>must have nss-pam-ldapd installed
+        </para>
+      </section> -->
+    </section>
 
     <!--<section
       id="chap-SSSD_User_Guide-Using_the_SSSD_Management_Tools">
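Review bot: the second `<varlistentry>`, titled "On the KDC", describes work that is done on the SSSD client, not on the KDC. `ktadd -k /etc/krb5.keytab host/client.example.com` has to write the host keytab onto the client (run on the KDC it would put the client's key into the KDC's own `/etc/krb5.keytab`), and the following step edits `/etc/sssd/sssd.conf`, which exists only on the client. Retitle it "On the SSSD client" and note that `kadmin` is run from the client against the KDC. Further points in this hunk: (1) the Directory Server paragraph says to name the keytab `ds.keytab`, but the example sets `KRB5_KTNAME=/etc/dirsrv/krb5.keytab`; make the two agree. (2) A keytab holds the service's long-term key; alongside the `ldap:ldap` ownership, state that it must not be readable by other users. (3) The sssd.conf `<screen>` mixes annotations into the config, e.g. `ldap_krb5_keytab = /etc/krb5.keytab (default)`; a reader who pastes it gets invalid values, so drop the three defaulted lines or move "(default)" into the prose, and say that the fragment lists only the GSSAPI additions, since `id_provider`, `auth_provider` and `ldap_uri` are absent. (4) Confirm the realm separator in `ldap_sasl_authid` is `@` in the committed source; it shows here as `host/client.example.com at EXAMPLE.COM`. (5) Typos: "Authentiction" in the GSSAPI paragraph; the `<important>` sentence ending in `<command>man krb5.conf</command>` lacks a period; "authentication provides" should be "providers" and "set up proxy to serve" should be "set up a proxy to serve". (6) "The following sections cover various combinations" promises sections that are entirely inside an XML comment, so the rendered page ends on a dangling sentence; either uncomment them (after fixing `cache_credentials = 2907true` and the prose sitting outside any `<para>`) or drop the sentence until they are ready.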
@@ -1704,5 +1797,4 @@ auth_provider = proxy
 proxy_auth_target = nis_pam_proxy
 </programlisting>
   </section>
-</section>
-<!-- </section> -->
\ No newline at end of file
+</section>
\ No newline at end of file
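Review bot: the nesting fix is right (the duplicate `</section>` and the commented-out one both go), but the file still ends without a trailing newline, so the next patch will carry the same `\ No newline at end of file` marker; add one. While here, the unchanged `<programlisting>` two lines up uses `proxy_auth_target = nis_pam_proxy`, whereas everywhere else in this chapter, including the option description in the 851 hunk, the option is `proxy_pam_target`; the listing should use the documented name.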

