Benutzer:Philip/Kerberos and LDAP

From Metalab Wiki, the open center for meta-disciplinary magicians and technically creative enthusiasts.
Revision as of 9 June 2007, 12:09 by Philip (talk | contribs) (Page created: This is a small write-up to get openldap running with sasl/gssapi and kerberos5. Thanks to sxw@freenode, who just knew what to do (in opposite to the various crappy how...)

This is a small write-up on getting OpenLDAP running with SASL/GSSAPI and Kerberos 5. Thanks to sxw@freenode, who just knew what to do (as opposed to the various crappy howtos out there).

It is based on:

  • Ubuntu Feisty
  • Openldap
  • MIT Kerberos (but I guess Heimdal will work just as well)

I use <> brackets to indicate that you need to fill something in. Please note that <BLAH> stands for SOMETHING IN UPPERCASE and <blah> for something in lowercase.

  • fqdn = fully qualified domain name
  • realm = Kerberos realm
  • user = existing Kerberos/LDAP user

  • Check prerequisites for the openldap server:
    • DNS MUST be ok:
      • host <ipaddress that you want to use to connect to ldap> must return a hostname (DNS PTR record)
      • host <hostname returned previously> must return the same ip address (DNS A record)
      • that is, host <ip> and host <hostname> must map back to each other (forward and reverse lookups must agree)
    • OpenLDAP server must give read access to the root DSE on anonymous binds
    • have libsasl2-modules-gssapi-mit installed
    • have libsasl2-dev installed
  • Check prerequisites for the openldap client:
    • you should be able to ldapsearch on the server
    • OpenLDAP must be working (and should already have useraccounts to test with)
    • Kerberos must be working (= get tickets for users)
    • have libsasl2-dev installed


  • Create a ldap service keytab on your kdc:
 kadmin.local -q "ank -randkey ldap/<fqdn>@<REALM>"
 kadmin.local -q "ktadd -k ldap-host.keytab -e \"des3-hmac-sha1:normal\" ldap/<fqdn>@<REALM>"
  • Copy ldap-host.keytab to the openldap server to /etc/ldap
  chown openldap.openldap /etc/ldap/ldap-host.keytab
  • Now, check whether you can get SASL working with the example server/client programs:
    • do on client/server:
  gcc -o sample-client /usr/share/doc/libsasl2-dev/examples/sample-client.c -I. -I /usr/include/sasl -lsasl2
  gcc -o sample-server /usr/share/doc/libsasl2-dev/examples/sample-server.c -I. -I /usr/include/sasl -lsasl2
    • in one terminal (as root, on the server):
export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
./sample-server -s ldap
    • in another terminal (on the client):
kinit <user>
./sample-client -s ldap -n <fqdn> -u <user>
    • cross-paste the S: and C: lines between the two terminals (server output into the client, client output into the server)
    • do yourself a favour and do not continue unless you made the negotiation work (it makes sure that everything you need regarding SASL/Kerberos is set up correctly).
  • edit /etc/default/slapd and add the line
export KRB5_KTNAME=/etc/ldap/ldap-host.keytab
  • edit /etc/slapd.conf and add the lines
sasl-realm              <REALM>
sasl-host               <fqdn>
    • restart slapd
  • try ldapwhoami -Y GSSAPI
    • you should get a message indicating success with:
"dn:uid=<user>,cn=<realm>,cn=gssapi,cn=auth"
  • now, depending on your ldap setup, add something along the lines of
saslRegexp    uid=(.*),cn=(.*),cn=gssapi,cn=auth ldap:///ou=Users,o=organisation,c=org?sub?uid=$1
    • this makes slapd map the <user> part of <user>@<REALM> to a posixAccount uid found below ou=Users,o=organisation,c=org
    • you could use $2 (the realm) as well to map each realm to its own subtree.
    • restart slapd
  • get a ticket and look what you have here:
kinit <user>
ldapwhoami -Y GSSAPI should tell you your correct dn.
  • if you want to always use GSSAPI, put the line
mech_list: GSSAPI
    • in the file /usr/lib/sasl2/slapd.conf - no, that's NOT a typo.
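To see what the saslRegexp step above actually does before restarting slapd, here is an added example (not part of the write-up) that simulates how slapd turns the GSSAPI identity into the cn=auth DN and then applies the regexp with $1/$2 substitution. The principal philip@EXAMPLE.COM and the per-realm subtree layout used for the $2 variant are constructed assumptions.

```python
"""Simulate slapd's saslRegexp mapping of a GSSAPI identity (added example)."""
import re
from typing import Optional

# Pattern and replacement exactly as in the slapd.conf line of the write-up.
SASL_REGEXP = r"uid=(.*),cn=(.*),cn=gssapi,cn=auth"
REPLACEMENT_USER_ONLY = "ldap:///ou=Users,o=organisation,c=org?sub?uid=$1"
# Variant that also uses $2 (the realm); the ou=<realm> subtree is an assumed layout.
REPLACEMENT_WITH_REALM = "ldap:///ou=Users,ou=$2,o=organisation,c=org?sub?uid=$1"


def sasl_authz_dn(principal: str) -> str:
    """DN slapd derives from user@REALM before any regexp mapping.

    The write-up shows the realm in lower case in the ldapwhoami output,
    so it is lower-cased here as well.
    """
    user, realm = principal.split("@", 1)
    return f"uid={user},cn={realm.lower()},cn=gssapi,cn=auth"


def whoami_matches(ldapwhoami_output: str, principal: str) -> bool:
    """Check the unmapped 'ldapwhoami -Y GSSAPI' output against the expected DN."""
    return ldapwhoami_output.strip() == "dn:" + sasl_authz_dn(principal)


def apply_sasl_regexp(authz_dn: str, pattern: str = SASL_REGEXP,
                      replacement: str = REPLACEMENT_USER_ONLY) -> Optional[str]:
    """Apply the saslRegexp: substitute $1, $2, ... with the captured groups.

    Returns None when the DN does not match (slapd then keeps the cn=auth DN).
    """
    match = re.fullmatch(pattern, authz_dn)
    if match is None:
        return None
    result = replacement
    for index, group in enumerate(match.groups(), start=1):
        result = result.replace(f"${index}", group)
    return result


if __name__ == "__main__":
    dn = sasl_authz_dn("philip@EXAMPLE.COM")            # constructed principal
    print(dn)                                           # what ldapwhoami shows before mapping
    print(apply_sasl_regexp(dn))                        # search URL slapd uses to find the entry
    print(apply_sasl_regexp(dn, replacement=REPLACEMENT_WITH_REALM))
```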