Hi all,
I tested GSSAPI auth with a samba-4.1.2 Active Directory server.
There are a few files to edit:
1) create a ./etc/gsseg_jaas.conf with the following:
/**
* Login Configuration for JAAS.
*
*/
org.lsc.jndi.JndiServices {
com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
2) soft-link your krb5.conf to ./etc/krb5.ini (ln -s /etc/krb5.conf
./etc/krb5.ini)
3) edit ./bin/lsc:
insert the line:
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
before the line in which lsc is launched, for instance:
[...]
JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"
build_classpath
build_parameters
"${JAVA_COMMAND}" $JAVA_OPTS -cp "$CLASSPATH" org.lsc.Launcher $PARAMETERS
[...]
4) modify lsc.xml <ldapConnection>:
<ldapConnection>
<name>adsamba4-conn</name>
<url>ldaps://pdc.example.org:636/dc=ad,dc=example,dc=org</url>
<username>[email protected]</username>
<password>not_really</password>
<authentication>GSSAPI</authentication>
<referral>IGNORE</referral>
<derefAliases>NEVER</derefAliases>
<version>VERSION_3</version>
<pageSize>1000</pageSize>
<factory>com.sun.jndi.ldap.LdapCtxFactory</factory>
<tlsActivated>false</tlsActivated>
</ldapConnection>
Please note the username is in Kerberos style; it is not a DN. Please
remember to type the realm in UPPERCASE.
5) either run kinit [email protected] or load the principal from a keytab
6) run command as usual.
Strangely, lsc works with GSSAPI/LDAPS, while ldapsearch does not. If I run
ldapsearch -Y GSSAPI -H ldaps://pdc.example.org:636 -b dc=ad,dc=example,dc=org 'cn=jsmith'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Server is unwilling to perform (53)
additional info: SASL:[GSSAPI]: Sign or Seal are not allowed if TLS is
used
But I don't face this issue with lsc. Good.
ciao,
Francesco
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org
lsc-users mailing list
[email protected]
http://lists.lsc-project.org/listinfo/lsc-users
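The following is an added example, not code from Francesco's post or from the LSC project. It is a POSIX shell helper that applies steps 1 to 4 of the post to an LSC install directory and refuses to proceed when the `<username>` value is not a Kerberos principal with an uppercase realm (the two mistakes the post warns about). It assumes the layout the post shows (`$LSC_HOME/etc`, `$LSC_HOME/bin/lsc` containing a `build_classpath` line); the principal `jsmith@AD.EXAMPLE.ORG` and the paths are placeholders I chose, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the LSC project): applies the
# gsseg_jaas.conf / krb5.ini / bin/lsc edits to an LSC install dir and checks
# the Kerberos principal used for <username>. Assumes the layout from the post:
# $LSC_HOME/etc and $LSC_HOME/bin/lsc with a "build_classpath" line.
# usage: setup_gssapi /opt/lsc jsmith@AD.EXAMPLE.ORG [/etc/krb5.conf]
set -eu

# The exact line the post says to insert before build_classpath.
OPT_LINE='JAVA_OPTS="$JAVA_OPTS -Djavax.security.auth.useSubjectCredsOnly=false"'

# <username> must be user@REALM (not a DN) and the realm must be uppercase.
# Returns 0 when the principal is acceptable, 1 otherwise.
check_principal() {
    p=$1
    case $p in
        *=*|*,*) return 1 ;;        # cn=..., uid=...: a DN, not a principal
        *@?*) ;;                    # has a non-empty realm part
        *) return 1 ;;              # bare user name or trailing '@'
    esac
    realm=${p##*@}
    upper=$(printf '%s' "$realm" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" = "$upper" ]; then return 0; else return 1; fi
}

# Step 1: the JAAS login configuration for org.lsc.jndi.JndiServices.
write_jaas_conf() {
    mkdir -p "$1/etc"
    cat > "$1/etc/gsseg_jaas.conf" <<'EOF'
/**
 * Login Configuration for JAAS.
 */
org.lsc.jndi.JndiServices {
  com.sun.security.auth.module.Krb5LoginModule required client=TRUE;
};
EOF
}

# Step 2: point etc/krb5.ini at krb5.conf (path overridable via $2).
link_krb5() {
    mkdir -p "$1/etc"
    ln -sf "${2:-/etc/krb5.conf}" "$1/etc/krb5.ini"
}

# Step 3: insert the JAVA_OPTS line right before build_classpath in bin/lsc.
# Idempotent: a second run does not add a duplicate line.
patch_launcher() {
    f=$1/bin/lsc
    if grep -qF 'useSubjectCredsOnly=false' "$f"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v opt="$OPT_LINE" '/^build_classpath/ && !done { print opt; done=1 } { print }' "$f" > "$tmp"
    cat "$tmp" > "$f"     # keeps the launcher's permissions
    rm -f "$tmp"
}

# Number of times the option line is present in bin/lsc (1 after a correct patch).
count_opt() {
    grep -cF 'useSubjectCredsOnly=false' "$1/bin/lsc" || true
}

# Run steps 1-3, but only after validating the principal for step 4.
setup_gssapi() {
    home=$1
    principal=$2
    if ! check_principal "$principal"; then
        echo "bad principal '$principal': use user@REALM with the realm in uppercase" >&2
        return 1
    fi
    write_jaas_conf "$home"
    link_krb5 "$home" "${3:-/etc/krb5.conf}"
    patch_launcher "$home"
}
```

On the ldapsearch failure at the end of the post: Samba rejects the GSSAPI integrity/confidentiality layer (sign/seal) on top of an existing TLS session. OpenLDAP's ldapsearch negotiates that layer by default, which is why the bind fails; passing `-O maxssf=0` tells it not to. JNDI, which lsc uses, defaults `javax.security.sasl.qop` to `auth` (no layer), which is why the same bind succeeds from lsc.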