Hello all,

I'm trying to set up openldap to authenticate using my kerberos
service, but I'm not having success so far. I've already set up MIT
Kerberos V and I can successfully get tickets from it:

r...@filesystem:~# kinit diego.lima
Password for diego.l...@users:
r...@filesystem:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: diego.l...@users

Valid starting     Expires            Service principal
06/23/10 09:44:49  06/23/10 19:44:49  krbtgt/us...@users
        renew until 06/24/10 09:44:46


I've also set up SASL to use the kerberos5 auth mechanism and it seems to work:

r...@filesystem:~# testsaslauthd -u diego.l...@users -p 123456
0: OK "Success."

The saslauthd output looks like this:

saslauthd[28383] :rel_accept_lock : released accept lock
saslauthd[28385] :get_accept_lock : acquired accept lock
saslauthd[28383] :do_auth         : auth success:
[user=diego.l...@users] [service=imap] [realm=] [mech=kerberos5]
saslauthd[28383] :do_request      : response: OK

I've set up my user account on LDAP like this:

dn: krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br
krbPrincipalName: diego.l...@users
krbPrincipalKey:: (big key)
krbLastPwdChange: 20100622215607Z
objectClass: krbPrincipal
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
objectClass: posixAccount
structuralObjectClass: krbPrincipal
entryUUID: b4d16a7a-1294-102f-8f9b-2759be64cd18
creatorsName: cn=admin,dc=domain,dc=com,dc=br
createTimestamp: 20100622215607Z
uid: diego.lima
uidNumber: 10001
gidNumber: 10001
cn: diego.lima
homeDirectory: /home/diego.lima
loginShell: /bin/bash
userPassword:: e1NBU0x9ZGllZ28ubGltYUBVU0VSUw==
krbLastSuccessfulAuth: 20100623124649Z
krbLoginFailedCount: 0
krbExtraData:: (data)
krbExtraData:: (data)
entryCSN: 20100623124649.354631Z#000000#000#000000
modifiersName: cn=admin,dc=domain,dc=com,dc=br
modifyTimestamp: 20100623124649Z


The userPassword value translates to {sasl}diego.l...@users

When I try to do an authenticated search on LDAP I see the following:

# ldapsearch -D krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br -b dc=domain,dc=com,dc=br '(objectClass=*)' -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)


And on the slapd output:

daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
daemon: epoll: listen=8 active_threads=0 tvp=zero
>>> slap_listener(ldap:///)
daemon: listen=7, new connection on 18
daemon: added 18r (active) listener=(nil)
conn=35 fd=18 ACCEPT from IP=127.0.1.1:51089 (IP=0.0.0.0:389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=8
  0000:  30 53 02 01 01 60 4e 02                            0S...`N.
ldap_read: want=77, got=77
  0000:  01 03 04 41 6b 72 62 50  72 69 6e 63 69 70 61 6c   ...AkrbPrincipal
  0010:  4e 61 6d 65 3d 64 69 65  67 6f 2e 6c 69 6d 61 40   Name=diego.lima@
  0020:  55 53 45 52 53 2c 63 6e  3d 55 53 45 52 53 2c 64   USERS,cn=USERS,d
  0030:  63 3d 34 6c 69 6e 75 78  2c 64 63 3d 63 6f 6d 2c   c=domain,dc=com,
  0040:  64 63 3d 62 72 80 06 31  32 33 34 35 36            dc=br..123456
ber_get_next: tag 0x30 len 83 contents:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d0 end=0x1cc7423 len=83
  0000:  02 01 01 60 4e 02 01 03  04 41 6b 72 62 50 72 69   ...`N....AkrbPri
  0010:  6e 63 69 70 61 6c 4e 61  6d 65 3d 64 69 65 67 6f   ncipalName=diego
  0020:  2e 6c 69 6d 61 40 55 53  45 52 53 2c 63 6e 3d 55   .l...@users,cn=U
  0030:  53 45 52 53 2c 64 63 3d  34 6c 69 6e 75 78 2c 64   SERS,dc=domain,d
  0040:  63 3d 63 6f 6d 2c 64 63  3d 62 72 80 06 31 32 33   c=com,dc=br..123
  0050:  34 35 36                                           456
op tag 0x60, time 1277298275
ber_get_next
ldap_read: want=8 error=Resource temporarily unavailable
conn=35 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc73d3 end=0x1cc7423 len=80
  0000:  60 4e 02 01 03 04 41 6b  72 62 50 72 69 6e 63 69   `N....AkrbPrinci
  0010:  70 61 6c 4e 61 6d 65 3d  64 69 65 67 6f 2e 6c 69   palName=diego.li
  0020:  6d 61 40 55 53 45 52 53  2c 63 6e 3d 55 53 45 52   m...@users,cn=USER
  0030:  53 2c 64 63 3d 34 6c 69  6e 75 78 2c 64 63 3d 63   S,dc=domain,dc=c
  0040:  6f 6d 2c 64 63 3d 62 72  80 06 31 32 33 34 35 36   om,dc=br..123456
ber_scanf fmt (m}) ber:
ber_dump: buf=0x1cc73d0 ptr=0x1cc741b end=0x1cc7423 len=8
  0000:  00 06 31 32 33 34 35 36                            ..123456
>>> dnPrettyNormal: 
>>> <krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br>
=> 
ldap_bv2dn(krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br,0)
<= 
ldap_bv2dn(krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= 
ldap_dn2bv(krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br)=0
=> ldap_dn2bv(272)
<= 
ldap_dn2bv(krbprincipalname=diego.l...@users,cn=users,dc=domain,dc=com,dc=br)=0
<<< dnPrettyNormal:
<krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br>,
<krbprincipalname=diego.l...@users,cn=users,dc=domain,dc=com,dc=br>
conn=35 op=0 BIND
dn="krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br"
method=128
do_bind: version=3
dn="krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br"
method=128
==> hdb_bind: dn:
krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br
bdb_dn2entry("krbprincipalname=diego.l...@users,cn=users,dc=domain,dc=com,dc=br")
=> access_allowed: auth access to
"krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br"
"userPassword" requested
=> acl_get: [1] attr userPassword
=> slap_access_allowed: result not in cache (userPassword)
=> acl_mask: access to entry
"krbprincipalname=diego.l...@users,cn=USERS,dc=domain,dc=com,dc=br",
attr "userPassword" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: cn=admin,dc=domain,dc=com,dc=br
<= check a_dn_pat: anonymous
<= acl_mask: [2] applying auth(=xd) (stop)
<= acl_mask: [2] mask: auth(=xd)
=> slap_access_allowed: auth access granted by auth(=xd)
=> access_allowed: auth access granted by auth(=xd)
SASL Canonicalize [conn=35]: authcid="diego.l...@users"
SASL Canonicalize [conn=35]: authcid="diego.l...@users"
send_ldap_result: conn=35 op=0 p=3
send_ldap_result: err=49 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 18
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 01 61 07 0a  01 31 04 00 04 00         0....a...1....
conn=35 op=0 RESULT tag=97 err=49 text=
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
daemon: activity on 1 descriptor
daemon: activity on: 18r
daemon: read active on 18
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=35
connection_read(18): checking for input on id=35
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 18 failed errno=0 (Success)
connection_read(18): input error=-2 id=35, closing.
connection_closing: readying conn=35 sd=18 for close
connection_close: conn=35 sd=18
daemon: removing 18
conn=35 fd=18 closed (connection lost)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=zero
daemon: epoll: listen=8 active_threads=0 tvp=zero


I see nothing on the saslauthd output when I try to log in. Did I miss
anything? Please note that I'm trying to use the same kerberos
principal as my user, and this is intended. I did try adding another
user (account and posixAccount objectClasses) with a separate kerberos
principal and that did not work either.


Lastly, here is my slapd.conf:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/kerberos.schema

pidfile         /var/run/slapd/slapd.pid

argsfile        /var/run/slapd/slapd.args

loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_hdb

sizelimit 500

tool-threads 1

backend         hdb

database        hdb
suffix          "dc=domain,dc=com,dc=br"
rootdn          "cn=admin,dc=domain,dc=com,dc=br"
directory       "/var/lib/ldap"

dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500

index           objectClass eq

lastmod         on
checkpoint      512 30

access to attrs=userPassword,shadowLastChange,krbPrincipalKey,krbLastPwdChange
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by dn="cn=admin,dc=domain,dc=com,dc=br" write
        by * read


Thanks for the help!

-- 
Diego Lima
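The chain the post relies on, shown as an added example (not the poster's code and not OpenLDAP's or Cyrus SASL's implementation): a `{SASL}` userPassword makes slapd hand the bind password to the Cyrus SASL library instead of comparing it itself, and the library reaches saslauthd only if slapd's own SASL configuration selects saslauthd as its password checker, at which point the request crosses the mux socket in the same length-prefixed form testsaslauthd sends. The block decodes the entry's userPassword value from the post and speaks that socket protocol directly; the service name slapd presents (`ldap`, not testsaslauthd's default `imap`), the empty realm, and the placeholder password are assumptions, and the saslauthd reply is constructed.

```python
import base64
import socket
import struct

USERPASSWORD_B64 = "e1NBU0x9ZGllZ28ubGltYUBVU0VSUw=="  # the entry's value from the post

def sasl_identity_from_userpassword(userpassword_b64):
    """Return the identity a {SASL} userPassword delegates to, or None for other schemes."""
    value = base64.b64decode(userpassword_b64).decode("utf-8")
    if not value.upper().startswith("{SASL}"):
        return None
    return value[len("{SASL}"):]

def encode_saslauthd_request(user, password, service, realm=""):
    """saslauthd mux request: user, password, service, realm, each with a 16-bit big-endian length."""
    out = b""
    for field in (user, password, service, realm):
        data = field.encode("utf-8")
        out += struct.pack("!H", len(data)) + data
    return out

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("saslauthd closed the socket early")
        buf += chunk
    return buf

def check_saslauthd(sock, user, password, service="ldap", realm=""):
    """One request on a connected mux socket; the reply is a 16-bit length then 'OK ...' or 'NO ...'."""
    sock.sendall(encode_saslauthd_request(user, password, service, realm))
    (n,) = struct.unpack("!H", _recv_exact(sock, 2))
    msg = _recv_exact(sock, n).decode("utf-8", "replace")
    return msg.startswith("OK"), msg

def bind_via_passthrough(sock, userpassword_b64, password, service="ldap"):
    """A {SASL} pass-through bind: identity from userPassword, password checked by saslauthd."""
    ident = sasl_identity_from_userpassword(userpassword_b64)
    if ident is None:
        return False, "userPassword is not a {SASL} value"
    return check_saslauthd(sock, ident, password, service)

def demo():  # faked saslauthd on a socketpair (constructed reply, no daemon needed)
    client, server = socket.socketpair()
    body = b'OK "Success."'
    server.sendall(struct.pack("!H", len(body)) + body)
    return bind_via_passthrough(client, USERPASSWORD_B64, "placeholder-password")
```

Against a live daemon, connect an AF_UNIX stream socket to saslauthd's mux path before calling check_saslauthd; the request saslauthd logs should then show service=ldap rather than the service=imap seen in the testsaslauthd run.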
