Hi again,

It seems that now the ldap-bindmethod is being correctly retrieved by the pdns service. I had to add to the /etc/openldap/ldap.conf the following parameter:

SASL_MECH GSSAPI

Once added, the service, although it does not start yet, logs the following:

Creating backend connection for TCP
[LdapBackend] LDAP Servers = ldaps://server.example.com
Conn=1543 fd=38 ACCEPT from IP=10.1.1.15:33668 (IP=10.1.1.15:636)
Conn=1543 fd=38 TLS established tls_ssf=256 ssf=256
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_0))
[LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
[LDAP GSSAPI] No TGT found, trying to acquire a new one
[LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol

If you have some ideas about this issue, a little bit of light would be really appreciated. I've checked everything and none of the addresses or hostnames points to an IPv6 address.

Thank you so much for all the help provided.
Regards.

-----Original Message-----
From: Dario García Díaz-Miguel
Sent: Friday, 19 February 2021 8:10
To: pdns-users@mailman.powerdns.com
CC: skmf_support <skmf_supp...@gmv.com>
Subject: RE: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

Hi Mark,

Thank you so much for your reply, really, really appreciated.

I changed the property to ldap-bindmethod. Now there's no fatal error anymore and the service starts correctly, but it seems that it is not correctly being used.

ldap-bindmethod=gssapi
ldap-krb5-keytab=/etc/pdns.keytab

[...]
TLS established tls_ssf=256 ssf=256
[...]
[LdapBackend] Ldap connection to server failed: Failed to bind to LDAP server: Unknown Authentication method.
Caught an exception instantiating a backend: Unable to connect to ldap server.
TCP Server is unable to launch backends - will try again when questions come in: Unable to connect to ldap server
[...]

GSSAPI is working correctly on my server:

# kinit -k -t /etc/pdns.keytab pdns/server.example.com
# ldapwhoami -Y GSSAPI -H ldaps://server.example.com
SASL/GSSAPI authentication started
SASL username: pdns/server.example.com
SASL SSF: 56
SASL data security layer installed.
dn: uid=pdns/server.example.com,dc=example,dc=com

I've tried to read the code to find out whether gssapi is not the correct value to use, but I could not find the code file with this excerpt. If you prefer, you can tell me where you found it and I will look for it myself.

All help with this would be much appreciated, since GSSAPI is required for us.

Thank you so much.
Kind Regards.

Dario García Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
www.gmv.com

> -----Original Message-----
> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of Mark Nejedlo via Pdns-users
> Sent: Thursday, February 19, 2021 01:02 AM
> To: pdns-users at mailman.powerdns.com
> Subject: [Pdns-users] Fatal Error: Trying to set unknown parameter 'ldap-authmethod'
>
> If I'm reading the source correctly (questionable), it looks like it should be "ldap-bindmethod".
> Mark

-----Original Message-----
From: Dario García Díaz-Miguel
Sent: Thursday, 18 February 2021 15:18
To: pdns-users@mailman.powerdns.com
CC: skmf_support <skmf_supp...@gmv.com>
Subject: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

Hi,

I've deployed pdns today for the first time and I found an issue I don't know how to solve, so I'm writing here to ask for some help.

When I configure the ldap backend as shown below:

launch=ldap
ldap-host=ldaps://example.example.com
ldap-binddn=cn=Administrator,dc=gcc1,dc=kmf,dc=com
ldap-secret=secret
ldap-basedn=ou=Hosts,dc=example,dc=com
ldap-method=strict

It works flawlessly. But if I try to use gssapi according to the pdns documentation...

launch=ldap
ldap-host=ldaps://example.example.com
ldap-authmethod=gssapi
ldap-krb5-keytab=/etc/pdns.keytab
ldap-basedn=ou=Hosts,dc=example,dc=com
ldap-method=strict

I get the following error trying to start the service:

Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

According to the official documentation:

"""ldap-authmethod (default: "simple") : How to authenticate to the LDAP server. Actually only two methods are supported: "simple", which uses the classical DN / password, or "gssapi", which requires a Kerberos keytab."""

The keytab exists and has permissions for the pdns user. The principal exists and is the only key stored in that keytab.

I've deployed the latest SUSE 15 official repository version:
- pdns-4.3.1-bp152.2.5.1.x86_64.rpm
- pdns-backend-ldap-4.3.1-bp152.2.5.1.x86_64.rpm
- pdns-common-4.0-bp152.3.16.noarch.rpm

It seems that this property does not exist for this pdns version, but I think that gssapi support was added in version 4.1, which is earlier than this.

Some help would be really appreciated.
Thank you so much.
Kind Regards.

_______________________________________________
Pdns-users mailing list
Pdns-users@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/pdns-users
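A small configuration linter for the two traps this thread ran into (the documented ldap-authmethod spelling that pdns 4.3.1 rejects in favour of ldap-bindmethod, and the SASL_MECH GSSAPI line that had to be added to the client ldap.conf), added here as an example; it is not PowerDNS code, and the list of known keys, the sample configs and the hostnames are constructed from the messages above.

```python
"""Lint a PowerDNS ldap-backend config for the pitfalls this thread hit: the
parameter must be spelled ldap-bindmethod (pdns 4.3.1 rejects ldap-authmethod),
a gssapi bind needs a keytab, and the client ldap.conf needs SASL_MECH GSSAPI."""
KNOWN_LDAP_KEYS = {"ldap-host", "ldap-binddn", "ldap-secret", "ldap-basedn",
                   "ldap-method", "ldap-bindmethod", "ldap-krb5-keytab"}
RENAMED = {"ldap-authmethod": "ldap-bindmethod"}  # documented name -> accepted name


def parse_conf(text):
    """Parse pdns.conf 'key=value' lines; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def lint_ldap_backend(pdns_conf, ldap_conf=""):
    """Return a list of findings; an empty list means no known pitfall was hit."""
    conf, findings = parse_conf(pdns_conf), []
    if conf.get("launch") != "ldap":
        findings.append("launch=ldap is missing, the ldap backend will not load")
    for key in conf:
        if key in RENAMED:
            findings.append(f"{key} is rejected by pdns; use {RENAMED[key]}")
        elif key.startswith("ldap-") and key not in KNOWN_LDAP_KEYS:
            findings.append(f"{key} is not a parameter this linter knows")
    method = conf.get("ldap-bindmethod", "simple")
    if method == "gssapi":
        if "ldap-krb5-keytab" not in conf:
            findings.append("ldap-bindmethod=gssapi needs ldap-krb5-keytab")
        # The thread's bind method only took effect once ldap.conf had this line.
        if not any(l.split()[:2] == ["SASL_MECH", "GSSAPI"]
                   for l in ldap_conf.splitlines()):
            findings.append("SASL_MECH GSSAPI is missing from the client ldap.conf")
    elif method == "simple":
        findings += [f"simple bind needs {k}" for k in ("ldap-binddn", "ldap-secret")
                     if k not in conf]
    else:
        findings.append(f"unsupported ldap-bindmethod '{method}'")
    return findings


# Constructed samples modelled on the thread's configs (hostnames are placeholders).
BROKEN_CONF = ("launch=ldap\nldap-host=ldaps://example.example.com\n"
               "ldap-authmethod=gssapi\nldap-krb5-keytab=/etc/pdns.keytab\n"
               "ldap-basedn=ou=Hosts,dc=example,dc=com\nldap-method=strict\n")
FIXED_CONF = BROKEN_CONF.replace("ldap-authmethod", "ldap-bindmethod")
LDAP_CONF = "# OpenLDAP client defaults\nSASL_MECH GSSAPI\n"
```

Running `lint_ldap_backend(BROKEN_CONF, LDAP_CONF)` reports the rejected parameter, while the corrected config paired with an ldap.conf carrying SASL_MECH GSSAPI yields no findings.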