Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap
On 1.4.2014 21:51, Brendan Kearney wrote:
>> No, it is not.
>> http://port389.org/wiki/History
> ok then. still, i am trying to learn the individual pieces and get them working together.

Okay then. I'm attaching SASL mapping configuration we use in FreeIPA. You can read all the gory details on
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SASL.html

Please let us know what configuration works for you with OpenLDAP so we can add this information to bind-dyndb-ldap docs or wiki.

Have a nice day!

-- 
Petr^2 Spacek

version: 1
dn: cn=mapping,cn=sasl,cn=config
objectClass: nsContainer
objectClass: top
cn: mapping

dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: nsSaslMapping
objectClass: top
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=ipa,dc=example
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapPriority: 10

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: nsSaslMapping
objectClass: top
cn: Name Only
nsSaslMapBaseDNTemplate: dc=ipa,dc=example
nsSaslMapFilterTemplate: (krbPrincipalName=&@IPA.EXAMPLE)
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapPriority: 10

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
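To make concrete how an LDAP server turns the principal bind-dyndb-ldap presents into a DN, here is an added Python emulation (not part of this thread, nor code from 389 DS or OpenLDAP) of the two nsSaslMapping rules in the attached LDIF and of the olcAuthzRegexp rule Brendan quotes further down the thread. The sample principals, the assumption that OpenLDAP's synthetic DN carries the realm spelled exactly as in the rule (`cn=bpk2.com`), and the POSIX search semantics for the regexes are assumptions of the example.

```python
import re
# Constructed sample principals; bind-dyndb-ldap presents DNS/$(hostname)@REALM.
DS_PRINCIPAL = "DNS/ns1.ipa.example@IPA.EXAMPLE"
OL_PRINCIPAL = "DNS/test.bpk2.com@bpk2.com"

# The two nsSaslMapping entries from the attached LDIF, as plain dicts.
DS_MAPPINGS = [
    {"cn": "Full Principal", "regex": r"\(.*\)@\(.*\)", "priority": 10,
     "base": "dc=ipa,dc=example", "filter": r"(krbPrincipalName=\1@\2)"},
    {"cn": "Name Only", "regex": r"^[^:@]+$", "priority": 10,
     "base": "dc=ipa,dc=example", "filter": "(krbPrincipalName=&@IPA.EXAMPLE)"},
]

def _expand(template, hit):
    # 389 DS template syntax: \N is capture group N, & is the whole match.
    return re.sub(r"\\(\d)|&",
                  lambda g: hit.group(int(g.group(1))) if g.group(1) else hit.group(0),
                  template)

def ds_sasl_map(identity, mappings=DS_MAPPINGS):
    """Emulate 389 DS SASL mapping: rules are tried in nsSaslMapPriority order
    and the first regex that matches yields (rule name, base DN, filter)."""
    for m in sorted(mappings, key=lambda r: r["priority"]):
        # Rules are POSIX basic regexes with \( \) groups; regexec matches
        # anywhere in the string unless the rule is anchored, like "Name Only".
        pattern = m["regex"].replace(r"\(", "(").replace(r"\)", ")")
        hit = re.search(pattern, identity)
        if hit:
            return m["cn"], _expand(m["base"], hit), _expand(m["filter"], hit)
    return None  # no rule matched: 389 DS then refuses the SASL bind

# The olcAuthzRegexp quoted later in the thread; the leading {0} is only the
# ordered-value index, not part of the rule.
OL_RULE = (r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
           r"uid=$1,ou=Users,dc=bpk2,dc=com")

def openldap_authz_rewrite(principal, rule=OL_RULE):
    """Emulate OpenLDAP: GSSAPI yields uid=<name>,cn=<realm>,cn=gssapi,cn=auth
    and authz-regexp rewrites it into a real DN ($N is capture group N)."""
    name, realm = principal.rsplit("@", 1)
    sasl_dn = f"uid={name},cn={realm},cn=gssapi,cn=auth"
    pattern, replacement = rule
    hit = re.search(pattern, sasl_dn)
    if not hit:
        return sasl_dn  # unmapped: ACLs only ever see this synthetic DN
    return re.sub(r"\$(\d)", lambda g: hit.group(int(g.group(1))), replacement)

if __name__ == "__main__":
    print(ds_sasl_map(DS_PRINCIPAL))
    print(ds_sasl_map("DNS/ns1.ipa.example"))  # realm stripped: "Name Only" rule
    print(openldap_authz_rewrite(OL_PRINCIPAL))
```

The "Name Only" rule exists because SASL may hand the server the principal without its realm; the two regexes are mutually exclusive, so the equal priorities never collide.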
Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap
> No, it is not.
> http://port389.org/wiki/History

ok then. still, i am trying to learn the individual pieces and get them working together.
Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap
On 04/01/2014 01:34 PM, Brendan Kearney wrote:
>> Hello!
>> Before I dive into details, please read about the following bug:
>> https://fedorahosted.org/bind-dyndb-ldap/ticket/134
>>
>> I just found it, fixed it and I'm attaching patch for you so you don't need to
>> wait for a new release :-)
> thanks, but i am not sure how to apply patches.
>
>> Your LDAP server will get the whole principal and it is up to the server how
>> it will map it to some existing entity.
> what do you do on the IPA side? did you follow some best practice? i am trying not to reinvent the wheel.
>
>> BTW documentation about named.conf syntax is in README:
>> https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README as well as in the package.
> i did consult the doc.
>
>> Let us know if you encounter any problem.
> certainly will.
>
>> BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management
>> tools and nice user interface and solves Microsoft AD integration.
>>
>> Maybe it could save you some headaches ...
> not a big fan of 389, as it is a fork of openldap,

No, it is not.
http://port389.org/wiki/History

> though RH has done some nifty things with it (dogtag, IPA, etc). i am a bit of a purist, that's all. also, this is a learning exercise for me. i am trying to understand the inner workings of each of the pieces and see how they interoperate with each other.
Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap
> Hello!
> Before I dive into details, please read about the following bug:
> https://fedorahosted.org/bind-dyndb-ldap/ticket/134
>
> I just found it, fixed it and I'm attaching patch for you so you don't need to
> wait for a new release :-)

thanks, but i am not sure how to apply patches.

> Your LDAP server will get the whole principal and it is up to the server how
> it will map it to some existing entity.

what do you do on the IPA side? did you follow some best practice? i am trying not to reinvent the wheel.

> BTW documentation about named.conf syntax is in README:
> https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README as well as in the package.

i did consult the doc.

> Let us know if you encounter any problem.

certainly will.

> BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management
> tools and nice user interface and solves Microsoft AD integration.
>
> Maybe it could save you some headaches ...

not a big fan of 389, as it is a fork of openldap, though RH has done some nifty things with it (dogtag, IPA, etc). i am a bit of a purist, that's all. also, this is a learning exercise for me. i am trying to understand the inner workings of each of the pieces and see how they interoperate with each other.
Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap
Hello!

On 1.4.2014 16:17, Brendan Kearney wrote:
>> What plugin version you use?
> bind-dyndb-ldap-4.1-1.fc20.x86_64

Before I dive into details, please read about the following bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/134

I just found it, fixed it and I'm attaching patch for you so you don't need to
wait for a new release :-)

>> Do you use bind-dyndb-ldap as part of FreeIPA installation?
> no, using openldap-servers-2.4.39-2.fc20.x86_64
>
>> Please provide dynamic-db section from configuration file /etc/named.conf
> dynamic-db "bpk2.com" {
>         library "ldap.so";
>         arg "uri ldap://127.0.0.1/";
>         arg "base cn=dns,dc=bpk2,dc=com";
>         arg "auth_method simple";
>         arg "bind_dn cn=Manager,dc=bpk2,dc=com";
>         arg "password ***REMOVED***";
>         arg "sync_ptr yes";
>         arg "dyn_update yes";
>         arg "connections 2";
>         arg "verbose_checks yes";
> };
>
> i want to use bind-dyndb-ldap with keytabs against my directory. i have created the principal DNS/test.bpk2@bpk2.com, and have created the keytab file. what i want to know is: what ldap object should i create to match up against the kerberos principal? i have to grant access to the ldap tree, so what ID will be presented to ldap when using the keytab?

This is up to your LDAP server implementation. Bind-dyndb-ldap just calls SASL and Kerberos libraries. The plugin itself is not aware of any principal<->DN mapping.

> am i able to use the sasl_username without the sasl_password to establish that?

sasl_username defaults to "DNS/$(hostname)" so usually it is not necessary to specify it explicitly. (It should match your Kerberos principal.)

> being that i want to use a keytab, the username would be in there, correct? when i list the keys in the keytab, there is a PRIMARY, an INSTANCE and a REALM (DNS/test.bpk2@bpk2.com). is the PRIMARY (DNS) or the INSTANCE (test.bpk2.com) what has to be linked in ldap to the kerberos identity?

Your LDAP server will get the whole principal and it is up to the server how it will map it to some existing entity.

> do i need a specific olcAuthzRegexp to massage the kerberos ID into a proper ldap DN, like i am doing already for my ID? example:
>
> {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com

I have no idea, I have never configured this in OpenLDAP. Please let us know what configuration worked for you so we have the information in mailing list archives. Thanks!

> i am running n-way multi master ldap. does the uri directive support more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?

Unfortunately no, it is not supported. The usual recommendation is to configure one DNS server on one LDAP server for redundancy.

> can the SRV records be used to point the uri directive at the ldap servers by querying for them? ha, that's a-chicken-and-the-egg topic, but an interesting one...

That is an interesting idea but SRV lookups are not supported.

> i am assuming my named.conf will change to include:

BTW documentation about named.conf syntax is in README:
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README

> arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
^ This is not supported. Please pick just one LDAP server.

> arg "auth_method sasl";
^ This is correct.

> arg "sasl_mech GSSAPI";
^ This is default.

> arg "krb5_keytab FILE:/etc/named.keytab";
^ This is default.

> is there anything else obvious that i am missing?

It should be enough if you configure your LDAP server accordingly. Let us know if you encounter any problem.

BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management tools and nice user interface and solves Microsoft AD integration.

Maybe it could save you some headaches ...

-- 
Petr^2 Spacek

From 644d8e4d66107bd081dd0023f5b44d1c176861be Mon Sep 17 00:00:00 2001
From: Petr Spacek
Date: Tue, 1 Apr 2014 18:38:35 +0200
Subject: [PATCH] Fix record parsing to prevent child zone corruption.

Child zone hosted on the same server as parent zone was corrupted by bug in
update_record(). Child zone's apex was modified by update_records() instead
of delegation records in the parent zone.

https://fedorahosted.org/bind-dyndb-ldap/ticket/134

Signed-off-by: Petr Spacek
---
 NEWS              | 6 ++
 src/ldap_helper.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index d997df58dca5b77d84c0fafa2757cf49e15f7d65..e787e7f2d73e3e99d3d5c0d03b9ea92dff75b510 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+4.2
+
+[1] Record parsing was fixed to prevent child-zone data corruption in cases
+where parent zone example.com was hosted on the same server as child zone
+sub.example.com. (This bug was introduced in version 4.0.)
+
 4.1
 
 [1] Fix few minor bugs in error handling found by static code analyzers.
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 05951fccbc655aef20177ea4a905159
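Review bot: the NEWS hunk tells operators that child-zone data could be corrupted but not which data, while the commit message is specific (the child zone's apex was modified where the parent's delegation records should have been); carry that into the changelog entry, for example "the apex of a child zone hosted alongside its parent could be modified in place of the parent's delegation records; check child-zone apex records after running 4.0 or 4.1", so readers know what to verify after upgrading. The commit message also names the function as both update_record() and update_records(); use one name. The src/ldap_helper.c hunk that carries the one-line fix is cut off after its index line in this copy of the patch, so the code change itself cannot be reviewed here and the patch should be reposted whole.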