Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap

2014-04-02 Thread Petr Spacek

On 1.4.2014 21:51, Brendan Kearney wrote:

No, it is not.
http://port389.org/wiki/History


ok then.  still, i am trying to learn the individual pieces and get them
working together.


Okay then. I'm attaching SASL mapping configuration we use in FreeIPA.

You can read all the gory details on
https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/SASL.html

Please let us know what configuration works for you with OpenLDAP so we can 
add this information to bind-dyndb-ldap docs or wiki.


Have a nice day!

--
Petr^2 Spacek
version: 1

dn: cn=mapping,cn=sasl,cn=config
objectClass: nsContainer
objectClass: top
cn: mapping

dn: cn=Full Principal,cn=mapping,cn=sasl,cn=config
objectClass: nsSaslMapping
objectClass: top
cn: Full Principal
nsSaslMapBaseDNTemplate: dc=ipa,dc=example
nsSaslMapFilterTemplate: (krbPrincipalName=\1@\2)
nsSaslMapRegexString: \(.*\)@\(.*\)
nsSaslMapPriority: 10

dn: cn=Name Only,cn=mapping,cn=sasl,cn=config
objectClass: nsSaslMapping
objectClass: top
cn: Name Only
nsSaslMapBaseDNTemplate: dc=ipa,dc=example
nsSaslMapFilterTemplate: (krbPrincipalName=@IPA.EXAMPLE)
nsSaslMapRegexString: ^[^:@]+$
nsSaslMapPriority: 10

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
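The two mapping mechanisms discussed in this thread (the 389-ds nsSaslMapping entries in the LDIF attached above, and the OpenLDAP olcAuthzRegexp rule quoted further down the page) can be dry-run offline before touching a directory. The following is an added example, not code from the thread or from bind-dyndb-ldap, 389-ds or OpenLDAP; it assumes 389-ds expands `&` to the whole match (the archived "Name Only" filter does not show that placeholder) and that slapd anchors authz-regexp patterns, and the principal values it feeds in are constructed.

```python
import re

# Added example: emulate how each LDAP server maps the SASL/GSSAPI identity that
# bind-dyndb-ldap presents (its Kerberos principal, DNS/host@REALM) to an entry.

# 389-ds / FreeIPA entries from the attached LDIF:
# (cn, nsSaslMapRegexString, nsSaslMapBaseDNTemplate, nsSaslMapFilterTemplate, priority)
# Assumption: the "Name Only" filter uses 389-ds's whole-match placeholder '&'.
SASL_MAPPINGS_389 = [
    ("Full Principal", r"\(.*\)@\(.*\)", "dc=ipa,dc=example", r"(krbPrincipalName=\1@\2)", 10),
    ("Name Only", r"^[^:@]+$", "dc=ipa,dc=example", "(krbPrincipalName=&@IPA.EXAMPLE)", 10),
]

# OpenLDAP olcAuthzRegexp rule quoted in the thread for ordinary user accounts.
AUTHZ_REGEXP_OPENLDAP = (r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
                         r"uid=$1,ou=Users,dc=bpk2,dc=com")


def bre_to_python(bre):
    """389-ds regexes use POSIX basic syntax, where groups are written \\( and \\)."""
    return bre.replace(r"\(", "(").replace(r"\)", ")")


def fill_template(template, match):
    """Expand '&' (whole match) and \\1..\\9 (groups) in a 389-ds template."""
    out = template.replace("&", match.group(0))
    for i, group in enumerate(match.groups(), start=1):
        out = out.replace("\\%d" % i, group)
    return out


def map_sasl_identity_389(sasl_id, mappings=SASL_MAPPINGS_389):
    """First matching mapping (ascending nsSaslMapPriority) as (base, filter), else None."""
    for _cn, bre, base, filt, _prio in sorted(mappings, key=lambda m: m[4]):
        m = re.search(bre_to_python(bre), sasl_id)
        if m:
            return base, fill_template(filt, m)
    return None


def openldap_authz_dn(principal, realm):
    """The SASL authorization DN slapd builds for a GSSAPI bind before rewriting."""
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (principal, realm)


def map_sasl_identity_openldap(authz_dn, rule=AUTHZ_REGEXP_OPENLDAP):
    """Apply an olcAuthzRegexp (pattern, replacement) pair; None when it does not match."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, authz_dn)  # assumption: slapd anchors the pattern
    if not m:
        return None
    out = replacement
    for i, group in enumerate(m.groups(), start=1):
        out = out.replace("$%d" % i, group)
    return out
```

Feeding the constructed service principal `DNS/test.bpk2.com` through the quoted user rule yields `uid=DNS/test.bpk2.com,ou=Users,dc=bpk2,dc=com`, which shows why a rule specific to the DNS service identity is needed rather than the one written for people.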

Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap

2014-04-01 Thread Petr Spacek

Hello!

On 1.4.2014 16:17, Brendan Kearney wrote:

What plugin version do you use? bind-dyndb-ldap-4.1-1.fc20.x86_64

Before I dive into details, please read about the following bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/134

I just found it, fixed it and I'm attaching patch for you so you don't need to 
wait for a new release :-)



Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using
openldap-servers-2.4.39-2.fc20.x86_64



Please provide dynamic-db section from configuration
file /etc/named.conf
dynamic-db "bpk2.com" {
    library "ldap.so";
    arg "uri ldap://127.0.0.1/";
    arg "base cn=dns,dc=bpk2,dc=com";
    arg "auth_method simple";
    arg "bind_dn cn=Manager,dc=bpk2,dc=com";
    arg "password ***REMOVED***";
    arg "sync_ptr yes";
    arg "dyn_update yes";
    arg "connections 2";
    arg "verbose_checks yes";
};



i want to use bind-dyndb-ldap with keytabs against my directory.  i have
created the principal DNS/test.bpk2@bpk2.com, and have created
the keytab file.  what i want to know is:

what ldap object should i create to match up against the kerberos
principal?
i have to grant access to the ldap tree, so what ID will be presented to
ldap when using the keytab?
This is up to your LDAP server implementation. Bind-dyndb-ldap just calls SASL 
and Kerberos libraries. The plugin itself is not aware of any principal-DN 
mapping.



am i able to use the sasl_username without the sasl_password to
establish that?
sasl_username defaults to DNS/$(hostname) so usually it is not necessary to 
specify it explicitly. (It should match your Kerberos principal.)



being that i want to use a keytab, the username would be in there,
correct?
when i list the keys in the keytab, there is a PRIMARY, an INSTANCE and
a REALM (DNS/test.bpk2@bpk2.com).  is the PRIMARY (DNS) or the
INSTANCE (test.bpk2.com) what has to be linked in ldap to the kerberos
identity?
Your LDAP server will get the whole principal and it is up to the server how 
it will map it to some existing entity.



do i need a specific olcAuthzRegexp to massage the kerberos ID into a
proper ldap DN, like i am doing already for my ID?  example:
{0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
I have no idea, I have never configured this in OpenLDAP. Please let us know 
what configuration worked for you so we have the information in mailing list 
archives. Thanks!



i am running n-way multi master ldap.  does the uri directive support
more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?
Unfortunately no, it is not supported. The usual recommendation is to 
configure one DNS server on one LDAP server for redundancy.



can the SRV records be used to point the uri directive at the ldap
servers by querying for them?  ha, that's a chicken-and-the-egg topic,
but an interesting one...

That is an interesting idea but SRV lookups are not supported.


i am assuming my named.conf will change to include:

BTW documentation about named.conf syntax is in README:
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README


 arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";

^ This is not supported. Please pick just one LDAP server.


 arg "auth_method sasl";

^ This is correct.


 arg "sasl_mech GSSAPI";

^ This is default.


 arg "krb5_keytab FILE:/etc/named.keytab";

^ This is default.


is there anything else obvious that i am missing?

It should be enough if you configure your LDAP server accordingly.

Let us know if you encounter any problem.

BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management 
tools and nice user interface and solves Microsoft AD integration.


Maybe it could save you some headaches ...

--
Petr^2 Spacek
From 644d8e4d66107bd081dd0023f5b44d1c176861be Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 1 Apr 2014 18:38:35 +0200
Subject: [PATCH] Fix record parsing to prevent child zone corruption.

Child zone hosted on the same server as parent zone was
corrupted by bug in update_record().
Child zone's apex was modified by update_records()
instead of delegation records in the parent zone.

https://fedorahosted.org/bind-dyndb-ldap/ticket/134

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 NEWS  | 6 ++
 src/ldap_helper.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index d997df58dca5b77d84c0fafa2757cf49e15f7d65..e787e7f2d73e3e99d3d5c0d03b9ea92dff75b510 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,9 @@
+4.2
+
+[1] Record parsing was fixed to prevent child-zone data corruption in cases
+where parent zone example.com was hosted on the same server as child zone
+sub.example.com. (This bug was introduced in version 4.0.)
+
 4.1
 
 [1] Fix few minor bugs in error handling found by static code analyzers.
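Review bot: the new 4.2 NEWS item does not cite the ticket, while the commit message does; since users reading release notes are the ones who need to recognise this corruption, add the reference to the item, e.g. "(This bug was introduced in version 4.0; see https://fedorahosted.org/bind-dyndb-ldap/ticket/134.)" The item is otherwise clear about the affected layout (parent example.com and child sub.example.com on one server) and the introducing version.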
diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 

Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap

2014-04-01 Thread Brendan Kearney
 Hello!
 Before I dive into details, please read about the following bug:
 https://fedorahosted.org/bind-dyndb-ldap/ticket/134
 
 I just found it, fixed it and I'm attaching patch for you so you don't need to 
 wait for a new release :-)
thanks, but i am not sure how to apply patches.


 Your LDAP server will get the whole principal and it is up to the server how 
 it will map it to some existing entity.
what do you do on the IPA side?  did you follow some best practice?  i
am trying not to reinvent the wheel.

 BTW documentation about named.conf syntax is in README:
 https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README
as well as in the package.  i did consult the doc.

 Let us know if you encounter any problem.
certainly will.

 BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management 
 tools and nice user interface and solves Microsoft AD integration.
 
 Maybe it could save you some headaches ...
not a big fan of 389, as it is a fork of openldap, though RH has done
some nifty things with it (dogtag, IPA, etc).  i am a bit of a purist,
that's all.  also, this is a learning exercise for me.  i am trying to
understand the inner workings of each of the pieces and see how they
interoperate with each other.



Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap

2014-04-01 Thread Rich Megginson

On 04/01/2014 01:34 PM, Brendan Kearney wrote:

Hello!
Before I dive into details, please read about the following bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/134

I just found it, fixed it and I'm attaching patch for you so you don't need to
wait for a new release :-)

thanks, but i am not sure how to apply patches.



Your LDAP server will get the whole principal and it is up to the server how
it will map it to some existing entity.

what do you do on the IPA side?  did you follow some best practice?  i
am trying not to reinvent the wheel.


BTW documentation about named.conf syntax is in README:
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README

as well as in the package.  i did consult the doc.


Let us know if you encounter any problem.

certainly will.


BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management
tools and nice user interface and solves Microsoft AD integration.

Maybe it could save you some headaches ...

not a big fan of 389, as it is a fork of openldap,


No, it is not.
http://port389.org/wiki/History


though RH has done
some nifty things with it (dogtag, IPA, etc).  i am a bit of a purist,
that's all.  also, this is a learning exercise for me.  i am trying to
understand the inner workings of each of the pieces and see how they
interoperate with each other.





Re: [Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap

2014-04-01 Thread Brendan Kearney
 No, it is not.
 http://port389.org/wiki/History

ok then.  still, i am trying to learn the individual pieces and get them
working together.
