How do I add GSSAPI support to my OpenLDAP?
Current setup
- MIT Kerberos V + OpenLDAP
- Kerberos bind to openldap
- Able to issue kerberos tickets to my users (with kinit exampluser)
- Able to ldapsearch -x uid=exampluser
OpenLDAP side

```
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
```
Client side

```
client% ldapsearch uid=exampleuser
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
```
Client ldap.conf

```
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=example,dc=com
URI ldap://ldap.example.com
SASL_MECH GSSAPI
```
Obviously the error is clear enough: my LDAP request cannot find a mechanism to authenticate with.
I have gone through many tutorials and explanations, but I still cannot find anywhere how to "add" that mechanism.
Thanks to What is SASL/GSSAPI? for all the awesome explanations.

Update for user473183469

I have generated a keytab for ldap, which I copied to /etc/ldap/ldap.keytab, and I edited /etc/default/slapd following https://help.ubuntu.com/community/SingleSignOn, which asks to uncomment and set the path export KRB5_KTNAME=/etc/ldap/ldap.keytab.
That ldap keytab was generated like this:
```
kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM
```
I also have a /etc/krb5.keytab that was created at the beginning of the installation.

```
kadmin.local: listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the ldap, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM
```
ktutil result

```
# ktutil
ktutil: read_kt /etc/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
   5    2 kadmin/kdc.example.com@EXAMPLE.COM
   6    2 kadmin/kdc.example.com@EXAMPLE.COM
   7    2 kadmin/kdc.example.com@EXAMPLE.COM
   8    2 kadmin/kdc.example.com@EXAMPLE.COM
```
You need to change slapd's SASL configuration, usually /etc/sasl2/slapd.conf, so that it includes gssapi.
For example:

```
mech_list: external gssapi plain
pwcheck_method: saslauthd
```

After that you need to restart slapd.
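As an added example (not from the question or the answer), the following shell functions check the three things this thread touches: whether slapd advertises GSSAPI in supportedSASLMechanisms, whether the Cyrus SASL config's mech_list enables it, and whether the keytab holds the ldap/ service principal. All sample data is constructed from the values quoted above; the `klist -k` listing layout and the live helper are assumptions.

```shell
#!/bin/sh
# Added example: configuration checks for slapd SASL/GSSAPI. Sample data below is
# constructed to mirror the question; nothing here is the original post's code.

# Sample 1: the server reply quoted in the question (GSSAPI missing).
SERVER_REPLY_BEFORE='dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5'

# Sample 2: /etc/sasl2/slapd.conf before and after the answer's fix.
SASL_CONF_BEFORE='mech_list: external plain
pwcheck_method: saslauthd'
SASL_CONF_AFTER='mech_list: external gssapi plain
pwcheck_method: saslauthd'

# Sample 3: a keytab listing in MIT "klist -k" layout (assumed, constructed).
KEYTAB_LIST='Keytab name: FILE:/etc/ldap/ldap.keytab
KVNO Principal
---- ----------------------------------------------------
   2 ldap/ldap.example.com@EXAMPLE.COM'

# Does a "ldapsearch -LLL" reply ($1) advertise mechanism $2? Prints yes/no.
server_offers_mech() {
  printf '%s\n' "$1" | awk -v m="$2" \
    '$1 == "supportedSASLMechanisms:" && $2 == m { found = 1 }
     END { print (found ? "yes" : "no") }'
}

# Does the Cyrus SASL config ($1) list mechanism $2 in mech_list? Case-insensitive,
# because Cyrus matches mechanism names without regard to case.
sasl_conf_enables_mech() {
  printf '%s\n' "$1" | awk -v m="$2" \
    'tolower($1) == "mech_list:" { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(m)) found = 1 }
     END { print (found ? "yes" : "no") }'
}

# Does the keytab listing ($1) contain principal $2 exactly? Prints yes/no.
keytab_has_principal() {
  printf '%s\n' "$1" | awk -v p="$2" \
    '$2 == p { found = 1 } END { print (found ? "yes" : "no") }'
}

# Live variant (assumed): ask the running slapd over the ldapi socket. -Z is left
# out because the question shows StartTLS is rejected there ("unsupported
# extended operation"); the socket itself needs no TLS.
live_server_offers_gssapi() {
  server_offers_mech "$(ldapsearch -x -H ldapi:/// -b '' -LLL -s base supportedSASLMechanisms 2>/dev/null)" GSSAPI
}
```

Run `live_server_offers_gssapi` on the server after restarting slapd; if it still prints `no` while `sasl_conf_enables_mech` says `yes`, check which sasl2 directory your slapd build actually reads and that the GSSAPI SASL plugin is installed.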