Meu domínio kerberos em MYEXAMPLE.ORG, mas os servidores estão localizados na zona dns dmz-int.example.org.
O servidor LDAP é b1.dmz-int.example.org; seu keytab inclui:
udo ktutil -k /etc/krb5.keytab list
/etc/krb5.keytab:
Vno Type Principal Aliases
7 arcfour-hmac-md5 [email protected]
7 aes128-cts-hmac-sha1-96 [email protected]
7 aes256-cts-hmac-sha1-96 [email protected]
7 arcfour-hmac-md5 host/[email protected]
7 aes128-cts-hmac-sha1-96 host/[email protected]
7 aes256-cts-hmac-sha1-96 host/[email protected]
7 arcfour-hmac-md5 ldap/[email protected]
7 aes128-cts-hmac-sha1-96 ldap/[email protected]
7 aes256-cts-hmac-sha1-96 ldap/[email protected]
7 arcfour-hmac-md5 ldap/[email protected]
7 aes128-cts-hmac-sha1-96 ldap/[email protected]
7 aes256-cts-hmac-sha1-96 ldap/[email protected]
7 arcfour-hmac-md5 ldap/[email protected]
7 aes128-cts-hmac-sha1-96 ldap/[email protected]
7 aes256-cts-hmac-sha1-96 ldap/[email protected]
ldap2.myexample.org é CNAME de b1.dmz-int.example.org
Agora posso me conectar com GSSAPI ao servidor LDAP:
$ kinit
$ ldapsearch -ZZ -h b1.dmz-int.example.org 'uid=test'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
[...]
$ ldapsearch -ZZ -h ldap2.myexample.org 'uid=test'
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 56
SASL data security layer installed.
[...]
$ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: [email protected]
Issued Expires Principal
Sep 6 09:03:35 2016 Sep 6 19:03:32 2016 krbtgt/[email protected]
Sep 6 09:03:39 2016 Sep 6 19:03:32 2016 ldap/[email protected]
Parece ótimo.
Agora vem o proxy.
Proxy Um registro é ldap.dmz-int.example.org e tem um CNAME como ldap.myexample.org .
O proxy é uma camada HAPROXY 4 para as portas 389 e 636. Sem SASL funciona bem.
$ ldapsearch -ZZ -h ldap.myexample.org 'uid=test'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/[email protected]) not found)
$ ldapsearch -h ldap.dmz-int.example.org 'uid=test'
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (Matching credential (ldap/[email protected]) not found)
E agora SASL não funciona. Preciso de um SPN extra no keytab do servidor? Preciso de algumas correções de dns? Por que a consulta de proxy procura o: ldap/[email protected] principal e não ldap/[email protected] ?
Como referência, segue o arquivo haproxy conf:
$ cat /etc/haproxy/haproxy.cfg
global
log /dev/log local0
# log /dev/log local1 notice
chroot /var/lib/haproxy
stats socket /run/haproxy/admin.sock mode 660 level admin
stats timeout 30s
user haproxy
group haproxy
daemon
# Default SSL material locations
ca-base /etc/ssl/certs
crt-base /etc/ssl/private
# Default ciphers to use on SSL-enabled listening sockets.
# For more information, see ciphers(1SSL). This list is from:
# https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
ssl-default-bind-options no-sslv3
# LDAP and LDAP/STARTTLS
frontend ldap_service_front
log global
mode tcp
bind *:389
description LDAP Service
option socket-stats
option tcpka
option tcplog
timeout client 10s
default_backend ldap_service_back
backend ldap_service_back
log global
server ldap-1 b1.myexample.org:389 check fall 1 rise 1 inter 2s
server ldap-2 b2.myexample.org:389 check fall 1 rise 1 inter 2s
mode tcp
balance leastconn
option tcpka
option ldap-check
timeout server 10s
timeout connect 1s