Openldap / Sasl / GSSAPI no Debian: entrada da tabela de chaves não encontrada

Question

Openldap / Sasl / GSSAPI no Debian: entrada da tabela de chaves não encontrada

#1 resposta do (2 votos)

3

O objetivo: fazer um servidor OpenLDAP autenticar usando o Kerberos V via GSSAPI

Configuração: várias máquinas virtuais em execução no Debian Squeeze recém-instalado / atualizado

Um servidor KDC principal

kdc.example.com

Um servidor LDAP executando o OpenLDAP

ldap.example.com

O problema:

tom@ldap:~$ ldapsearch -b 'dc=example,dc=com' 
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Key table entry not found)

Alguém pode sugerir adicionar essa entrada sangrenta de keytab, mas aqui está o problema real:

ktutil:  rkt /etc/ldap/ldap.keytab 
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2        ldap/[email protected]
   2    2        ldap/[email protected]
   3    2        ldap/[email protected]
   4    2        ldap/[email protected]

Assim, a entrada sugerida pelo manual do OpenLDAP está lá. A exclusão e a recriação do principal de serviço e do keytab no ldap.example.com não ajudaram, recebo o mesmo erro. E antes de eu tornar o arquivo keytab legível pelo openldap, recebo o erro "Permission denied" em vez daquele no assunto. O que implica que o arquivo keytab correto está sendo acessado, como definido em / etc / default / slapd.

Tenho minhas dúvidas sobre a seguinte parte da configuração do slapd:

root@ldap:~# cat /etc/ldap/slapd.d/cn\=config.ldif | grep -v "^#"
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: 256
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: d6737f5c-d321-1030-9dbe-27d2a7751e11
olcSaslHost: kdc.example.com
olcSaslRealm: EXAMPLE.COM
olcSaslSecProps: noplain,noactive,noanonymous,minssf=56
olcAuthzRegexp: {0}"uid=([^/]*),cn=EXAMPLE.COM,cn=GSSAPI,cn=auth" "uid=$1,ou=People,dc=example,dc=com"
olcAuthzRegexp: {1}"uid=host/([^/]*).example.com,cn=example.com,cn=gssapi,cn=auth" "cn=$1,ou=hosts,dc=example,dc=com"

Um HOWTO no link menciona vagamente:

Also, it is frequently necessary to map the Distinguished Name (DN) of an authorized Kerberos client to an existing entry in the DIT.

Eu não consigo entender onde na árvore isso deve ser definido, qual esquema deve ser usado, etc. Depois de horas de googling, é oficial: eu estou preso! Por favor, ajude.

Outras coisas marcadas: Kerberos como tal funciona bem (eu posso ssh sem usar uma senha para qualquer máquina nesta configuração). Isso significa que não deve haver problemas relacionados ao DNS.

ldapsearch -b 'dc=example,dc=com' -x

funciona bem.

SASL / GSSAPI foi testado usando

sasl-sample-server  -m GSSAPI -s ldap

e

sasl-sample-client -s ldap -n ldap.example.com -u tom

sem erros:

root@ldap:~# sasl-sample-server  -m GSSAPI -s ldap
Forcing use of mechanism GSSAPI
Sending list of 1 mechanism(s)
S: R1NTQVBJ
Waiting for client mechanism...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIPgot 'GSSAPI'
Sending response...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cR
Waiting for client reply...
C: got ''
Sending response...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=
Waiting for client reply...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=got '?'
Negotiation complete
Username: tom
Realm: (NULL)
SSF: 56
sending encrypted message 'srv message 1'
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazx
Waiting for encrypted message...
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpcztgot ''
recieved decoded message 'client message 1'




root@ldap:~# sasl-sample-client -s ldap -n ldap.example.com -u tom
service=ldap
Waiting for mechanism list from server...
S: R1NTQVBJrecieved 6 byte message
Choosing best mechanism from: GSSAPI
returning OK: tom
Using mechanism GSSAPI
Preparing initial.
Sending initial response...
C: R1NTQVBJAGCCAmUGCSqGSIb3EgECAgEAboICVDCCAlCgAwIBBaEDAgEOogcDBQAgAAAAo4IBamGCAWYwggFioAMCAQWhDRsLRVhBTVBMRS5DT02iIzAhoAMCAQOhGjAYGwRsZGFwGxBsZGFwLmV4YW1wbGUuY29to4IBJTCCASGgAwIBEqEDAgECooIBEwSCAQ8Re8XUnscB8dx6V/cXL+uzSF2/olZvcrVAJHZBZrfRKUFEQmU1Li46bUGK3GZwsn6qUVwmW6lyqVctOIYwGvBpz81Rw/5mj4V5iQudZbIRa+5Ew6W1oBB7ALi2cnPsbUroqzGmEh8/Vw8zSFk7W1gND4DLuWrPXD2xhLDUMMekBn5nXEPTnNAnV4w81Sj3ZlyLZz5OSitGVUEnQweV53z1spWsASHHWod/tSuxb19YeWmY5QHXPLG+lL5+w+Cykr0EhYVj8f8MDWFB8qoN1cr85xDfn18r8JldSw+i18nFKOo8usG+37hZTWynHYvBfMONtG9mLJv82KGPZMydWK7pzyTZDcnSsIjo2AftMZd5pIHMMIHJoAMCARKigcEEgb5aG1k4xgxmUXX7RKfvAbVBVJ12dWOgFFjMYceKjziXwrrOkv8ZwIvef9Yn2KsWznb5L55SXt2c/zlPa5mLKIktvw77hsK1h/GYc7p//BGOsmr47aCqVWsGuTqVT129uo5LNQDeSFwl2jXCkCZJZavOVrqYsM6flrPYE4n5lASTcPitX+/WNsf6WrvZoaexiv1JqyM/MWqS/vMBRMMc5xlurj6OARFvP9aFZoK/BLmfkSyAJj6MLbLVXZtkHiIP
Waiting for server reply...
S: YIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvkxggi9pW+yJ1ExbTwLDclqw/VQ98aPq8mt39hkO6PPfcO2cB+t6vJ01xRKBrT9D2qF2XK0SWD4PQNb5UFbH4RM/bKAxDuCfZ1MHKgIWTLu4bK7VGZTbYydcckU2d910jIdvkkHhaRqUEM4cqp/cRrecieved 156 byte message
C: 
Waiting for server reply...
S: BQQF/wAMAAAAAAAAMBOWqQcACAAlCodrXW66ZObsEd4=recieved 32 byte message
Sending response...
C: BQQE/wAMAAAAAAAAFUYbXQQACAB0b20VynB4uGH/iIzoRhw=
Negotiation complete
Username: tom
SSF: 56
Waiting for encoded message...
S: AAAASgUEB/8AAAAAAAAAADATlqrqrBW0NRfPMXMdMz+zqY32YakrHqFps3o/vO6yDeyPSaSqprrhI+t7owk7iOsbrZ/idJRxCBm8Wazxrecieved 78 byte message
recieved decoded message 'srv message 1'
sending encrypted message 'client message 1'
C: AAAATQUEBv8AAAAAAAAAABVGG17WC1+/kIV9xTMUdq6Y4qYmmTahHVCjidgGchTOOOrBLEwA9IqiTCdRFPVbK1EgJ34P/vxMQpV1v4WZpczt

openldap sasl debian-squeeze gssapi

por badbishop 17.01.2012 / 20:34

1 resposta

Tags openldap sasl debian-squeeze gssapi

Linux Interrompe Questão Heartbeat Pacemaker 3 failover de nó / ip

score 2 · Answer 1

A resposta foi dada por Dan White através da lista de correio do OpenLDAP.

Configuração

olcSaslHost: ldap.example.com

em vez de

olcSaslHost: kdc.example.com

resolve o problema.

Infelizmente, a descrição de slapd-config (5) do olcSaslHost é um pouco ambígua (pelo menos para meu gosto).

A página do tutorial do Ubuntu estava totalmente errada, dizendo:

"#The FQDN of the Kerberos KDC.
olcSaslHost: kerberos.example.com"

em link