How do I add GSSAPI support to my OpenLDAP?

Current setup

- MIT Kerberos V + OpenLDAP
- Kerberos bind to openldap
- Able to issue kerberos tickets to my users (with kinit exampluser)
- Able to ldapsearch -x uid=exampluser

OpenLDAP side

```
server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms
ldap_start_tls: Protocol error (2)
        additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
```

Client side

```
client% ldapsearch uid=exampleuser
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
        additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI
```

Client ldap.conf

```
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://ldap.example.com
SASL_MECH GSSAPI
```

Obviously the error is clear enough to explain that my ldap request isn't finding the mechanism for auth.

I have gone through many tutorials and explanations, but still can't find anywhere how to "add" that mechanism.

Thanks to What is SASL/GSSAPI? for all the awesome explanations.
Update for user473183469

I have generated a keytab for ldap, which I copied to /etc/ldap/ldap.keytab, and following https://help.ubuntu.com/community/SingleSignOn I edited /etc/default/slapd, which asks you to uncomment and give the path in export KRB5_KTNAME=/etc/ldap/ldap.keytab

That ldap keytab was generated like this

```
kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM
```

I also have a /etc/krb5.keytab that was created at the beginning of the installation

```
kadmin.local: listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the ldap, can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM
```

ktutil result

```
# ktutil
ktutil: read_kt /etc/ldap.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
ktutil: read_kt /etc/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 ldap/ldap.example.com@EXAMPLE.COM
   2    2 ldap/ldap.example.com@EXAMPLE.COM
   3    2 ldap/ldap.example.com@EXAMPLE.COM
   4    2 ldap/ldap.example.com@EXAMPLE.COM
   5    2 kadmin/kdc.example.com@EXAMPLE.COM
   6    2 kadmin/kdc.example.com@EXAMPLE.COM
   7    2 kadmin/kdc.example.com@EXAMPLE.COM
   8    2 kadmin/kdc.example.com@EXAMPLE.COM
```
You need to change slapd's sasl config, usually /etc/sasl2/slapd.conf, to include gssapi.

For example:

```
mech_list: external gssapi plain
pwcheck_method: saslauthd
```

After that you need to restart slapd.
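As an added example (not code from the question or the answer), a small POSIX shell checklist that verifies the fix above took effect: the mech_list of slapd's Cyrus SASL config (/etc/sasl2/slapd.conf) names gssapi, a saved copy of the rootDSE query from the question now advertises GSSAPI, and the keytab named in KRB5_KTNAME exists and is not world-readable. The sample files and their paths are constructed assumptions for demonstration.

```shell
#!/bin/sh
# Verification helpers for the GSSAPI-on-slapd fix. Sample inputs below are
# constructed to mirror the question; in practice point the functions at the
# real files (e.g. /etc/sasl2/slapd.conf and the output of
#   ldapsearch -x -H ldapi:/// -b "" -LLL -s base supportedSASLMechanisms).

# has_gssapi_in_mech_list CONF -> 0 if the mech_list line of CONF contains gssapi
has_gssapi_in_mech_list() {
    mechs=$(sed -n 's/^[[:space:]]*mech_list:[[:space:]]*//p' "$1")
    for m in $mechs; do
        # Cyrus SASL matches mechanism names case-insensitively
        [ "$(printf '%s' "$m" | tr 'A-Z' 'a-z')" = gssapi ] && return 0
    done
    return 1
}

# server_advertises MECH ROOTDSE_OUTPUT -> 0 if the saved ldapsearch output
# has a "supportedSASLMechanisms: MECH" line
server_advertises() {
    grep -q "^supportedSASLMechanisms: $1\$" "$2"
}

# keytab_ok KEYTAB -> 0 if it is a regular file and not world-readable
# (a world-readable keytab hands the ldap/ service key to every local user)
keytab_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -l "$1" | cut -c8)" != r ]
}

# report_status CONF ROOTDSE KEYTAB -> one line per check; returns 0 when all pass
report_status() {
    rc=0
    has_gssapi_in_mech_list "$1" && echo "mech_list: gssapi present" || { echo "mech_list: gssapi MISSING"; rc=1; }
    server_advertises GSSAPI "$2" && echo "rootDSE: GSSAPI advertised" || { echo "rootDSE: GSSAPI NOT advertised"; rc=1; }
    keytab_ok "$3" && echo "keytab: ok" || { echo "keytab: missing or world-readable"; rc=1; }
    return $rc
}

# Constructed samples: "before" mirrors the question, "after" mirrors the answer's fix.
SAMPLE_DIR=$(mktemp -d)
printf 'mech_list: plain login\npwcheck_method: saslauthd\n' >"$SAMPLE_DIR/slapd.conf.before"
printf 'mech_list: external gssapi plain\npwcheck_method: saslauthd\n' >"$SAMPLE_DIR/slapd.conf.after"
printf 'dn:\nsupportedSASLMechanisms: DIGEST-MD5\nsupportedSASLMechanisms: PLAIN\n' >"$SAMPLE_DIR/rootdse.before"
printf 'dn:\nsupportedSASLMechanisms: GSSAPI\nsupportedSASLMechanisms: PLAIN\n' >"$SAMPLE_DIR/rootdse.after"
: >"$SAMPLE_DIR/ldap.keytab" && chmod 640 "$SAMPLE_DIR/ldap.keytab"

report_status "$SAMPLE_DIR/slapd.conf.after" "$SAMPLE_DIR/rootdse.after" "$SAMPLE_DIR/ldap.keytab"
```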