I am leaving the detailed steps here in case they help someone.
Setting up OpenLDAP
I – Create the server
Documentation is often out of date, and you will find several ways to achieve the same result.
From what I have read, the modern way to create the server is to use /etc/openldap/slapd.ldif (which is loaded into the cn=config database) instead of /etc/openldap/slapd.conf. Below is an example configuration that uses Let's Encrypt certificates.
You can usually convert a slapd.conf directive for slapd.ldif by prefixing it with olc (for example, `access to ...` becomes `olcAccess: to ...`). Just make sure it ends up in the right dn block.
Make sure you create a directory /etc/openldap/slapd.d that is readable and writable by the ldap user, and that slapd is stopped. Use the slapadd command to load slapd.ldif into slapd.d. I run it with sudo -u ldap so that slapadd creates files owned by the ldap user. You can also run slapadd without sudo and then chown -R ldap:ldap /etc/openldap/slapd.d. What matters is that everything slapd needs under /etc/openldap is readable, and slapd.d writable, by the user slapd runs as.
```sh
$ sudo -u ldap slapadd -d -1 \
    -F /etc/openldap/slapd.d \
    -n 0 \
    -f /etc/openldap/slapd.ldif
```
(-n 0 selects the config database; -d -1 prints full debug output, which is useful the first time and can be dropped once the import works.)
OpenLDAP configuration:
```ldif
# /etc/openldap/slapd.ldif
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /run/openldap/slapd.args
olcPidFile: /run/openldap/slapd.pid
olcTLSCipherSuite: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
olcTLSCACertificateFile: /etc/letsencrypt/live/example/chain.pem
olcTLSCertificateFile: /etc/letsencrypt/live/example/cert.pem
olcTLSCertificateKeyFile: /etc/letsencrypt/live/example/privkey.pem
# server-side TLS only; clients are not asked for certificates
olcTLSVerifyClient: never

#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleload: back_mdb.so

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/nis.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif
include: file:///etc/openldap/schema/openldap.ldif
include: file:///etc/openldap/schema/kerberos.ldif
include: file:///etc/openldap/schema/openssh-lpk.ldif

# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
olcAccess: to dn.base="" by * read
olcAccess: to dn.base="cn=Subschema" by * read
olcAccess: to * by self write by users read by anonymous auth

#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
# hash generated with slappasswd; never store the rootpw in cleartext
olcRootPW: {SSHA}anEncryptedPassword
olcDbDirectory: /var/lib/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq
olcDbIndex: uid pres,eq
olcDbIndex: memberUid eq
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: uniqueMember eq
olcDbIndex: cn pres,sub,eq
olcDbIndex: mail pres,eq
olcDbIndex: sn pres,eq
olcDbIndex: givenname eq,subinitial
olcDbIndex: dc eq
olcDbIndex: krbPrincipalName eq,pres,sub
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey,givenName,sn,photo
  by self write
  by anonymous auth
  by dn.base="cn=Manager,dc=example,dc=com" write
  by * none
olcAccess: to *
  by self read
  by dn.base="cn=Manager,dc=example,dc=com" write
  by * read
```
Two things worth knowing about this configuration. The `by dn.base="cn=Manager,dc=example,dc=com" write` clauses are harmless but redundant: the rootdn bypasses access control entirely, so the ACLs only matter for everyone else (and every DN named in them must lie under olcSuffix, otherwise the clause can never match). The cipher list still admits 3DES (the DES-CBC3 suites) and static-RSA suites without forward secrecy (the entries with no ECDHE/DHE prefix); once you have confirmed that your clients negotiate ECDHE suites, drop them.
II – Set up the directory information tree (DIT)
Start the server: `systemctl start slapd`
This creates /var/lib/openldap-data/data.mdb (the directory may differ on your distribution). If you run into problems or want to reset OpenLDAP, stop the slapd service, run rm -rf /etc/openldap/slapd.d/* /var/lib/openldap-data/{data.mdb,lock.mdb} and go back to step I.
I changed my slapd.service to delete /var/lib/openldap-data/lock.mdb, because in my setup this file is not removed when slapd shuts down, which prevents it from starting again.
Contents of slapd.service:
```ini
# /etc/systemd/system/slapd.service
[Unit]
Description=OpenLDAP Server Daemon
After=network.target

[Service]
# "-d n" stops slapd from forking; -d1 also sends debug output to the journal,
# -d0 keeps the foreground behaviour without the noise
ExecStartPre = /bin/rm -f /var/lib/openldap-data/lock.mdb
ExecStart = /usr/lib64/openldap/slapd -u ldap -g ldap -h ${SLAPD_URLS} $SLAPD_OPTIONS -d1
ExecStopPost = /bin/rm -f /var/lib/openldap-data/lock.mdb
Restart = always
RestartSec = 180

[Install]
WantedBy=multi-user.target
```
```ini
# /etc/systemd/system/slapd.service.d/00gentoo.conf
[Service]
Environment="HOME=/var/lib/openldap"
# Use the slapd configuration directory:
Environment="SLAPD_OPTIONS=-F /etc/openldap/slapd.d"
# LDAPS on every interface, plaintext LDAP only on loopback, plus the local
# ldapi socket (an ldapi URL names a socket path, not an IP address, so
# ldapi:/// means the default socket)
Environment="SLAPD_URLS=ldaps:/// ldap://127.0.0.1:389/ ldapi:///"
Environment="KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"
```
Make sure the ldap user can read the certificates:
```sh
$ useradd -r letsencrypt
$ chown -R letsencrypt:letsencrypt /etc/letsencrypt
$ gpasswd -a ldap letsencrypt
$ chmod 750 /etc/letsencrypt/{live,archive}
```
This opens the directories, but the key file itself must also be group-readable: recent certbot versions create privkey.pem under archive/ with mode 0600, so check it and chmod 640 it if needed. Verify as the service user before starting slapd, with `sudo -u ldap cat /etc/letsencrypt/live/example/privkey.pem > /dev/null` (the group membership only applies to processes started after gpasswd).
Then add the base entries, one file at a time:
```sh
$ ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ${PATH_TO_FILES}
```
```ldif
# example.com.ldif
# Create example dn
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organization
o: Example Organization

# Create Manager role
dn: cn=Manager,dc=example,dc=com
cn: Manager
description: LDAP Administrator
objectClass: organizationalRole
objectClass: top
roleOccupant: dc=example,dc=com

# users.ldif
dn: ou=People,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
description: Users of Example

# groups.ldif
dn: ou=Group,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Group
description: Groups of Example
```
Every DN here has to sit under olcSuffix (dc=example,dc=com); an entry such as ou=People,dc=com would be rejected because dc=com is outside the suffix. The cn=Manager entry itself is optional: binding as the rootdn works with olcRootPW whether or not the entry exists.
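As an added example that is not part of the original post: a small Python linter for the two kinds of LDIF used above. It reads slapd.ldif-style config and data LDIF with a minimal parser (comments, blank-line entry separators, folded continuation lines) and flags the mistakes that break a setup like this one without an obvious error: entries or `by dn.base="..."` clauses whose DN is outside olcSuffix, a cleartext olcRootPW, and 3DES or static-RSA entries in olcTLSCipherSuite. The two LDIF strings at the bottom are constructed for the demonstration and deliberately contain a dc=com typo and a permissive cipher list; the messages and the checks are this example's own.

```python
"""Consistency checks for slapd.ldif config and data LDIF (added example)."""
import re

# DN-valued 'by' clauses in an olcAccess value
ACL_DN_RE = re.compile(r'dn\.(?:base|exact|subtree|children|one|regex)="([^"]+)"')


def parse_ldif(text):
    """Return [{'dn': str, 'attrs': [(name, value), ...]}, ...].

    Handles '#' comments, blank-line entry separators and the single
    leading-space continuation lines LDIF uses for folding.  Base64
    values ('attr:: ...') are not decoded; this is a linter, not an LDIF library.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]           # fold continuation line
        else:
            logical.append(raw)
    entries, current = [], None
    for line in logical:
        if line.startswith('#'):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(':')
        value = value.lstrip()
        if name.lower() == 'dn':
            current = {'dn': value, 'attrs': []}
        elif current is not None:
            current['attrs'].append((name, value))
    if current:
        entries.append(current)
    return entries


def norm_dn(dn):
    """Case- and whitespace-insensitive form of a DN for comparisons."""
    return ','.join(rdn.strip().lower() for rdn in dn.split(','))


def under_suffix(dn, suffix):
    """True if dn equals the suffix or lies below it."""
    d, s = norm_dn(dn), norm_dn(suffix)
    return d == s or d.endswith(',' + s)


def lint(config_ldif, data_ldif):
    """Return a list of human-readable findings; an empty list means clean."""
    findings, acl_dns = [], []
    suffix = rootpw = ciphers = None
    for entry in parse_ldif(config_ldif):
        for name, value in entry['attrs']:
            key = name.lower()
            if key == 'olcsuffix':
                suffix = value
            elif key == 'olcrootpw':
                rootpw = value
            elif key == 'olctlsciphersuite':
                ciphers = value
            elif key == 'olcaccess':
                acl_dns += ACL_DN_RE.findall(value)
    if suffix is None:
        return ['no olcSuffix in config: nothing to check entries against']
    # A DN in a 'by dn.base=...' clause outside the suffix never matches a
    # bound identity, so the grant is dead and the rule falls through.
    for dn in acl_dns:
        if not under_suffix(dn, suffix):
            findings.append(f'olcAccess grants to {dn}, which is outside suffix {suffix} (dead rule)')
    # ldapadd refuses entries outside the suffix ("No such object" /
    # "no global superior knowledge").
    for entry in parse_ldif(data_ldif):
        if not under_suffix(entry['dn'], suffix):
            findings.append(f'entry {entry["dn"]} is outside suffix {suffix}; ldapadd will reject it')
    if rootpw is not None and not rootpw.startswith('{'):
        findings.append('olcRootPW is cleartext; generate a hash with slappasswd')
    for suite in (ciphers or '').split(':'):
        if not suite or suite.startswith('!'):
            continue                          # '!DSS' is an exclusion, not a suite
        if 'DES-CBC3' in suite:
            findings.append(f'3DES suite {suite} is enabled')
        elif 'DHE' not in suite:              # no ECDHE/DHE prefix: RSA key transport
            findings.append(f'suite {suite} uses static RSA key exchange (no forward secrecy)')
    return findings


# Constructed sample input: one ACL and one entry carry the dc=com typo, and
# the cipher list still admits 3DES and a static-RSA suite.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: olcGlobal
cn: config
olcTLSCipherSuite: ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS

dn: olcDatabase=mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=Manager,dc=example,dc=com
olcRootPW: {SSHA}anEncryptedPassword
olcAccess: to attrs=userPassword by self write by anonymous auth
  by dn.base="cn=Manager,dc=com" write by * none
olcAccess: to * by self read by * read
"""

SAMPLE_DATA = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example Organization

dn: ou=People,dc=com
objectClass: organizationalUnit
ou: People
"""

if __name__ == '__main__':
    for finding in lint(SAMPLE_CONFIG, SAMPLE_DATA):
        print('-', finding)
```

Run it against your real files with `lint(open('/etc/openldap/slapd.ldif').read(), open('users.ldif').read())` before slapadd; a clean result means the DNs are at least placed where slapd will accept them, not that the ACLs are what you intended, so still test those with ldapwhoami and ldapsearch as different identities.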
III – Set up the LDAP client
Configure ldap.conf:
```
# /etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldaps://example.com
TLS_CACERT /etc/letsencrypt/live/example/chain.pem
# 'allow' accepts a server certificate that fails verification, which makes
# the TLS connection spoofable; once the chain above verifies, use the
# default 'demand'
TLS_REQCERT allow
TIMELIMIT 2
```
Setting up Kerberos
I – Configure the server
Server configuration (mit-krb5):
```ini
# /etc/krb5.conf
[logging]
    default = FILE:/var/log/krb5/libs.log
    kdc = FILE:/var/log/krb5/kdc.log
    admin_server = FILE:/var/log/krb5/kadmind.log

[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = example.com
        admin_server = example.com
        default_domain = example.com
        database_module = openldap_ldapconf
    }

[domain_realm]
    example.com = EXAMPLE.COM
    .example.com = EXAMPLE.COM

[dbdefaults]
    ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kdc_dn = "cn=Manager,dc=example,dc=com"
        ldap_kadmind_dn = "cn=Manager,dc=example,dc=com"
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ldap_servers = ldaps://example.com
        ldap_conns_per_server = 5
    }
```
ldap_kdc_dn and ldap_kadmind_dn are the OpenLDAP rootdn here, so the KDC and kadmind bypass every olcAccess rule. That is the simplest thing that works; MIT's kldap documentation instead uses two dedicated DNs (read-only for the KDC, read/write for kadmind) whose access is limited to the Kerberos container, which bounds the damage if service.keyfile leaks.
Then create the realm: `kdb5_util -r EXAMPLE.COM create -s`
II – Configure the OpenLDAP backend
Create the Kerberos subtree in OpenLDAP:
```sh
$ kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" create -subtrees dc=example,dc=com -r EXAMPLE.COM -s -H ldap://127.0.0.1
```
-subtrees tells the KDC where principal entries may live, and -s writes the master key stash file (the key_stash_file in kdc.conf) so the KDC can start without being asked for the master password.
Then store the password of the DN that the KDC and kadmind bind with (ldap_service_password_file in krb5.conf), so they can reach OpenLDAP without interaction:
```sh
$ kdb5_ldap_util -D "cn=Manager,dc=example,dc=com" stashsrvpw -f /etc/krb5kdc/service.keyfile cn=Manager,dc=example,dc=com
```
This file holds the LDAP bind password in a lightly encoded, not encrypted, form and must stay readable by root only. It is a different file from the Kerberos master key stash created with -s above, although both are commonly called stash files.
III – Create a principal
Start the MIT Kerberos v5 services (krb5):
```sh
$ systemctl start krb5-kdc krb5-kadmind
```
The systemd units were taken from the Arch Linux packages (Gentoo does not ship them):
krb5-kdc.service:
```ini
# /etc/systemd/system/krb5-kdc.service
[Unit]
Description=Kerberos 5 KDC

[Service]
ExecStart=/usr/sbin/krb5kdc -n
Restart=always

[Install]
WantedBy=multi-user.target
```
krb5-kadmind.service:
```ini
# /etc/systemd/system/krb5-kadmind.service
[Unit]
Description=Kerberos 5 administration server

[Service]
ExecStart=/usr/sbin/kadmind -nofork

[Install]
WantedBy=multi-user.target
```
Open the kadmin console with kadmin.local:
> create a principal: add_principal root/admin@EXAMPLE.COM
> also create a principal for the current user: add_principal root@EXAMPLE.COM
> quit: quit or q
Add the admin principal to kadm5.acl (it gets every kadmin privilege; any principal not listed gets none, which is the right default):
```
# /var/lib/krb5kdc/kadm5.acl
root/admin@EXAMPLE.COM *
```
IV – Configure the Key Distribution Center (KDC)
Configure kdc.conf:
```ini
# /var/lib/krb5kdc/kdc.conf
[kdcdefaults]
    # 750 is the legacy Kerberos port; 88 is all current clients need
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        # only meaningful for the local db2 backend; with kldap the
        # principals live in LDAP
        database_name = /var/lib/krb5kdc/principal
        acl_file = /var/lib/krb5kdc/kadm5.acl
        # master key stash written by 'kdb5_ldap_util ... create -s'
        key_stash_file = /var/lib/krb5kdc/.k5.EXAMPLE.COM
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
    }
```
Then restart the krb5 services: `systemctl restart krb5-kdc krb5-kadmind`
V – Set up saslauthd
saslauthd is the daemon that checks plaintext passwords on behalf of slapd. When a client does a simple bind against an entry whose userPassword starts with {SASL}, slapd does not compare the password itself: it hands the user name, realm and password to saslauthd over its Unix socket, and saslauthd verifies them with the mechanism it was started with (here Kerberos v5, by obtaining a ticket from the KDC). You need it if you want users to authenticate with the password of the authentication service rather than an LDAP password, for example:
userPassword: {SASL}user@EXAMPLE.COM
EXAMPLE.COM is your realm and user is your principal.
Configure SASL2 for slapd:
```
# /etc/sasl2/slapd.conf (Gentoo) or /usr/lib/sasl2/slapd.conf (Ubuntu)
pwcheck_method: saslauthd
```
Make sure saslauthd uses Kerberos v5:
```sh
# /etc/conf.d/saslauthd (Gentoo) or /etc/default/saslauthd (Ubuntu)
# -a names the mechanism used
# -m is the working directory, where the socket will be located
SASLAUTHD_OPTS="-a kerberos5 -m /run/saslauthd"
```
You can check the parameters in the man page or with saslauthd -h. Make sure this file sets the variable name your service unit actually reads; you can see which one with systemctl cat saslauthd. Note that a password check through Kerberos is only as trustworthy as the KDC it talks to; saslauthd(8) documents what your version does to verify the ticket it obtains (the -O option to the kerberos5 mechanism is the place to look), so check that before relying on it.
Make sure the user slapd runs as (ldap) can read and write the socket (/run/saslauthd/mux).
Start the service with
```sh
$ systemctl start saslauthd
```
and check that saslauthd works:
```sh
$ testsaslauthd -r YOURREALM -u someusernameyouwant -p somepassword
```
The password given to testsaslauthd ends up in your shell history and is visible in ps while it runs, so test with a throwaway principal.
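The hand-off just described, as an added example that is not part of the original post and not code from OpenLDAP or cyrus-sasl. It implements the framing used on saslauthd's mux socket (four 16-bit length-prefixed records: login, password, service, realm; one length-prefixed reply beginning with OK or NO), the {SASL}user@REALM split that slapd performs on the userPassword value, and a stand-in for the kerberos5 backend so the whole exchange runs offline over a socketpair. The service name "ldap" and the CONSTRUCTED_KDC credential table are assumptions of the example; the real backend asks the KDC for a ticket instead of consulting a table.

```python
"""slapd -> saslauthd password check for a {SASL} userPassword (added example)."""
import socket
import struct


def split_sasl_password(user_password):
    """'{SASL}root@EXAMPLE.COM' -> ('root', 'EXAMPLE.COM'); None if not a {SASL} value."""
    if not user_password.startswith('{SASL}'):
        return None
    user, sep, realm = user_password[len('{SASL}'):].partition('@')
    return (user, realm) if sep else (user, '')


def pack_record(data):
    """One mux record: 16-bit big-endian length, then the bytes."""
    if len(data) > 0xFFFF:
        raise ValueError('record too long for a 16-bit length')
    return struct.pack('>H', len(data)) + data


def encode_request(login, password, service, realm):
    """The four records a client writes to the mux socket, in this order."""
    return b''.join(pack_record(f.encode('utf-8')) for f in (login, password, service, realm))


def read_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('peer closed mid-record')
        buf += chunk
    return buf


def read_record(sock):
    (length,) = struct.unpack('>H', read_exact(sock, 2))
    return read_exact(sock, length)


def serve_one(sock, check):
    """Server side: read one request, answer it, return only what is safe to log."""
    login, password, service, realm = (read_record(sock).decode('utf-8') for _ in range(4))
    ok, message = check(login, password, service, realm)
    sock.sendall(pack_record((b'OK ' if ok else b'NO ') + message.encode('utf-8')))
    return login, service, realm          # never the password


# Constructed credential table standing in for the KDC (assumption of this example).
CONSTRUCTED_KDC = {('root', 'EXAMPLE.COM'): 'correct horse battery staple'}


def kerberos5_like_check(login, password, service, realm):
    """Stand-in for '-a kerberos5': succeed only if login@realm knows the password."""
    if not realm:
        return False, 'no realm given'
    if not password:
        # an empty simple bind is anonymous in LDAP; never let it verify as a user
        return False, 'empty password'
    if CONSTRUCTED_KDC.get((login, realm)) == password:
        return True, 'Success.'
    return False, 'authentication failed'


def check_password(user_password, password, service='ldap'):
    """Outcome of a simple bind with `password` against an entry whose
    userPassword is `user_password`: full round trip over a socketpair."""
    split = split_sasl_password(user_password)
    if split is None:
        raise ValueError('not a {SASL} userPassword; slapd would compare locally')
    login, realm = split
    client, server = socket.socketpair()
    try:
        client.sendall(encode_request(login, password, service, realm))
        serve_one(server, kerberos5_like_check)
        reply = read_record(client).decode('utf-8')
    finally:
        client.close()
        server.close()
    return reply.startswith('OK'), reply


if __name__ == '__main__':
    for pw in ('correct horse battery staple', 'wrong'):
        print(repr(pw), '->', check_password('{SASL}root@EXAMPLE.COM', pw))
```

Two points this makes concrete: the password crosses the mux socket in cleartext, which is why the socket must be reachable only by the user slapd runs as (the permission check in the step above), and the realm travels as a separate record, so a {SASL} value without @REALM leaves saslauthd to pick a default or fail rather than authenticating against the realm you meant.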
VI – Set up GSSAPI / SASL authentication
Open the kadmin console with kadmin.local and create the GSSAPI principals and keytab files:
First create the service principal for the directory server in the Kerberos database, then write a keytab containing that principal into the OpenLDAP configuration directory.
You can replace the instances of example.com, but ldap/ must be written literally: it is the service name GSSAPI clients look up for an LDAP server.
```
$ addprinc -randkey ldap/example.com@EXAMPLE.COM
$ ktadd -k /etc/openldap/ldap.keytab ldap/example.com@EXAMPLE.COM
```
Then create the host principal for the client and its keytab. Again you can replace example.com, but host/ must be written literally.
```
$ addprinc -randkey host/example.com@EXAMPLE.COM
$ ktadd -k /etc/krb5.keytab host/example.com@EXAMPLE.COM
```
and quit: quit
A keytab is the service's long-term key: anyone who can read ldap.keytab can impersonate the LDAP server to Kerberos clients, and anyone who can read /etc/krb5.keytab can impersonate the host, so both stay readable by their owning service only. Also note that every ktadd run generates a fresh key and a new key version number, so running it again invalidates any copy of the keytab made earlier.
Make sure ldap.keytab is readable only by the ldap user/group:
```sh
$ chown ldap:ldap /etc/openldap/ldap.keytab
$ chmod 640 /etc/openldap/ldap.keytab
```
Make sure you get a fresh Kerberos ticket:
```sh
$ kinit
```
Once that is done, you have a Kerberos server with an OpenLDAP backend.
Now you can tell OpenLDAP to use the Kerberos password when creating or modifying a user:
userPassword: {SASL}root@EXAMPLE.COM
For example, create a file.ldif with the following content and add it with ldapadd as shown earlier:
```ldif
dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SASL}root@EXAMPLE.COM
loginShell: /bin/zsh
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
```
An entry with uidNumber 0 makes the directory authoritative for root on every host that resolves users through it, so a compromised Manager password or KDC translates directly into root on those hosts; most deployments keep root local and give directory users non-zero uids.
You can also search with ldapsearch without arguments: it takes BASE from ldap.conf and, without -x, binds with SASL/GSSAPI using your ticket.
Troubleshooting
My initial problem is now solved:
Server ldap/example.com@EXAMPLE.COM not found in Kerberos database
When you run into problems, here are a few hints:
Check the logs
> slapd.service: use journalctl -xe (my service type is not forking, and the flag -d 9 prints the logs to the systemd journal. You can disable logging with -d 0 while keeping the -d flag, or declare Type=forking)
> krb5-kdc: look at /var/log/krb5/kdc.log, or whatever you set in /etc/krb5.conf
> krb5-kadmind: look at /var/log/krb5/kadmind.log, or whatever you set in /etc/krb5.conf
> saslauthd: you need to enable debugging with the flag -d. Run saslauthd in a shell with this flag, or add it to /etc/conf.d/saslauthd (Gentoo) or /etc/default/saslauthd (Ubuntu) and read the output with journalctl -xe.
Problem
Server ldap/example.com@EXAMPLE.COM not found in Kerberos database
When I ran ldapsearch or ldapwhoami, I got the following error:
```
ldap_sasl_interactive_bind_s: Local error (-2)
    additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server ldap/example.com@EXAMPLE.COM not found in Kerberos database)
```
Solution
Check that you followed steps V and VI of the Kerberos setup correctly. You need a keytab that OpenLDAP can read; you can put it where you like and name it as you like. Also make sure the environment variable KRB5_KTNAME is set (in the systemd unit or init system, or in the shell you run slapd from) and points to that keytab.
The host keytab should be placed at /etc/krb5.keytab. It may not matter for ldapsearch and the other ldap client tools (I have not checked whether they work without it), but it is required for daemons such as SSSD.
Problem
ldap_sasl_interactive_bind_s: Invalid credentials (49)
When I ran ldapsearch or ldapwhoami, I got the following error:
```
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
```
Solution
Try refreshing your Kerberos ticket: kinit
Credits
I hope these steps help some other beginners; credit goes to:
> https://wiki.archlinux.org/index.php/Kerberos
> https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html
and a few other guides (look up setting up Kerberos authentication on Fedora).
Workaround
I just had to create the server principal in Kerberos and create a keytab containing it.
```
$ addprinc -randkey ldap/example.com@EXAMPLE.COM
$ ktadd -k /etc/openldap/ldap.keytab ldap/example.com@EXAMPLE.COM
```
slapd did not know about that file, so I added the environment variable to my slapd.service:
```ini
# /etc/systemd/system/slapd.service.d/00gentoo.conf ([Service] section)
Environment="KRB5_KTNAME=FILE:/etc/openldap/ldap.keytab"
```
I also had to configure saslauthd and run it:
Configure the daemon:
```sh
# /etc/conf.d/saslauthd (Gentoo) or /etc/default/saslauthd (Ubuntu)
# -a names the mechanism used
# -m is the working directory, where the socket will be located
SASLAUTHD_OPTS="-a kerberos5 -m /run/saslauthd"
```
Configure the options:
```
# /etc/sasl2/slapd.conf (Gentoo) or /usr/lib/sasl2/slapd.conf (Ubuntu)
pwcheck_method: saslauthd
```
Start it: systemctl start saslauthd
Then I got this error:
```
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
    additional info: SASL(-13): authentication failure: GSSAPI Failure: gss_accept_sec_context
```
It was because my Kerberos ticket had expired.
I just ran kinit, and that fixed it.