在supportedSASLMechanisms中将GSSAPI添加到OpenLdap

发布时间：2020-12-15 18:33:22 所属栏目：安全来源：网络整理

导读：我正在寻找如何将GSSAPI支持添加到我的OpenLDAP中？当前设置 MIT Kerberos V + OpenLDAPKerberos bind to openldapAble to issue kerberos tickets to my users (with kinit exampluser)Able to ldapsearch -x uid=exampluser Openldap方面 server% ldapsea

我正在寻找如何将GSSAPI支持添加到我的OpenLDAP中？

当前设置

MIT Kerberos V + OpenLDAP
Kerberos bind to openldap
Able to issue kerberos tickets to my users (with kinit exampluser)
Able to ldapsearch -x uid=exampluser

Openldap方面

server% ldapsearch -x -H ldapi:/// -b "" -LLL -s base -Z supportedSASLMechanisms

    ldap_start_tls: Protocol error (2)
    additional info: unsupported extended operation
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

客户端

client% ldapsearch uid=exampleuser

SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
    additional info: SASL(-4): no mechanism available: Couldn't find mech GSSAPI

客户端ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE        dc=example,dc=com
URI         ldap://ldap.example.com
SASL_MECH   GSSAPI

显然,错误很明显足以解释我的ldap请求没有找到auth的机制.

我已经通过了许多教程,解释,但仍然无法找到任何地方如何“添加”该机制.

感谢What is SASL/GSSAPI?所有令人敬畏的解释.

已更新为用户473183469

我已经为ldap生成了一个keytab,我已经在/etc/ldap/ldap.keytab中复制了,并根据https://help.ubuntu.com/community/SingleSignOn编辑了/ etc / default / slapd,要求取消注释并给出导出KRB5_KTNAME的路径= /等/ LDAP / ldap.keytab

那个ldap keytab是这样生成的

kadmin: addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
kadmin: ktadd -k ~/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM

我还有一个在安装开始时创建的/etc/krb5.keytab

kadmin.local:  listprincs
admin@EXAMPLE.COM
K/M@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin/kdc.example.com@EXAMPLE.COM
user1@example.com (also in the ldap,can issue a ticket and everything)
user2@example.com (same for him)
ldap/ldap.example.com@EXAMPLE.COM

ktutil结果

# ktutil
ktutil:  read_kt /etc/ldap.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2            ldap/ldap.example.com@EXAMPLE.COM
   2    2            ldap/ldap.example.com@EXAMPLE.COM
   3    2            ldap/ldap.example.com@EXAMPLE.COM
   4    2            ldap/ldap.example.com@EXAMPLE.COM
ktutil:  read_kt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2            ldap/ldap.example.com@EXAMPLE.COM
   2    2            ldap/ldap.example.com@EXAMPLE.COM
   3    2            ldap/ldap.example.com@EXAMPLE.COM
   4    2            ldap/ldap.example.com@EXAMPLE.COM
   5    2           kadmin/kdc.example.com@EXAMPLE.COM
   6    2           kadmin/kdc.example.com@EXAMPLE.COM
   7    2           kadmin/kdc.example.com@EXAMPLE.COM
   8    2           kadmin/kdc.example.com@EXAMPLE.COM

您需要更改slapd的sasl配置,通常是/etc/sasl2/slapd.conf,以包含gssapi.

例如：

mech_list: external gssapi plain
pwcheck_method: saslauthd

之后你需要重启slapd.

（编辑：李大同）

【声明】本站内容均来自网络，其相关言论仅代表作者个人观点，不代表本站立场。若无意侵犯到您的权利，请及时与联系站长删除相关内容!