[Freeipa-users] using keytabs for auth to ldap

Brendan Kearney bpk678 at gmail.com
Tue Apr 1 14:17:57 UTC 2014


What distribution do you use? Fedora
Which distribution version do you use? Fedora 20, with latest updates
Which architecture do you use? x86_64 on a qemu VM

What plugin version do you use? bind-dyndb-ldap-4.1-1.fc20.x86_64
Do you use bind-dyndb-ldap as part of a FreeIPA installation? no, using
openldap-servers-2.4.39-2.fc20.x86_64
Which version of BIND do you use? bind-9.9.4-12.P2.fc20.x86_64

Please provide the dynamic-db section from the configuration
file /etc/named.conf
dynamic-db "bpk2.com" {
        library "ldap.so";
        arg "uri ldap://127.0.0.1/";
        arg "base cn=dns,dc=bpk2,dc=com";
        arg "auth_method simple";
        arg "bind_dn cn=Manager,dc=bpk2,dc=com";
        arg "password ***REMOVED***";
        arg "sync_ptr yes";
        arg "dyn_update yes";
        arg "connections 2";
        arg "verbose_checks yes";
};

Do you have some other text-based or DLZ zones configured? no
Do you have some global forwarders configured in the BIND configuration
file? no

Do you have some settings in global configuration object in LDAP?
dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject

i want to use bind-dyndb-ldap with keytabs against my directory.  i have
created the principal DNS/test.bpk2.com at BPK2.COM, and have created
the keytab file.  what i want to know is:

what ldap object should i create to match up against the kerberos
principal?
i have to grant access to the ldap tree, so what ID will be presented to
ldap when using the keytab?
am i able to use the sasl_username without the sasl_password to
establish that?
being that i want to use a keytab, the username would be in there,
correct?
when i list the keys in the keytab, there is a PRIMARY, an INSTANCE and
a REALM (DNS/test.bpk2.com at BPK2.COM).  is the PRIMARY (DNS) or the
INSTANCE (test.bpk2.com) what has to be linked in ldap to the kerberos
identity?
do i need a specific olcAuthzRegexp to massage the kerberos ID into a
proper ldap DN, like i am doing already for my ID?  example:
{0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
i am running n-way multi master ldap.  does the uri directive support
more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?
can the SRV records be used to point the uri directive at the ldap
servers by querying for them?  ha, that's a chicken-and-the-egg topic,
but an interesting one...

i am assuming my named.conf will change to include:

        arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
        arg "auth_method sasl";
        arg "sasl_mech GSSAPI";
        arg "krb5_keytab FILE:/etc/named.keytab";

is there anything else obvious that i am missing?

thank you,

brendan
