[Freeipa-users] using keytabs for auth to ldap
Brendan Kearney
bpk678 at gmail.com
Tue Apr 1 14:17:57 UTC 2014
What distribution you use? Fedora
Which distribution version you use? Fedora 20, with latest updates
Which architecture you use? x86_64 on a qemu VM
What plugin version you use? bind-dyndb-ldap-4.1-1.fc20.x86_64
Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using openldap-servers-2.4.39-2.fc20.x86_64
Which version of BIND you use? bind-9.9.4-12.P2.fc20.x86_64
Please provide dynamic-db section from configuration file /etc/named.conf
dynamic-db "bpk2.com" {
library "ldap.so";
arg "uri ldap://127.0.0.1/";
arg "base cn=dns,dc=bpk2,dc=com";
arg "auth_method simple";
arg "bind_dn cn=Manager,dc=bpk2,dc=com";
arg "password ***REMOVED***";
arg "sync_ptr yes";
arg "dyn_update yes";
arg "connections 2";
arg "verbose_checks yes";
};
Do you have some other text based or DLZ zones configured? no
Do you have some global forwarders configured in BIND configuration file? no
Do you have some settings in global configuration object in LDAP?
dn: cn=dns,dc=my-domain,dc=com
cn: dns
idnspersistentsearch: FALSE
idnszonerefresh: 30
objectclass: top
objectclass: nsContainer
objectclass: idnsConfigObject
I want to use bind-dyndb-ldap with keytabs against my directory. I have
created the principal DNS/test.bpk2.com@BPK2.COM, and have created
the keytab file. What I want to know is:
What LDAP object should I create to match up against the Kerberos
principal?
I have to grant access to the LDAP tree, so what ID will be presented to
LDAP when using the keytab?
Am I able to use the sasl_username without the sasl_password to
establish that?
Being that I want to use a keytab, the username would be in there,
correct?
When I list the keys in the keytab, there is a PRIMARY, an INSTANCE and
a REALM (DNS/test.bpk2.com@BPK2.COM). Is the PRIMARY (DNS) or the
INSTANCE (test.bpk2.com) what has to be linked in LDAP to the Kerberos
identity?
Do I need a specific olcAuthzRegexp to massage the Kerberos ID into a
proper LDAP DN, like I am doing already for my ID? Example:
{0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
I am running n-way multi-master LDAP. Does the uri directive support
more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?
Can the SRV records be used to point the uri directive at the LDAP
servers by querying for them? Ha, that's a chicken-and-egg topic,
but an interesting one...
I am assuming my named.conf will change to include:
arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
arg "auth_method sasl";
arg "sasl_mech GSSAPI";
arg "krb5_keytab FILE:/etc/named.keytab";
Is there anything else obvious that I am missing?
Thank you,
Brendan
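As an added illustration (not part of the post above), a small Python simulation of how slapd's olcAuthzRegexp rules, applied in order with first match winning, would rewrite the GSSAPI identity of the poster's user and of the DNS/test.bpk2.com service principal. It assumes the authentication request DN has the form uid=<primary>[/<instance>],cn=<realm>,cn=gssapi,cn=auth with the realm lowercased (as the poster's own pattern expects); the ou=Services subtree and the SERVICE_RULE are hypothetical.

```python
import re

REALM = "BPK2.COM"

# The poster's existing rule, as quoted in the message (pattern, replacement).
USER_RULE = (r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
             "uid=$1,ou=Users,dc=bpk2,dc=com")

# Hypothetical, more specific rule for primary/instance service principals,
# mapping them to a dedicated entry (ou=Services is an assumed subtree).
SERVICE_RULE = (r"uid=([^/,]*)/([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
                "cn=$1/$2,ou=Services,dc=bpk2,dc=com")


def sasl_authc_dn(principal, realm=REALM):
    """Authentication request DN slapd derives from a GSSAPI identity
    (assumed form; realm lowercased to match the poster's regexp)."""
    name, _, princ_realm = principal.partition("@")
    if princ_realm:
        realm = princ_realm          # foreign realm keeps its own name
    return f"uid={name},cn={realm.lower()},cn=gssapi,cn=auth"


def authz_rewrite(authc_dn, rules):
    """Apply rules in order; the first match yields the bind DN, with $N
    expanded from the match groups. Unmatched DNs are returned unchanged."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn)
        if m:
            return re.sub(r"\$(\d)",
                          lambda g: m.group(int(g.group(1))), replacement)
    return authc_dn


def bind_dn_for(principal, rules):
    """Principal -> authc DN -> rewritten bind DN, for a given rule order."""
    return authz_rewrite(sasl_authc_dn(principal), rules)


if __name__ == "__main__":
    # Constructed principals: a user and the keytab's service principal.
    for princ in ("bpk@BPK2.COM", "DNS/test.bpk2.com@BPK2.COM"):
        print(princ, "-> (user rule only)", bind_dn_for(princ, [USER_RULE]))
        print(princ, "-> (service rule first)",
              bind_dn_for(princ, [SERVICE_RULE, USER_RULE]))
```

With only the existing rule, the service principal is captured whole by `[^,]*` and lands under ou=Users as uid=DNS/test.bpk2.com; the service rule only takes effect when it is listed before the user rule.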