[Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap
Petr Spacek
pspacek at redhat.com
Tue Apr 1 18:40:17 UTC 2014
Hello!
On 1.4.2014 16:17, Brendan Kearney wrote:
> What plugin version do you use? bind-dyndb-ldap-4.1-1.fc20.x86_64
Before I dive into details, please read about the following bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/134
I just found it, fixed it and I'm attaching patch for you so you don't need to
wait for a new release :-)
> Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using
> openldap-servers-2.4.39-2.fc20.x86_64
> Please provide dynamic-db section from configuration
> file /etc/named.conf
> dynamic-db "bpk2.com" {
> library "ldap.so";
> arg "uri ldap://127.0.0.1/";
> arg "base cn=dns,dc=bpk2,dc=com";
> arg "auth_method simple";
> arg "bind_dn cn=Manager,dc=bpk2,dc=com";
> arg "password ***REMOVED***";
> arg "sync_ptr yes";
> arg "dyn_update yes";
> arg "connections 2";
> arg "verbose_checks yes";
> };
> i want to use bind-dyndb-ldap with keytabs against my directory. i have
> created the principal DNS/test.bpk2.com at BPK2.COM, and have created
> the keytab file. what i want to know is:
>
> what ldap object should i create to match up against the kerberos
> principal?
> i have to grant access to the ldap tree, so what ID will be presented to
> ldap when using the keytab?
This is up to your LDAP server implementation. Bind-dyndb-ldap just calls SASL
and Kerberos libraries. The plugin itself is not aware of any principal<->DN
mapping.
> am i able to use the sasl_username without the sasl_password to
> establish that?
sasl_username defaults to "DNS/$(hostname)" so usually it is not necessary to
specify it explicitly. (It should match your Kerberos principal.)
> being that i want to use a keytab, the username would be in there,
> correct?
> when i list the keys in the keytab, there is a PRIMARY, an INSTANCE and
> a REALM (DNS/test.bpk2.com at BPK2.COM). is the PRIMARY (DNS) or the
> INSTANCE (test.bpk2.com) what has to be linked in ldap to the kerberos
> identity?
Your LDAP server will get the whole principal and it is up to the server how
it will map it to some existing entity.
> do i need a specific olcAuthzRegexp to massage the kerberos ID into a
> proper ldap DN, like i am doing already for my ID? example:
> {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=
> $1,ou=Users,dc=bpk2,dc=com
I have no idea, I have never configured this in OpenLDAP. Please let us know
what configuration worked for you so we have the information in mailing list
archives. Thanks!
> i am running n-way multi master ldap. does the uri directive support
> more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?
Unfortunately no, it is not supported. The usual recommendation is to
configure one DNS server on one LDAP server for redundancy.
> can the SRV records be used to point the uri directive at the ldap
> servers by querying for them? ha, that's a chicken-and-the-egg topic,
> but an interesting one...
That is an interesting idea but SRV lookups are not supported.
> i am assuming my named.conf will change to include:
BTW documentation about named.conf syntax is in README:
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README
> arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
^ This is not supported. Please pick just one LDAP server.
> arg "auth_method sasl";
^ This is correct.
> arg "sasl_mech GSSAPI";
^ This is default.
> arg "krb5_keytab FILE:/etc/named.keytab";
^ This is default.
> is there anything else obvious that i am missing?
It should be enough if you configure your LDAP server accordingly.
Let us know if you encounter any problem.
BTW did you see FreeIPA project? It integrates LDAP+Kerberos with management
tools and nice user interface and solves Microsoft AD integration.
Maybe it could save you some headaches ...
--
Petr^2 Spacek
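Added example (not part of the original thread, and not bind-dyndb-ldap or OpenLDAP code): the mapping question above is answered on the OpenLDAP side, so this script models what slapd does with a GSSAPI bind. The OpenLDAP admin guide states that a GSSAPI-authenticated principal becomes the authentication request DN "uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth", and olcAuthzRegexp rules are then tried in their {n} order with the first match winning. Assumptions made here: the DN is lower-cased before matching (modelling slapd's DN normalisation), patterns are matched unanchored (the guide's rules carry no ^/$), and only DN-form replacements are supported (slapd also accepts ldap:/// URL replacements, which this example does not model). The second rule is the one from the thread; the first, "cn=dns-$1,ou=Services,...", is a hypothetical rule invented for this example to show why the service-principal rule has to be ordered before the generic user rule.

```python
import re
from dataclasses import dataclass

# Matches the "{n}" ordering prefix OpenLDAP puts on olcAuthzRegexp values.
OLC_PREFIX = re.compile(r"^\{(\d+)\}")


@dataclass(frozen=True)
class AuthzRegexp:
    order: int          # {n} prefix; lower values are tried first
    pattern: str        # regexp matched against the cn=auth DN
    replacement: str    # DN template; $1..$9 refer to captured groups


def parse_olc_authz_regexp(value: str) -> AuthzRegexp:
    """Parse one olcAuthzRegexp value of the form '{n}<pattern> <replacement>'."""
    m = OLC_PREFIX.match(value)
    order = int(m.group(1)) if m else 0
    body = value[m.end():] if m else value
    parts = body.split()
    if len(parts) != 2:
        raise ValueError(f"expected '<pattern> <replacement>', got {value!r}")
    return AuthzRegexp(order, parts[0], parts[1])


def sasl_authc_dn(principal: str) -> str:
    """Build slapd's GSSAPI authentication request DN for a Kerberos principal.

    'DNS/test.bpk2.com@BPK2.COM' -> 'uid=dns/test.bpk2.com,cn=bpk2.com,cn=gssapi,cn=auth'
    Lower-casing models DN normalisation before matching (assumption for this example).
    """
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal!r}")
    user, realm = principal.rsplit("@", 1)
    return f"uid={user.lower()},cn={realm.lower()},cn=gssapi,cn=auth"


def map_principal(principal: str, rules) -> str:
    """Apply olcAuthzRegexp rules in {n} order; first match wins.

    Returns the mapped DN, or the unmapped cn=auth DN when no rule matches
    (such an identity will then match no ACL written for real entries).
    """
    authc_dn = sasl_authc_dn(principal)
    for rule in sorted(rules, key=lambda r: r.order):
        m = re.search(rule.pattern, authc_dn)   # unanchored, like the guide's rules
        if m:
            return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))), rule.replacement)
    return authc_dn


# Constructed rule set: rule {0} is hypothetical (invented for this example),
# rule {1} is the user mapping posted in the thread.
EXAMPLE_RULES = [
    parse_olc_authz_regexp(
        "{0}uid=dns/([^,]*),cn=bpk2.com,cn=gssapi,cn=auth cn=dns-$1,ou=Services,dc=bpk2,dc=com"),
    parse_olc_authz_regexp(
        "{1}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com"),
]

# Same generic rule on its own, to show what happens without the service rule.
GENERIC_ONLY = [EXAMPLE_RULES[1]]


if __name__ == "__main__":
    for princ in ("brendan@BPK2.COM", "DNS/test.bpk2.com@BPK2.COM", "foo@OTHER.REALM"):
        print(f"{princ:30} -> {sasl_authc_dn(princ)}")
        print(f"{'':30}    both rules:   {map_principal(princ, EXAMPLE_RULES)}")
        print(f"{'':30}    generic only: {map_principal(princ, GENERIC_ONLY)}")
```

With only the generic rule, the DNS principal is mapped to "uid=dns/test.bpk2.com,ou=Users,dc=bpk2,dc=com", an entry that does not exist, so ACLs granting the named service write access to cn=dns,dc=bpk2,dc=com would never apply; the more specific rule must carry the lower {n}. The check to run against the real server is a bind with the same keytab and a whoami: `kinit -k -t /etc/named.keytab DNS/test.bpk2.com@BPK2.COM` followed by `ldapwhoami -Y GSSAPI -H ldap://127.0.0.1/`, whose "dn:" output is the identity your ACLs must grant access to.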
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0231-Fix-record-parsing-to-prevent-child-zone-corruption.patch
Type: text/x-patch
Size: 1674 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140401/f2488aaa/attachment.bin>