[Freeipa-users] bind-dyndb-ldap: using keytabs for auth to ldap

Petr Spacek pspacek at redhat.com
Tue Apr 1 18:40:17 UTC 2014


Hello!

On 1.4.2014 16:17, Brendan Kearney wrote:
> What plugin version do you use? bind-dyndb-ldap-4.1-1.fc20.x86_64
Before I dive into details, please read about the following bug:
https://fedorahosted.org/bind-dyndb-ldap/ticket/134

I just found it, fixed it and I'm attaching a patch for you so you don't need to 
wait for a new release :-)

> Do you use bind-dyndb-ldap as part of FreeIPA installation? no, using
> openldap-servers-2.4.39-2.fc20.x86_64

> Please provide dynamic-db section from configuration
> file /etc/named.conf
> dynamic-db "bpk2.com" {
>         arg "uri ldap://127.0.0.1/";
>         arg "base cn=dns,dc=bpk2,dc=com";
>         arg "auth_method simple";
>         arg "bind_dn cn=Manager,dc=bpk2,dc=com";
>         arg "password ***REMOVED***";
>         arg "sync_ptr yes";
>         arg "dyn_update yes";
>         arg "connections 2";
>         arg "verbose_checks yes";
> };

> i want to use bind-dyndb-ldap with keytabs against my directory.  i have
> created the principal DNS/test.bpk2.com at BPK2.COM, and have created
> the keytab file.  what i want to know is:
>
> what ldap object should i create to match up against the kerberos
> principal?
> i have to grant access to the ldap tree, so what ID will be presented to
> ldap when using the keytab?
This is up to your LDAP server implementation. Bind-dyndb-ldap just calls SASL 
and Kerberos libraries. The plugin itself is not aware of any principal<->DN 
mapping.

> am i able to use the sasl_username without the sasl_password to
> establish that?
sasl_username defaults to "DNS/$(hostname)" so usually it is not necessary to 
specify it explicitly. (It should match your Kerberos principal.)

> being that i want to use a keytab, the username would be in there,
> correct?
> when i list the keys in the keytab, there is a PRIMARY, an INSTANCE and
> a REALM (DNS/test.bpk2.com at BPK2.COM).  is the PRIMARY (DNS) or the
> INSTANCE (test.bpk2.com) what has to be linked in ldap to the kerberos
> identity?
Your LDAP server will get the whole principal and it is up to the server how 
it will map it to some existing entity.

> do i need a specific olcAuthzRegexp to massage the kerberos ID into a
> proper ldap DN, like i am doing already for my ID?  example:
> {0}uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth uid=
> $1,ou=Users,dc=bpk2,dc=com
I have no idea, I have never configured this in OpenLDAP. Please let us know 
what configuration worked for you so we have the information in mailing list 
archives. Thanks!

> i am running n-way multi master ldap.  does the uri directive support
> more than one value (ldap://ldap1.bpk2.com ldap://ldap2.bpk2.com)?
Unfortunately no, it is not supported. The usual recommendation is to 
configure one DNS server on one LDAP server for redundancy.

> can the SRV records be used to point the uri directive at the ldap
> servers by querying for them?  ha, that's a chicken-and-the-egg topic,
> but an interesting one...
That is an interesting idea but SRV lookups are not supported.

> i am assuming my named.conf will change to include:
BTW documentation about named.conf syntax is in README:
https://git.fedorahosted.org/cgit/bind-dyndb-ldap.git/plain/README

>          arg "uri ldap://ldap1.bpk2.com/ ldap://ldap2.bpk2.com";
^ This is not supported. Please pick just one LDAP server.

>          arg "auth_method sasl";
^ This is correct.

>          arg "sasl_mech GSSAPI";
^ This is default.

>          arg "krb5_keytab FILE:/etc/named.keytab";
^ This is default.

> is there anything else obvious that i am missing?
It should be enough if you configure your LDAP server accordingly.

Let us know if you encounter any problem.

BTW did you see the FreeIPA project? It integrates LDAP+Kerberos with management 
tools and a nice user interface, and solves Microsoft AD integration.

Maybe it could save you some headaches ...

-- 
Petr^2 Spacek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bind-dyndb-ldap-pspacek-0231-Fix-record-parsing-to-prevent-child-zone-corruption.patch
Type: text/x-patch
Size: 1674 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20140401/f2488aaa/attachment.bin>
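The open question in the thread is which DN OpenLDAP will present for the keytab principal and whether the poster's existing olcAuthzRegexp catches it. The following is an added example, not code from the thread or from bind-dyndb-ldap: it emulates slapd's authz-regexp evaluation (first matching rule wins, `$1` substituted) against the SASL authentication DN of a GSSAPI bind, so the rule set can be sanity-checked before it is loaded. It assumes slapd builds `uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth` with the realm lowercased (as in the poster's rule), case-insensitive extended-regex matching, DN-style replacements only (LDAP URL searches are not emulated), and a hypothetical `ou=Services` branch for the service rule.

```python
import re

# Added example: emulate how slapd applies olcAuthzRegexp rules to the SASL
# authentication DN of a GSSAPI bind, to see which entry a bind-dyndb-ldap
# keytab principal such as DNS/test.bpk2.com@BPK2.COM is mapped to.
# Assumptions: authcDN form uid=<primary[/instance]>,cn=<realm>,cn=gssapi,cn=auth
# with the realm lowercased; rules matched case-insensitively as extended
# regexes; only DN replacements emulated; the cn=config "{0}" prefix is dropped.

def sasl_authc_dn(principal):
    """Return the cn=auth DN slapd derives from a Kerberos principal."""
    name, realm = principal.rsplit("@", 1)
    return "uid=%s,cn=%s,cn=gssapi,cn=auth" % (name, realm.lower())

def apply_authz_regexp(authc_dn, rules):
    """First matching (pattern, replacement) rule wins; $1..$9 are substituted.
    If no rule matches, the bind keeps the raw cn=auth DN, which matches no
    entry in the tree, so ACLs written for real entries will not apply."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authc_dn

def map_principal(principal, rules):
    """Convenience wrapper: principal -> authcDN -> authzDN."""
    return apply_authz_regexp(sasl_authc_dn(principal), rules)

# The poster's existing rule for human accounts (ordering prefix "{0}" removed).
USER_RULE = (r"uid=([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
             "uid=$1,ou=Users,dc=bpk2,dc=com")
# Hypothetical rule for the DNS service principal; ou=Services is an assumed branch.
SERVICE_RULE = (r"uid=DNS/([^,]*),cn=bpk2.com,cn=gssapi,cn=auth",
                "cn=DNS/$1,ou=Services,dc=bpk2,dc=com")

if __name__ == "__main__":
    dns = "DNS/test.bpk2.com@BPK2.COM"
    print("authcDN:", sasl_authc_dn(dns))
    # Rule order matters: the generic user rule also matches DNS/... principals,
    # so the service rule must come first or it never fires.
    for rules in ([USER_RULE], [SERVICE_RULE, USER_RULE], [USER_RULE, SERVICE_RULE]):
        print([r[1] for r in rules], "->", map_principal(dns, rules))
```

Run it with the real rule set to confirm the service principal lands on the entry the ACLs grant DNS write access to, rather than on a non-existent uid under ou=Users.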

