KxSystems / ldap

Kdb+ integration with LDAP
https://code.kx.com/q
Apache License 2.0

Add example of binding with kerberos #138

Closed sshanks-kx closed 1 year ago

sshanks-kx commented 1 year ago

Example of building/using ldapsearch in a kerberos env:

Example env: https://github.com/antagme/Documentation_Project/blob/master/example1fast.md

Creating a container to add to it, with our own ldap/etc build...

  1. Edit Dockerfile.build (in this repo) so its yum install includes openssl and cyrus-sasl-devel (ldap must be built with the sasl api)
  2. Build: docker build -f Dockerfile.build -t ldapdev .
  3. Run in the env: docker run -it --rm --name ldapdev --net ldap --ip 172.18.0.4 ldapdev
  4. Install the gssapi/krb tools: yum install -y cyrus-sasl-gssapi krb5-workstation
  5. Add the IPs of the other machines to /etc/hosts:
       172.18.0.2 ldap.edt.org
       172.18.0.3 kserver.edt.org
       172.18.0.8 client.edt.org
  6. Change /etc/krb5.conf to:
       [logging]
        default = FILE:/var/log/krb5libs.log
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmind.log
       [libdefaults]
        dns_lookup_realm = false
        ticket_lifetime = 24h
        renew_lifetime = 7d
        forwardable = true
        rdns = false
        default_realm = EDT.ORG
       [realms]
        EDT.ORG = {
         kdc = kserver.edt.org
         admin_server = kserver.edt.org
        }
       [domain_realm]
        .edt.org = EDT.ORG
        edt.org = EDT.ORG
  7. Log in: kinit user01 (password kuser01)
  8. Run ldapsearch, e.g. LD_LIBRARY_PATH=/usr/lib/:$LD_LIBRARY_PATH ldapsearch -H ldap://ldap.edt.org -D 'dc=edt,dc=org' -Y GSSAPI -v

Possible error msgs if various packages/etc are not installed:

No cyrus-sasl-devel at compile time, error msg:
    ldapsearch: not compiled with SASL support

No cyrus-sasl-gssapi or cyrus-sasl-devel, error msg:
    ldap_sasl_interactive_bind: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: No worthy mechs found

No kinit run to log in, error msg:
    ldap_sasl_interactive_bind: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_0))
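The three failure modes listed above each correspond to a missing prerequisite (SASL not compiled in, no GSSAPI mechanism plugin, no Kerberos ticket). The script below is an added example, not code from the KxSystems/ldap repo or from the issue author: it checks those prerequisites before attempting the bind, and maps the quoted ldapsearch messages back to their cause. The SASL plugin directories it probes and the libgssapiv2.so file name are assumptions based on common RHEL/CentOS and Debian layouts; the sample error line is constructed from the message quoted in the issue so the triage logic runs without a directory server.

```shell
#!/bin/sh
# Pre-flight checks and error triage for an ldapsearch GSSAPI bind.
# Added example; not code from the KxSystems/ldap repo or the issue author.
# Assumption: cyrus-sasl installs its plugins in one of the directories
# probed by have_gssapi_plugin, as libgssapiv2.so.

# Map one ldapsearch stderr message to the missing prerequisite, using the
# three messages quoted in the issue. Prints a cause keyword.
classify_ldap_error() {
    case "$1" in
        *"not compiled with SASL support"*)    echo "build-without-sasl" ;;
        *"No worthy mechs found"*)             echo "missing-gssapi-plugin" ;;
        *"No Kerberos credentials available"*) echo "no-kerberos-ticket" ;;
        *)                                     echo "unknown" ;;
    esac
}

# Remediation for each cause keyword (package names as given in the issue).
remediation_hint() {
    case "$1" in
        build-without-sasl)    echo "rebuild with cyrus-sasl-devel installed so ldapsearch is compiled with SASL support" ;;
        missing-gssapi-plugin) echo "install cyrus-sasl-gssapi (and cyrus-sasl-devel) so the GSSAPI mechanism is available" ;;
        no-kerberos-ticket)    echo "obtain a ticket first with kinit <principal>, then confirm it with klist" ;;
        *)                     echo "unrecognised message; rerun ldapsearch with -v and inspect the full output" ;;
    esac
}

# Check: is the cyrus-sasl GSSAPI plugin installed? (assumed plugin directories)
have_gssapi_plugin() {
    for d in /usr/lib64/sasl2 /usr/lib/sasl2 /usr/lib/x86_64-linux-gnu/sasl2; do
        [ -e "$d/libgssapiv2.so" ] && return 0
    done
    return 1
}

# Check: is there a valid Kerberos ticket in the default cache?
# klist -s prints nothing and exits 0 only when a non-expired ticket exists.
have_krb_ticket() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s
}

have_ldapsearch() { command -v ldapsearch >/dev/null 2>&1; }

# Report each prerequisite; returns non-zero if any check failed.
preflight() {
    rc=0
    if have_ldapsearch;    then echo "ok    ldapsearch in PATH";         else echo "FAIL  ldapsearch not in PATH"; rc=1; fi
    if have_gssapi_plugin; then echo "ok    SASL GSSAPI plugin present";  else echo "FAIL  libgssapiv2.so not found (install cyrus-sasl-gssapi)"; rc=1; fi
    if have_krb_ticket;    then echo "ok    Kerberos ticket cached";     else echo "FAIL  no valid ticket (run kinit, then klist)"; rc=1; fi
    return $rc
}

# Run ldapsearch with the given arguments, keep only its stderr, and triage a failure.
# Example: triage_bind -H ldap://ldap.edt.org -Y GSSAPI -v
triage_bind() {
    if err=$(ldapsearch "$@" 2>&1 >/dev/null); then
        echo "bind succeeded"
        return 0
    fi
    cause=$(classify_ldap_error "$err")
    echo "bind failed ($cause): $(remediation_hint "$cause")"
    return 1
}

# Constructed sample, copied from the error quoted in the issue, so the triage
# logic can be exercised offline.
SAMPLE_NO_MECH='ldap_sasl_interactive_bind: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: No worthy mechs found'

echo "sample error classified as: $(classify_ldap_error "$SAMPLE_NO_MECH")"
preflight || echo "fix the FAIL items above, then run: ldapsearch -H ldap://ldap.edt.org -Y GSSAPI -v"
```

Run it inside the ldapdev container after step 7; once every preflight line reads ok, `triage_bind -H ldap://ldap.edt.org -Y GSSAPI -v` performs the bind and, on failure, names which of the three prerequisites is still missing instead of leaving you to read the raw SASL error.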