Open phasenohr opened 5 months ago
Yes, GSSAPI is missing from ldap2pg 6.0. go-ldap just released with GSSAPI support.
However, I don't know how to reproduce Kerberos auth in development environment and CI. Any help accepted!
Do you want ldap2pg to ask you the Kerberos password? Do you use kinit or something like that?
Thank you for your very quick feedback!
I am using keytabs for functional users such as the one used to execute ldap2pg.
It seems that authentication based on a keytab is supported by go-ldap: https://github.com/go-ldap/ldap/blob/56e5759aadc48129a33935b9de05b17151c1172e/gssapi/client.go#L31 If it can be used, this would be perfect in my case.
I will gladly help with the testing. Regarding the setup of kerberos in the development environment, I am not sure what would be needed. Not sure if I could help there but if I can, I would do. Thank you.
samba support for KDC is very experimental. Thus, implementing this is completely wild.
How do you configure ldapsearch to authenticate to AD using GSSAPI/Kerberos?
I am using MIT Kerberos (no AD, no Samba involved). The set-up I have for such an environment is the following on Debian 12:
- `apt-get install krb5-user libsasl2-modules-gssapi-mit`
- `/etc/certificates/proxyuser.keytab`
- `/etc/krb5.conf` (the names of the Kerberos KDC servers are retrieved via DNS in that case):

```
[libdefaults]
default_realm = XXXX.YYY.ZZ
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
renew_lifetime = 5d
dns_canonicalize_hostname = false

[domain_realm]
.xxxx.yyy.zz = XXXX.YYY.ZZ

[logging]
kdc = SYSLOG:INFO:DAEMON
```
- Retrieve a Kerberos ticket by authenticating with the keytab previously placed on the machine: `kinit -kt /etc/certificates/proxyuser.keytab proxyuser` where `proxyuser` is the name of the user allowed to query the ldap server and list its content
- Issue the LDAP search: `ldapsearch -Y GSSAPI -U proxyuser -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"`
If the `ldaprc` file put in my first post is placed in the same folder from which the `ldapsearch` command is issued, then the following command would be enough: `ldapsearch -Y GSSAPI -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"`
If I understand correctly what the library you referred to is doing, the `kinit` part would not be needed as it would be handled by the library automatically from those variables: `username, realm, keytabPath, krb5confPath`
Hi @phasenohr. Thanks for the details. Trying to authenticate ldapsearch against Samba with GSSAPI with Kerberos:

```
$ kinit -V -kt $PWD/administrator.keytab administrator
Using default cache: /tmp/krb5cc_1000
Using principal: administrator@BRIDOULOU.FR
Using keytab: /home/bersace/src/dalibo/ldap2pg/administrator.keytab
Authenticated to Kerberos v5
$ ldapsearch -U administrator@BRIDOULOU.FR -H ldaps://samba1.ldap2pg.docker -l 5 -Y GSSAPI -b cn=users,dc=bridoulou,dc=fr -s sub '(|(cn=owners)(cn=readers)(cn=writers))' member cn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
	additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)
```

I guess Samba AD needs to have itself declared as a server in one database. I don't know how or what. I have `rdns = false` and DNS resolution for my docker container.
Hi @bersace
It probably means that the LDAP server is missing a keytab authorising it to authenticate through Kerberos.
With MIT Kerberos, you would need to create a keytab for the SPN `ldap/fqdn@REALM`, so in your example this would probably be `ldap/samba1.ldap2pg.docker@BRIDOULOU.FR`, but I do not know how you would configure that in Samba AD.
Also, you might need to update the `[domain_realm]` section on your client to match the `.ldap2pg.docker` domain with the `BRIDOULOU.FR` realm.
cf. #268 for reference.
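The two hints in the reply above (the server needs a key for `ldap/<fqdn>@<REALM>`, and the client's `[domain_realm]` decides which REALM it will put in that principal) can be checked before trying a bind. The following is an added example, not ldap2pg's or go-ldap's code and not written by either poster: a small standalone Python helper that parses a flat `krb5.conf`, applies the MIT-style `[domain_realm]` lookup (exact host first, then the most specific parent domain, then `default_realm`), and prints the LDAP service principal the client will request. The `krb5.conf` text embedded in it is a constructed sample modelled on the configuration quoted in this thread; the lookup order is modelled on MIT's documented behaviour and is an assumption about that implementation, not a quote of it.

```python
"""Predict which LDAP service principal a GSSAPI client will ask the KDC for.

If the predicted principal has no key in the directory server's database
(or the realm is not the one the server lives in), the bind fails with
"Server not found in Kerberos database", as seen in this thread.
"""

# Constructed sample, modelled on the krb5.conf quoted in this thread.
SAMPLE_CONF = """\
[libdefaults]
default_realm = BRIDOULOU.FR
dns_canonicalize_hostname = false
rdns = false

[domain_realm]
.bridoulou.fr = BRIDOULOU.FR
"""

# Same sample with the extra mapping suggested above for the docker domain.
SAMPLE_CONF_MAPPED = SAMPLE_CONF + ".ldap2pg.docker = BRIDOULOU.FR\n"


def parse_krb5_conf(text):
    """Parse the flat 'key = value' parts of a krb5.conf into {section: {key: value}}.

    Nested '{ ... }' blocks (as used under [realms]) are skipped; only the
    sections needed for the realm lookup are required to be flat.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if value in ("", "{") or value.endswith("}"):
            continue                                # skip nested block syntax
        sections[current][key.strip()] = value
    return sections


def realm_for_host(conf, host):
    """Return (realm, source) for a host name.

    Lookup order is modelled on MIT krb5 (assumption): an exact host entry in
    [domain_realm] wins, then parent domains from most to least specific
    (".ldap2pg.docker" before ".docker"), then libdefaults/default_realm.
    The host is used as given, matching dns_canonicalize_hostname = false.
    """
    host = host.lower().rstrip(".")
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    if host in mapping:
        return mapping[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        for candidate in ("." + parent, parent):
            if candidate in mapping:
                return mapping[candidate], candidate
    default = conf.get("libdefaults", {}).get("default_realm")
    if default:
        return default, "default_realm"
    raise LookupError(f"no realm for {host}: add a [domain_realm] entry or default_realm")


def expected_ldap_spn(conf, host):
    """The service principal the client will request for an LDAP bind to host."""
    realm, _ = realm_for_host(conf, host)
    return f"ldap/{host.lower().rstrip('.')}@{realm}"


if __name__ == "__main__":
    for label, text in (("as quoted", SAMPLE_CONF), ("with mapping", SAMPLE_CONF_MAPPED)):
        conf = parse_krb5_conf(text)
        for host in ("samba1.ldap2pg.docker", "dc1.bridoulou.fr"):
            realm, source = realm_for_host(conf, host)
            print(f"{label:13} {host:24} -> {expected_ldap_spn(conf, host)}  (via {source})")
```

In the "as quoted" configuration the docker host is only resolved through `default_realm`, so the client asks for `ldap/samba1.ldap2pg.docker@BRIDOULOU.FR`; that is the principal the Samba side would need a key for, and the `[domain_realm]` mapping makes the same choice explicit instead of relying on the fallback.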
Hello,

I am trying to have ldap2pg authenticate against my LDAP directory through GSSAPI (in order to use Kerberos ultimately). According to https://ldap2pg.readthedocs.io/en/latest/ldap/ it seems that I should be able to specify `SASL_MECH` but I do not find how to do it. Here is the anonymised ldaprc file I am trying to use (it works fine if I do a `ldapwhoami`):

This leads to the following error when running `ldap2pg`:

If I use `BINDDN` and `PASSWORD` in my `ldaprc` file instead of the `SASL_*` variables, `ldap2pg` works fine. Am I doing something wrong or can it be that support for GSSAPI has not been implemented in version 6?

Thank you for your support.

Best regards, Paul