dalibo / ldap2pg

:elephant: :busts_in_silhouette: Manage PostgreSQL roles and privileges from YAML or LDAP
https://labs.dalibo.com/ldap2pg
PostgreSQL License

Use GSSAPI for directory authentication #630

Open phasenohr opened 5 months ago

phasenohr commented 5 months ago

Hello,

I am trying to have ldap2pg authenticate against my LDAP directory through GSSAPI (in order to use Kerberos ultimately). According to https://ldap2pg.readthedocs.io/en/latest/ldap/ it seems that I should be able to specify SASL_MECH, but I cannot find how to do it.

Here is the anonymised ldaprc file I am trying to use (it works fine if I do an ldapwhoami):

URI ldaps://krbldap-001.xxxx.yyy.zz
SASL_MECH GSSAPI
SASL_REALM XXXX.YYY.ZZ
SASL_AUTHCID name_of_the_kerberos_principal_used_to_authenticate_against_ldap

This leads to the following error when running ldap2pg:

14:25:33 INFO   Starting ldap2pg                                 version=v6.0 runtime=go1.20.5 commit=023e6933
14:25:33 INFO   Using YAML configuration file.                   path=./ldap2pg.yml
14:25:33 INFO   Running as superuser.                            user=postgres super=true server="PostgreSQL 14.11" cluster=14/main database=postgres
14:25:34 ERROR  Fatal error.                                     err="unhandled SASL_MECH"

If I use BINDDN and PASSWORD in my ldaprc file instead of the SASL_* variables, ldap2pg works fine.

Am I doing something wrong or can it be that support for GSSAPI has not been implemented in version 6?

Thank you for your support.

Best regards, Paul

bersace commented 5 months ago

Yes, GSSAPI is missing from ldap2pg 6.0. go-ldap just released with GSSAPI support.

However, I don't know how to reproduce Kerberos auth in a development environment and CI. Any help accepted!

bersace commented 5 months ago

Do you want ldap2pg to ask you the Kerberos password? Do you use kinit or something like that?

phasenohr commented 5 months ago

Thank you for your very quick feedback! I am using keytabs for functional users such as the one used to execute ldap2pg.

It seems that authentication based on a keytab is supported by go-ldap: https://github.com/go-ldap/ldap/blob/56e5759aadc48129a33935b9de05b17151c1172e/gssapi/client.go#L31. If it can be used, this would be perfect in my case.

I will gladly help with the testing. Regarding the setup of Kerberos in the development environment, I am not sure what would be needed. Not sure if I could help there, but if I can, I will. Thank you.

bersace commented 5 months ago

Samba support for KDC is very experimental. Thus, implementing this is completely wild.

How do you configure ldapsearch to authenticate to AD using GSSAPI/Kerberos?

phasenohr commented 5 months ago

I am using MIT Kerberos (no AD, no Samba involved). The set-up I have for such an environment is the following on Debian 12:

    [domain_realm]
        .xxxx.yyy.zz = XXXX.YYY.ZZ

    [logging]
        kdc = SYSLOG:INFO:DAEMON

- Retrieve a Kerberos ticket by authenticating with the keytab previously placed on the machine: `kinit -kt /etc/certificates/proxyuser.keytab proxyuser`, where `proxyuser` is the name of the user allowed to query the LDAP server and list its content.
- Issue the LDAP search: `ldapsearch -Y GSSAPI -U proxyuser -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"`

If the `ldaprc` file put in my first post is placed in the same folder from which the `ldapsearch` command is issued, then the following command would be enough: `ldapsearch -Y GSSAPI -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"`

If I understand correctly what the library you referred to is doing, the `kinit` part would not be needed as it would be handled by the library automatically from those variables: `username, realm, keytabPath, krb5confPath`.

bersace commented 5 months ago

Hi @phasenohr . Thanks for the details. Trying to authenticate ldapsearch against Samba with GSSAPI with Kerberos:

$ kinit -V -kt $PWD/administrator.keytab  administrator
Using default cache: /tmp/krb5cc_1000
Using principal: administrator@BRIDOULOU.FR
Using keytab: /home/bersace/src/dalibo/ldap2pg/administrator.keytab
Authenticated to Kerberos v5

$ ldapsearch -U administrator@BRIDOULOU.FR -H ldaps://samba1.ldap2pg.docker -l 5 -Y GSSAPI -b cn=users,dc=bridoulou,dc=fr -s sub '(|(cn=owners)(cn=readers)(cn=writers))' member cn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

I guess Samba AD needs to have itself declared as a server in one database. I don't know how or what. I have rdns = false and DNS resolution for my docker container.

phasenohr commented 5 months ago

Hi @bersace

It probably means that the LDAP server is missing a keytab authorising it to authenticate through Kerberos. With MIT Kerberos, you would need to create a keytab for the SPN ldap/fqdn@REALM so in your example, this would be probably ldap/samba1.ldap2pg.docker@BRIDOULOU.FR but I do not know how you would configure that in Samba AD.

Also, you might need to update the [domain_realm] section on your client to match the .ldap2pg.docker domain with the BRIDOULOU.FR realm.
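
As an added example (not ldap2pg's code and not go-ldap's), the following Go program ties together the two points made in this thread: which bind an ldaprc with `SASL_MECH GSSAPI` asks for (the setting ldap2pg 6.0 rejects with "unhandled SASL_MECH"), and which service principal `ldap/<fqdn>@<REALM>` the server must hold a key for, plus the `[domain_realm]` mapping the client needs to resolve the server's realm. The function names `ParseLdaprc`, `ChooseBind`, `LDAPServicePrincipal` and `RealmForHost` are hypothetical, the ldaprc and `[domain_realm]` inputs are constructed from the values quoted above, only the standard library is used, and the actual GSSAPI bind (which in go-ldap would go through the keytab-based client linked earlier) is left out.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// LDAPConfig holds the ldaprc settings this example cares about.
// Hypothetical type for illustration, not ldap2pg's own configuration struct.
type LDAPConfig struct {
	URI         string
	BindDN      string
	Password    string
	SASLMech    string
	SASLRealm   string
	SASLAuthCID string
}

// ParseLdaprc reads ldaprc-style "KEY value" lines; blank lines and '#' comments are skipped.
func ParseLdaprc(text string) LDAPConfig {
	var c LDAPConfig
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Fields(line)
		value := strings.Join(fields[1:], " ")
		switch strings.ToUpper(fields[0]) {
		case "URI":
			c.URI = value
		case "BINDDN":
			c.BindDN = value
		case "PASSWORD":
			c.Password = value
		case "SASL_MECH":
			c.SASLMech = value
		case "SASL_REALM":
			c.SASLRealm = value
		case "SASL_AUTHCID":
			c.SASLAuthCID = value
		}
	}
	return c
}

// BindMethod is the bind a client would attempt for a given configuration.
type BindMethod string

const (
	BindSimple BindMethod = "simple"
	BindGSSAPI BindMethod = "gssapi"
)

// ErrUnhandledSASLMech is the error for a SASL_MECH the client does not implement
// (ldap2pg 6.0 reports it for every SASL_MECH, GSSAPI included).
var ErrUnhandledSASLMech = errors.New("unhandled SASL_MECH")

// ChooseBind keeps the simple BINDDN/PASSWORD path when SASL_MECH is unset, accepts
// GSSAPI when a realm is configured, and rejects any other mechanism.
func ChooseBind(c LDAPConfig) (BindMethod, error) {
	switch strings.ToUpper(c.SASLMech) {
	case "":
		return BindSimple, nil
	case "GSSAPI":
		if c.SASLRealm == "" {
			return "", errors.New("SASL_REALM is required for a GSSAPI bind")
		}
		return BindGSSAPI, nil
	default:
		return "", fmt.Errorf("%w: %s", ErrUnhandledSASLMech, c.SASLMech)
	}
}

// LDAPServicePrincipal names the principal ldap/<fqdn>@<REALM> the client requests a
// ticket for; the KDC must know this principal, otherwise the bind fails with
// "Server not found in Kerberos database".
func LDAPServicePrincipal(uri, realm string) (string, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return "", err
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", fmt.Errorf("no host in LDAP URI %q", uri)
	}
	return "ldap/" + host + "@" + strings.ToUpper(realm), nil
}

// RealmForHost applies a [domain_realm] mapping: an exact host entry wins, otherwise the
// longest ".domain" suffix entry; ok is false when no entry covers the host.
func RealmForHost(domainRealm map[string]string, host string) (realm string, ok bool) {
	host = strings.ToLower(host)
	if r, found := domainRealm[host]; found {
		return r, true
	}
	bestLen := -1
	for pattern, r := range domainRealm {
		pattern = strings.ToLower(pattern)
		if strings.HasPrefix(pattern, ".") && strings.HasSuffix(host, pattern) && len(pattern) > bestLen {
			realm, bestLen = r, len(pattern)
		}
	}
	return realm, bestLen >= 0
}

func main() {
	// Constructed ldaprc matching the first post (principal name shortened).
	cfg := ParseLdaprc("URI ldaps://krbldap-001.xxxx.yyy.zz\nSASL_MECH GSSAPI\nSASL_REALM XXXX.YYY.ZZ\nSASL_AUTHCID proxyuser\n")
	method, err := ChooseBind(cfg)
	if err != nil {
		fmt.Println("bind not possible:", err)
		return
	}
	spn, _ := LDAPServicePrincipal(cfg.URI, cfg.SASLRealm)
	u, _ := url.Parse(cfg.URI)
	// Constructed [domain_realm] section, as in the Debian 12 setup above.
	realm, ok := RealmForHost(map[string]string{".xxxx.yyy.zz": "XXXX.YYY.ZZ"}, u.Hostname())
	fmt.Printf("bind=%s authcid=%s spn=%s realm=%s mapped=%v\n", method, cfg.SASLAuthCID, spn, realm, ok)
}
```

Run against the Samba host from the later comment (`ldaps://samba1.ldap2pg.docker` with realm `BRIDOULOU.FR`), `LDAPServicePrincipal` yields `ldap/samba1.ldap2pg.docker@BRIDOULOU.FR`, the principal the server side would need a key for, and `RealmForHost` returns no mapping until a `.ldap2pg.docker` entry is added, which is the `[domain_realm]` fix suggested above.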

bersace commented 5 months ago

cf. #268 for reference.