Re: Forcing the use of kerberos by ldap clients when connecting to an openldap server



Actually I'm a putz,

What I was trying to do would never have worked! authentication
against LDAP using GSSAPI requires the user to have already signed
into a kerberos realm and have a token. In my setup, that token was
not available (the user never signs in), hence it'd never work.

Giving users' passwords in ldap itself works until I organise the
kerberos login stuff.

Jamie

On Sep 25, 1:24 am, drjl...@xxxxxxxxx wrote:
Hello all,

I have an openldap server that successfully authenticates against a
kerberos setup:

[jamie@janeiro ~]$ ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ja...@xxxxxxxxxxx
SASL SSF: 56
SASL installing layers
dn:uid=jamie,ou=people,dc=example,dc=com
Result: Success (0)

When I do not put -Y GSSAPI in, I get:

[jamie@janeiro ~]$ ldapwhoami
ldap_sasl_interactive_bind_s: No such object (32)

Is it possible to force the client or server to use GSSAPI for
authentication, so I don't need to write it every time? In my
slapd.conf file I have:

TLSCertificateFile /etc/openldap/cacerts/newcert.pem
TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem
...
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com

In particular, this sasl-secprops line (according to the website I
pilfered it from) should in theory force the use of GSSAPI, but in
practice it doesn't.

The reason I wish to force GSSAPI is to make a java app I need to
interoperate with use the right mechanism (i.e. GSSAPI), and hence
authenticate against kerberos via LDAP rather than authenticate
against ldap only.

Thanks for any help.
Jamie
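The saslRegexp directive in the quoted slapd.conf is what turns a SASL authentication identity such as uid=jamie,cn=GSSAPI,cn=auth into the entry DN that ldapwhoami prints. As an added illustration (not code from the thread or from OpenLDAP), the following Python approximates that mapping: it joins slapd.conf continuation lines, collects the saslRegexp/authz-regexp rules, and applies the first matching one, translating slapd's $1 capture reference into a Python substitution. The sample configuration and the identities tried against it are constructed for this example; the mapping rule is the one from the post. Note that an identity from a different mechanism, or a principal containing a slash (a service principal such as host/...), gets no DN at all, which is the only "GSSAPI-only" enforcement the quoted configuration actually provides: sasl-secprops restricts mechanism properties, it does not pick a mechanism.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample slapd.conf fragment, modelled on the one in the post.
# The saslRegexp rule is deliberately wrapped onto a continuation line
# (leading whitespace), which slapd.conf treats as part of the previous line.
SLAPD_CONF = """\
sasl-secprops noanonymous,noplain,noactive
saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth
    uid=$1,ou=people,dc=example,dc=com
"""


def parse_sasl_regexps(conf: str) -> List[Tuple[str, str]]:
    """Return (pattern, replacement) pairs from saslRegexp / authz-regexp lines.

    Lines beginning with whitespace are continuation lines in slapd.conf,
    so they are joined to the preceding line before splitting.
    """
    joined = re.sub(r"\n[ \t]+", " ", conf)
    rules = []
    for line in joined.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].lower() in ("saslregexp", "authz-regexp"):
            rules.append((parts[1], parts[2]))
    return rules


def map_sasl_identity(rules: List[Tuple[str, str]], authc_id: str) -> Optional[str]:
    """Map a SASL authentication identity to a DN using the first matching rule.

    This approximates slapd's behaviour: the pattern is an extended regex
    matched case-insensitively, and $1..$9 in the replacement refer to the
    capture groups. Returns None when no rule matches, which is what leaves
    a non-GSSAPI (or service-principal) identity without a directory entry.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authc_id, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


RULES = parse_sasl_regexps(SLAPD_CONF)

if __name__ == "__main__":
    # Constructed identities: the user from the post, the same user arriving
    # via another mechanism, and a service principal (contains a slash).
    for ident in ("uid=jamie,cn=GSSAPI,cn=auth",
                  "uid=jamie,cn=DIGEST-MD5,cn=auth",
                  "uid=host/janeiro.example.com,cn=GSSAPI,cn=auth"):
        print(f"{ident} -> {map_sasl_identity(RULES, ident)}")
```

Running the block prints the DN uid=jamie,ou=people,dc=example,dc=com for the GSSAPI identity and None for the other two, which is the behaviour to expect from the quoted rule before any client-side mechanism selection is considered.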


.



Relevant Pages

  • RE: GSS_ACCEPT_SECURITY_CONTEXT
    ... The user will login to workstation (Kerberos realm on the linux) ... Check the incoming request's authentication header ... for the http service on the application server, ... got from another GSSAPI, ...
    (comp.protocols.kerberos)
  • Re: Need some tips on kerberizing our ENTIRE network
    ... How to do GSSAPI is part of the Jabber protocol, ... > regarding its ldap support, not sure with kerberos) ... I don't *think* there's a qmail-smtpd that supports GSSAPI authentication, ...
    (comp.protocols.kerberos)
  • Re: [SPF:fail] Re: [PATCH] SASL problems with spnego on 8.0-BETA4
    ... client GSSAPI authentication segfaults in fbsd8stable i386" regarding this issue, where I list all my tests on all different machines, and a stack trace of the system where ldapwhoami segfaults. ... This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)... ...
    (freebsd-current)
  • heimdal and mit incompatability when using GSSAPI
    ... and so in many situations authentication is both faster and more secure using kerberos tickets. ... The Heimdal included in FreeBSD seems to be incompatible with my school's servers running MIT kerberos when authenticating over gssapi. ...
    (FreeBSD-Security)
  • GSSAPI / Kerberos ticket authentication issues
    ... I'm trying to configure my RHEL5 servers to perform GSSAPI ... system, GSSAPI authentication fails. ... 334 Using authentication type GSSAPI; ... Checking both of these host principals in our kerberos database ...
    (comp.protocols.kerberos)