Testing LDAP with Kerberos
##########################

SSSD's LDAP provider can be configured to use Kerberos as the authentication provider. The framework provides tools to automatically configure the LDAP domain with ``auth_provider = krb5``, using the Kerberos configuration from the given KDC role object. It also provides the means to run Kerberos tools such as ``kinit``, ``klist`` and ``kdestroy``.

.. seealso::

    * :class:`sssd_test_framework.roles.kdc.KDC`
    * :class:`sssd_test_framework.utils.authentication.KerberosAuthenticationUtils`
    * :attr:`sssd_test_framework.utils.authentication.AuthenticationUtils.kerberos`

.. note::

    To access the KDC role, you need to add an additional host to the
    ``mhc.yaml`` multihost configuration. For example:

    .. code-block:: yaml

        - hostname: kdc.test
          role: kdc
          config:
            realm: TEST
            domain: test
            client:
              krb5_server: kdc.test
              krb5_kpasswd: kdc.test
              krb5_realm: TEST
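
.. code-block:: python

    import pytest
    from sssd_test_framework.roles.client import Client
    from sssd_test_framework.roles.kdc import KDC
    from sssd_test_framework.roles.ldap import LDAP
    from sssd_test_framework.topology import KnownTopology


    @pytest.mark.topology(KnownTopology.LDAP)
    def test_kdc(client: Client, ldap: LDAP, kdc: KDC):
        # Create the user in LDAP and a matching principal in the KDC.
        ldap.user('tuser').add()
        kdc.principal('tuser').add()

        # Configure the LDAP domain with auth_provider = krb5 from the KDC role.
        client.sssd.common.krb5_auth(kdc)
        client.sssd.start()

        # Log in over SSH, then check the session's ticket cache for the realm TGT.
        with client.ssh('tuser', 'Secret123') as ssh:
            with client.auth.kerberos(ssh) as krb:
                result = krb.klist()
                assert f'krbtgt/{kdc.realm}@{kdc.realm}' in result.stdout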
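
The substring assertion in the test above also passes for a service principal such as ``krbtgt/TEST@TESTING`` and does not check whose ticket cache was listed. The following added example (not part of the framework or the original page) parses ``klist`` output and matches the default principal and the TGT exactly; ``parse_klist``, ``has_tgt`` and the sample output are hypothetical names and constructed data, and the MIT ``klist`` table layout is assumed.

```python
from __future__ import annotations

# Constructed sample of MIT `klist` output (not captured from a real host).
SAMPLE_KLIST = """\
Ticket cache: KCM:1000
Default principal: tuser@TEST

Valid starting       Expires              Service principal
01/02/2024 10:00:00  01/03/2024 10:00:00  krbtgt/TEST@TEST
\trenew until 01/09/2024 10:00:00
01/02/2024 10:00:05  01/03/2024 10:00:00  host/client.test@TEST
"""


def parse_klist(stdout: str) -> tuple[str | None, list[str]]:
    """Return (default principal, service principals) from klist output."""
    default = None
    services = []
    in_table = False
    for line in stdout.splitlines():
        if line.startswith("Default principal:"):
            default = line.split(":", 1)[1].strip()
        elif line.startswith("Valid starting"):
            in_table = True
        elif in_table and line and not line[0].isspace():
            # Ticket rows end with the service principal; indented rows
            # ("renew until ...") are continuation lines and are skipped.
            services.append(line.split()[-1])
    return default, services


def has_tgt(stdout: str, user: str, realm: str) -> bool:
    """True only if the cache belongs to user@realm and holds that realm's TGT."""
    default, services = parse_klist(stdout)
    return default == f"{user}@{realm}" and f"krbtgt/{realm}@{realm}" in services


if __name__ == "__main__":
    print(parse_klist(SAMPLE_KLIST))
    print(has_tgt(SAMPLE_KLIST, "tuser", "TEST"))
```

In a framework test, ``result.stdout`` from ``krb.klist()`` would take the place of ``SAMPLE_KLIST``.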