LDAP bind with GSSAPI #268

Closed
djkube opened this issue Feb 25, 2019 · 8 comments
djkube (Author) commented Feb 25, 2019

Is it possible to use a keytab file instead of supplying user name and password for binding to LDAP?

The environment is Active Directory based. Saving a password in clear text and sending the password over the wire is unacceptable from security perspective.

bersace (Member) commented Feb 26, 2019

Great idea. Actually, libldap does support Kerberos. It's a matter of proper setup and testing.

bersace self-assigned this Feb 26, 2019

bersace (Member) commented Feb 26, 2019

@djkube would you mind helping me test Kerberos once I have some code to test?

djkube (Author) commented Feb 26, 2019

Sure, I can't have it sooner.

bersace (Member) commented May 13, 2019

Hi @djkube, can you show me how you set up ldapsearch to query the LDAP server with a keytab?

djkube (Author) commented May 14, 2019

Hi @bersace, I actually hadn't tried using ldapsearch with a keytab until now, but figured it out after some fiddling.
I'm not sure what part of the setup you need, so I'll list the general direction; let me know if you need any details.
Everything below is on the client machine, except the keytab preparation.

  1. realm join domain.com
  2. authconfig --enablesssd --enablesssdauth --enablelocauthorize --enableldap --enableldapauth --ldapserver=dc.domain.com --enableldaptls --ldapbasedn=dc=domain,dc=com --enableshadow --enablerfc2307bis --enablemkhomedir --enablecachecreds --update (not all the parameters are required)
  3. sssd.conf should be configured; say if you need any info.
  4. A keytab file should be created and saved on the client.
  5. If all is well, you should be able to run kinit -k -t /etc/krb5.keytab 'CLIENT$@DOMAIN.COM'
  6. If all is well, you should be able to run ldapsearch -Z -Y GSSAPI -H ldap://dc.domain.com -b DC=DOMAIN,DC=COM
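The six steps above, carried through as one runnable script. This is an added example, not code from the issue or from the ldap2pg project: a POSIX shell wrapper that takes a ticket from the host keytab and runs the GSSAPI search without any password in a config file or on the wire. It assumes MIT Kerberos client tools (kinit, klist, kdestroy), OpenLDAP ldapsearch and GNU stat (with a BSD fallback); CLIENT$@DOMAIN.COM, dc.domain.com and DC=DOMAIN,DC=COM are the placeholders from the comment, and RUN_GSSAPI_SEARCH, TLS_MODE and the function names are the script's own. It goes slightly beyond the comment: it refuses a keytab readable by others, requires StartTLS rather than merely attempting it, uses a private per-run credential cache, and sets SASL security properties explicitly.

```shell
#!/bin/sh
# Added example (not ldap2pg project code): bind to Active Directory LDAP with the
# host keytab and SASL GSSAPI instead of a BINDDN/PASSWORD pair.
# Assumed tools: MIT Kerberos (kinit, klist, kdestroy), OpenLDAP ldapsearch,
# GNU stat (BSD stat fallback). Principal, DC host and base DN are placeholders.
set -u

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
PRINCIPAL="${PRINCIPAL:-CLIENT\$@DOMAIN.COM}"
LDAP_URI="${LDAP_URI:-ldap://dc.domain.com}"
BASE_DN="${BASE_DN:-DC=DOMAIN,DC=COM}"
TLS_MODE="${TLS_MODE:-starttls}"   # starttls | none

# keytab_mode_ok FILE: the keytab is a long-lived credential equivalent to the
# machine password, so refuse to use it unless only the owner can read it.
# Returns 0 for mode 0600 or 0400, 1 otherwise (or if the file is missing).
keytab_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# sasl_secprops MODE: value for ldapsearch -O (SASL security properties).
# none:     no TLS, so demand a GSSAPI security layer with at least SSF 56,
#           which in Cyrus SASL's GSSAPI plugin means sign AND seal, so that
#           directory data is not sent in clear.
# starttls: the channel is already encrypted; maxssf=0 disables the SASL
#           layer, which Active Directory requires when TLS is in effect.
sasl_secprops() {
    case "$1" in
        starttls) printf 'maxssf=0' ;;
        none)     printf 'minssf=56' ;;
        *)        return 1 ;;
    esac
}

# gssapi_search FILTER: get a TGT from the keytab into a private, per-run
# credential cache, run the search as the machine principal, then destroy the
# cache so the ticket does not outlive the job. Returns ldapsearch's status.
gssapi_search() {
    filter="${1:-(objectClass=*)}"
    keytab_mode_ok "$KEYTAB" || { echo "refusing: $KEYTAB is group/world readable" >&2; return 1; }
    # The principal must actually have an entry in the keytab (klist -k lists them).
    klist -k "$KEYTAB" | grep -Fq "$PRINCIPAL" || { echo "refusing: $PRINCIPAL not in $KEYTAB" >&2; return 1; }

    ccache=$(mktemp "${TMPDIR:-/tmp}/gssapi-cc.XXXXXX") || return 1
    KRB5CCNAME="FILE:$ccache"; export KRB5CCNAME
    kinit -k -t "$KEYTAB" "$PRINCIPAL" || { rm -f "$ccache"; return 1; }

    tls_flag=
    # -ZZ: StartTLS must succeed (plain -Z carries on in clear if it fails).
    [ "$TLS_MODE" = starttls ] && tls_flag=-ZZ
    # -N: do not reverse-resolve the host to build the service principal
    #     (same effect as SASL_NOCANON in ldaprc); a spoofed PTR record must
    #     not pick the target's Kerberos identity.
    # shellcheck disable=SC2086
    ldapsearch -LLL $tls_flag -Y GSSAPI -N \
        -O "$(sasl_secprops "$TLS_MODE")" \
        -H "$LDAP_URI" -b "$BASE_DN" "$filter" sAMAccountName memberOf
    rc=$?
    kdestroy 2>/dev/null || rm -f "$ccache"
    return $rc
}

# Only perform the network bind when explicitly requested, so the file can also
# be sourced for its helper functions.
if [ "${RUN_GSSAPI_SEARCH:-}" = 1 ]; then
    gssapi_search "${1:-}"
fi
```

Run it as `RUN_GSSAPI_SEARCH=1 sh gssapi_search.sh '(sAMAccountName=someuser)'` on the joined client. With `TLS_MODE=none` the script instead insists on GSSAPI confidentiality, so in neither mode does directory data cross the wire unencrypted.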

djkube (Author) commented May 14, 2019

@bersace some additional info that may be relevant:
https://www.openldap.org/lists/openldap-technical/201509/msg00060.html

bersace changed the title from "LDAP bind with keytab" to "LDAP bind with GSSAPI" May 15, 2019

djkube (Author) commented May 15, 2019

@bersace tried it, but it breaks on me:

[ldap2pg.config INFO] Starting ldap2pg 4.17.
[ldap2pg.config DEBUG] Trying ./ldap2pg.yml.
[ldap2pg.config INFO] Using /root/ldap2pg.yml.
[ldap2pg.config DEBUG] Read verbosity from argv.
[ldap2pg.config DEBUG] Read ldap:uri from YAML.
[ldap2pg.config DEBUG] Read postgres:databases_query from YAML.
[ldap2pg.config DEBUG] Read postgres:owners_query from YAML.
[ldap2pg.config DEBUG] Read postgres:managed_roles_query from YAML.
[ldap2pg.config DEBUG] Read postgres:schemas_query from YAML.
[ldap2pg.config DEBUG] Read privileges from YAML.
[ldap2pg.config DEBUG] Read sync_map from YAML.
[ldap2pg.config DEBUG] Configuration loaded.
[ldap2pg.script DEBUG] Connecting to LDAP directory.
[ldap2pg.ldap DEBUG] Ignoring: [Errno 2] No such file or directory: '/etc/ldap/ldap.conf'
[ldap2pg.ldap DEBUG] Found rcfile /root/ldaprc.
[ldap2pg.ldap DEBUG] Read TLS_CACERTDIR from /root/ldaprc.
[ldap2pg.ldap DEBUG] Read SASL_NOCANON from /root/ldaprc.
[ldap2pg.ldap DEBUG] Read URI from /root/ldaprc.
[ldap2pg.ldap DEBUG] Read BASE from /root/ldaprc.
[ldap2pg.ldap DEBUG] Found rcfile /root/.ldaprc.
[ldap2pg.ldap DEBUG] Read TLS_CACERTDIR from /root/.ldaprc.
[ldap2pg.ldap DEBUG] Read SASL_NOCANON from /root/.ldaprc.
[ldap2pg.ldap DEBUG] Read URI from /root/.ldaprc.
[ldap2pg.ldap DEBUG] Read BASE from /root/.ldaprc.
[ldap2pg.ldap DEBUG] Read SASL_MECH from /root/.ldaprc.
[ldap2pg.ldap DEBUG] Read URI from YAML.
[ldap2pg.ldap DEBUG] Read HOST from YAML.
[ldap2pg.ldap DEBUG] Read PORT from YAML.
[ldap2pg.ldap DEBUG] Read BINDDN from YAML.
[ldap2pg.ldap DEBUG] Read PASSWORD from YAML.
[ldap2pg.ldap DEBUG] Read REFERRALS from YAML.
[ldap2pg.ldap DEBUG] Connecting to LDAP server ldap://dc.domain.com.
[ldap2pg.ldap DEBUG] Trying SASL GSSAPI auth.
[ldap2pg.script ERROR] Unhandled error:
[ldap2pg.script ERROR] Traceback (most recent call last):
[ldap2pg.script ERROR] File "/usr/local/lib/python3.6/site-packages/ldap2pg/script.py", line 94, in main
[ldap2pg.script ERROR] exit(wrapped_main(config))
[ldap2pg.script ERROR] File "/usr/local/lib/python3.6/site-packages/ldap2pg/script.py", line 34, in wrapped_main
[ldap2pg.script ERROR] ldapconn = ldap.connect(**config['ldap'])
[ldap2pg.script ERROR] File "/usr/local/lib/python3.6/site-packages/ldap2pg/ldap.py", line 247, in connect
[ldap2pg.script ERROR] conn.sasl_interactive_bind_s("", sasl.sasl(cb_values, auth))
[ldap2pg.script ERROR] NameError: name 'cb_values' is not defined
[ldap2pg.script ERROR] Please file an issue at https://github.com/dalibo/ldap2pg/issues with full log.

If you suspect anything is missing in my ldaprc, let me know (ldapsearch successfully queries the LDAP server).

djkube (Author) commented May 19, 2019

Thank you so much @bersace!
