concept: LDAP resolver with Kerberos auth
Using Kerberos Authentication in LDAP-Resolver (#770)
This was done using Ubuntu 22.04, YMMV
- Install packages:
    realmd krb5-user
- Set the nameserver to the Domain Controller (if not done automatically):
    netplan set ethernets.eth0.nameservers.addresses=[<DC IP>]
    netplan set ethernets.eth0.nameservers.search=[<Domain>]
    netplan apply
  It is a good idea to set the timeserver to the DC as well: Kerberos rejects tickets when the clocks differ by more than the allowed skew (5 minutes by default).
  Also make sure the privacyIDEA host and the DCs are resolvable via forward and reverse DNS (or just add "<IP> <FQDN>" to /etc/hosts) so that
    $ host <IP>
    $ host <FQDN>
  both work.
- Join the domain[1]:
    realm join <Domain> -U <Domain-Admin>
  This will also install additional packages (sssd-tools adcli sssd libnss-sss libpam-sss).
- Configure Kerberos realms[2] by adding to /etc/krb5.conf:
    [realms]
    <REALM> = {
        kdc = <DC IP>
        admin_server = <DC IP>
    }
    [domain_realm]
    .<domain name> = <REALM>
    <domain name> = <REALM>
  default_realm = <REALM> (in the [libdefaults] section) should already be set by the domain join.
- Check with
    realm list
  whether the domain join was successful. You should now be able to authenticate against the AD:
    kinit <AD-user>
- Create a keytab file for authenticating the service account:
  - Linux[2]:
    $ ktutil
    ktutil: addent -password -p <AD Service Account>@<REALM> -k 1 -e AES256-SHA1
    ktutil: list
    ktutil: wkt <Service Account>.keytab
    The key version number (-k) should match the account's current key version in AD (the msDS-KeyVersionNumber attribute, which increases with every password change). The principal name must match the account's sAMAccountName, including case, because the name is part of the AES key salt; a mismatch produces a keytab whose key never decrypts anything.
  - Windows (PowerShell)[3]:
    ktpass -out <Service Account>.keytab -mapUser <AD Service Account>@<REALM> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ <AD Service Account>@<REALM>
    (Attention: +rndPass resets the password of the user account to a random one, so anything else that uses this account with the old password will break!)
  - You can check the keytab file with:
    $ klist -kte <keytab file>
  - To check whether authentication works with the keytab:
    $ kinit -kt <keytab file> <AD Service Account>@<REALM>
    $ klist
    should then show a valid TGT (krbtgt/<REALM>@<REALM>).
  - The keytab is equivalent to the account's password: it should be readable and writable only by its owner (chmod 600) and owned by the privacyidea/webserver user so that the resolver can read it.
- After installing privacyIDEA you need to add the gssapi package to the virtual environment:
    root@ubuntu2204:~# source /opt/privacyidea/bin/activate
    (privacyidea) root@ubuntu2204:~# pip install gssapi
  Note: There is currently no gssapi wheel package for Linux, which means it needs to be compiled locally. The following packages are needed to build it: libkrb5-dev, python3-dev and gcc.
There are actually two different processes involved:
- The service account which is required to query the AD needs to be authenticated (LDAP bind).
- We need to check the user's password somehow in case the otppin=userstore policy is set (and for login at the WebUI).

For the first process we need an authenticated user (kinit). This also works with a keytab file.
For an already authenticated user (credentials in the cache file, see klist) we can use:
from ldap3 import Server, Connection, Tls, SASL, KERBEROS
import ssl

HOSTNAME = '<DC FQDN>'  # use the DC's DNS name, not its IP: GSSAPI targets the SPN ldap/<host>
# validate=ssl.CERT_NONE disables certificate validation and is for testing only;
# in production use validate=ssl.CERT_REQUIRED together with ca_certs_file=<CA bundle>.
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)
server = Server(HOSTNAME, use_ssl=True, tls=tls)
# No user given: GSSAPI uses the default credential cache filled by kinit
c = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS)
c.bind()
print(c.extend.standard.who_am_i())
And with a keytab file:
from ldap3 import Server, Connection, Tls, SASL, KERBEROS
import ssl

HOSTNAME = '<DC FQDN>'
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)  # testing only, see above
server = Server(HOSTNAME, use_ssl=True, tls=tls)
# user is the principal to acquire credentials for; cred_store points GSSAPI at the
# keytab, so no prior kinit is needed
c = Connection(server, user='<AD Service Account>@<REALM>', authentication=SASL, sasl_mechanism=KERBEROS,
               cred_store={'client_keytab': '/path/to/keytab/file'})
c.bind()
print(c.extend.standard.who_am_i())
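The keytab checks from the steps above (klist -kte output, file permissions) and the keytab bind with proper certificate validation, as an added example; this is not code from the original page or from privacyIDEA. The principal svc-pi@EXAMPLE.COM, the host dc1.example.com, the keytab and CA bundle paths are placeholders, and the klist output is constructed, not captured from a real system.

```python
"""Added example (not privacyIDEA code): sanity-check a service keytab before
wiring it into the LDAP resolver, then bind with ldap3 + GSSAPI using it.
Assumed placeholders: svc-pi@EXAMPLE.COM, dc1.example.com, the file paths."""
import os
import re
import stat
from datetime import datetime

# One data line of `klist -kte <keytab>` (MIT Kerberos): kvno, timestamp, principal, (enctype)
KLIST_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<principal>\S+)\s+\((?P<enctype>[^)]+)\)\s*$"
)

WEAK_ENCTYPES = ("arcfour-hmac", "des-cbc-crc", "des-cbc-md5", "des3-cbc-sha1")


def parse_klist_kte(output):
    """Parse `klist -kte` text into a list of dicts; header and separator lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append({
                "kvno": int(m.group("kvno")),
                "timestamp": datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S"),
                "principal": m.group("principal"),
                "enctype": m.group("enctype"),
            })
    return entries


def keytab_problems(entries, expected_principal):
    """Return human-readable findings; an empty list means the keytab looks usable."""
    problems = []
    mine = [e for e in entries if e["principal"] == expected_principal]
    if not mine:
        problems.append("no key for %s (check the case: the name is part of the AES salt)"
                        % expected_principal)
    if any(e["enctype"] in WEAK_ENCTYPES for e in mine):
        problems.append("weak enctype present; re-create the key with AES256-SHA1")
    kvnos = {e["kvno"] for e in mine}
    if len(kvnos) > 1:
        problems.append("mixed kvno %s; stale keys will fail kinit -kt" % sorted(kvnos))
    return problems


def keytab_file_problems(path, owner_uid=None):
    """Check that the keytab is not group/world accessible (and optionally owned by the service user)."""
    st = os.stat(path)
    problems = []
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o allows group/other access; use chmod 600" % stat.S_IMODE(st.st_mode))
    if owner_uid is not None and st.st_uid != owner_uid:
        problems.append("owned by uid %d, expected %d" % (st.st_uid, owner_uid))
    return problems


def bind_with_keytab(hostname, principal, keytab, ca_certs_file):
    """LDAPS bind with GSSAPI from a keytab. Unlike the snippet above this validates the
    DC certificate (CERT_REQUIRED) instead of CERT_NONE. Needs ldap3 and gssapi installed."""
    import ssl
    from ldap3 import Server, Connection, Tls, SASL, KERBEROS

    tls = Tls(validate=ssl.CERT_REQUIRED, version=ssl.PROTOCOL_TLSv1_2, ca_certs_file=ca_certs_file)
    server = Server(hostname, use_ssl=True, tls=tls)
    conn = Connection(server, user=principal, authentication=SASL, sasl_mechanism=KERBEROS,
                      cred_store={"client_keytab": keytab})
    if not conn.bind():
        raise RuntimeError("bind failed: %s" % conn.result)
    return conn.extend.standard.who_am_i()


# Constructed sample of `klist -kte` output (not captured from a real system)
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/privacyidea/svc-pi.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 01/15/2024 10:12:03 svc-pi@EXAMPLE.COM (aes256-cts-hmac-sha1-96) 
   1 01/15/2024 10:12:03 svc-pi@EXAMPLE.COM (arcfour-hmac) 
"""

if __name__ == "__main__":
    for p in keytab_problems(parse_klist_kte(SAMPLE_KLIST), "svc-pi@EXAMPLE.COM"):
        print("WARNING:", p)
    # Against a real DC (assumed names and paths):
    # print(bind_with_keytab("dc1.example.com", "svc-pi@EXAMPLE.COM",
    #                        "/etc/privacyidea/svc-pi.keytab", "/etc/ssl/certs/ad-ca.pem"))
```

Run the parser over the real `klist -kte <keytab file>` output and `keytab_file_problems()` over the keytab with the uid of the privacyidea user before pointing the resolver at it; the bind function only differs from the page's snippet in that a wrong or self-signed DC certificate makes it fail instead of silently connecting.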