concept: LDAP resolver with Kerberos auth
Using Kerberos Authentication in LDAP-Resolver (#770)
This was done using Ubuntu 22.04, YMMV
-
Install packages:
realmd krb5-user -
Set nameserver to Domain Controller (if not done automatically):
netplan set ethernets.eth0.nameservers.addresses=[<DC IP>]netplan set ethernets.eth0.nameservers.search=[<Domain>]netplan apply
It is a good idea to set the timeserver to the DC as well.
Also make sure the privacyIDEA host and the DCs are resolvable via reverse DNS (or just add<IP> <FQDN>in/etc/hosts) so that-
$ host <IP>and$ host <FQDN>both work
-
Join the Domain[1]:
realm join <Domain> -U <Domain-Admin>This will also install additional packages (sssd-tools adcli sssd libnss-sss libpam-sss) -
Configure Kerberos realms[2]:
- Add to
/etc/krb5.conf:... [realms] <REALM> = { kdc = <DC IP> admin_server = <DC IP> } [domain_realm] .<domain name> = <REALM> <domain name> = <REALM> ...default_realm = <REALM>should already be set
- Add to
-
Check with
realm listif the Domain join was successfull. You should now be able to authenticate against the AD:kinit <AD-user> -
Create a keytab file for authenticating the service account:
- Linux[2]:
$ ktutilktutil: addent -password -p <AD Service Account>@<REALM> -k 1 -e AES256-SHA1- Check with
ktutil: list ktutil: wkt <Service Account>.keytab
- Windows (PowerShell)[3]:
-
ktpass -out <Service Account>.keytab -mapUser <AD Service Account>@<REALM> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ <AD Service Account>@<REALM>(Attention: this resets the password of the user account to a randomized password!)
-
- You can check the keytab file with:
$ klist -kte <keytab file>
- To check if the authentication works with the keytab:e
$ kinit -kt <keytab file> <AD Service Account>@<REALM>-
$ klistshould then show a valid tgt
- The keytab file should have only read/write permissions for the user. Make sure it is readable by the privacyidea/webserver user.
- Linux[2]:
After installing privacyIDEA You need to add the gssapi package to the virtual environment:
root@ubuntu2204:~# source /opt/privacyidea/bin/activate
(privacyidea) root@ubuntu2204:~# pip install gssapi
Note: There is currently no
gssapiwheel package for Linux which means that it needs to be compiled locally. The following packages are needed to build it:libkrb5-dev,python3-devandgcc
There are actually two different processes involved:
- The Service Account which is required to query the AD needs to be authenticated (LDAP Bind)
- We need to check the users password somehow in case the
otppin=userstorepolicy is set (and for login at the WebUI)
For the first process we need an authenticated user (kinit). This also works with a keytab file.
For an authenticated user (credentials in cache file: klist) we can use:
from ldap3 import Server, Connection, Tls, SASL, KERBEROS
import ssl
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)
server = Server(HOSTNAME, use_ssl=True, tls=tls)
c = Connection(server, authentication=SASL, sasl_mechanism=KERBEROS)
c.bind()
print(c.extend.standard.who_am_i())And with a keytab file:
from ldap3 import Server, Connection, Tls, SASL, KERBEROS
import ssl
tls = Tls(validate=ssl.CERT_NONE, version=ssl.PROTOCOL_TLSv1_2)
server = Server(HOSTNAME, use_ssl=True, tls=tls)
c = Connection(server, user='<service>@<DOMAIN>', authentication=SASL, sasl_mechanism=KERBEROS,
cred_store={'client_keytab': '/path/to/keytab/file'})
c.bind()
print(c.extend.standard.who_am_i())