Hey everybody,
I am trying to use nsswitch information from my openldap server which allows both simple-bind and SASL/GSSAPI authentication. My DIT in openldap works fine, as far as acls is concerned, my KDC works fine, I am able to kinit to any user I wish, and everything works just fine. My nss_ldap works as expected when I use my special account with simple-bind authentication, but when I try to use SASL/GSSAPI authentication instead, I cannot make things work (The truth is that I am not quite sure what the correct configuration would be, and googling it did not yield any obvious answers either...).
So here is what my /usr/local/etc/nss_ldap.conf looks like (as far as sasl is concerned. Everything else is omitted since it works with simple-bind authentication):
Code:
sasl_secprops maxssf=0
# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
use_sasl on
sasl_authid nss_auth_client
krb5_ccname FILE:/etc/nss_auth_client.key
where nss_auth_client is my krb5 principal, and /etc/nss_auth_client.key contains this principal's keytab. I've tried with the sasl_secprops option commented out with no luck either.
$ ktutil -k /etc/nss_auth_client.key list
Code:
/etc/nss_auth_client.key:
Vno Type Principal
1 des-cbc-md5 nss_auth_client@EXAMPLE.COM
1 des-cbc-md4 nss_auth_client@EXAMPLE.COM
1 des-cbc-crc nss_auth_client@EXAMPLE.COM
1 aes256-cts-hmac-sha1-96 nss_auth_client@EXAMPLE.COM
1 des3-cbc-sha1 nss_auth_client@EXAMPLE.COM
1 arcfour-hmac-md5 nss_auth_client@EXAMPLE.COM
$ ls -lrta /etc/nss_auth_client.key
Code:
-rw-r--r-- 1 root wheel - 410 18 Mar 15:24 /etc/nss_auth_client.key
I am able to
$ kinit -t /etc/nss_auth_client.key nss_auth_client
without any issues and klist shows:
Code:
Credentials cache: FILE:/tmp/krb5cc_0
Principal: nss_auth_client@EXAMPLE.COM
Issued Expires Principal
Mar 18 15:38:33 Mar 19 01:37:11 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Anyone know how to accomplish SASL/GSSAPI authentication on nss_ldap? My versions are as follows:
$ ls -lrta /var/db/pkg | egrep -i
Code:
drwxr-xr-x 2 root wheel - 512 13 Dec 09:30 cyrus-sasl-2.1.23_1/
drwxr-xr-x 2 root wheel - 512 13 Dec 09:31 openldap-sasl-client-2.4.23/
drwxr-xr-x 2 root wheel - 512 13 Dec 09:31 nss_ldap-1.265_4/
I use the BASE installation's heimdal, and:
$ uname -a
Code:
FreeBSD lala 8.1-STABLE FreeBSD 8.1-STABLE #1: Mon Sep 20 13:33:27 EEST 2010 root@lala:/usr/obj/usr/src/sys/FILESRV amd64
Thank you all for your time in advance,
mamalos
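Added example (not from the post or from nss_ldap itself): a local diagnostic that parses the SASL/GSSAPI directives of an nss_ldap.conf like the one above and checks what the file behind krb5_ccname actually contains. It assumes the usual two-byte Kerberos file headers (05 02 for a keytab, 05 03 or 05 04 for a FILE: credential cache), reads local files only, and never contacts the LDAP server or the KDC.

```python
import os, tempfile

# Format-version tags at the start of Kerberos files (assumption, see lead-in):
# keytab files begin with 05 02, FILE: credential caches with 05 03 or 05 04.
KEYTAB_MAGIC = b"\x05\x02"
CCACHE_MAGICS = (b"\x05\x03", b"\x05\x04")

def parse_nss_ldap_conf(text):
    """nss_ldap.conf is one 'directive value' per line; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            conf[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def classify_krb5_file(path):
    """Tell a keytab from a credential cache by its two-byte header."""
    with open(path, "rb") as fh:
        head = fh.read(2)
    if head == KEYTAB_MAGIC:
        return "keytab"
    return "ccache" if head in CCACHE_MAGICS else "unknown"

def check_sasl_config(conf):
    """Return findings about the SASL/GSSAPI directives; empty means nothing odd."""
    findings = []
    if conf.get("use_sasl") != "on":
        findings.append("use_sasl is not 'on'")
    if not conf.get("sasl_authid"):
        findings.append("sasl_authid is missing")
    ccname = conf.get("krb5_ccname", "")
    if ccname.startswith("FILE:"):  # nss_ldap hands this value to libkrb5 as KRB5CCNAME
        path = ccname[len("FILE:"):]
        if not os.path.isfile(path):
            findings.append(f"krb5_ccname file {path} does not exist")
        elif (kind := classify_krb5_file(path)) != "ccache":
            findings.append(f"krb5_ccname points at a {kind}, not a credential cache")
    return findings

def demo(header):
    # Check a conf shaped like the post's against a constructed file with this header.
    with tempfile.NamedTemporaryFile(delete=False, suffix=".key") as tmp:
        tmp.write(header + b"\x00" * 16)  # constructed sample bytes, not real key material
    conf = parse_nss_ldap_conf(
        f"use_sasl on\nsasl_authid nss_auth_client\nkrb5_ccname FILE:{tmp.name}\n")
    try:
        return check_sasl_config(conf)
    finally:
        os.unlink(tmp.name)
```

Running demo(b"\x05\x02") reports that the krb5_ccname file is a keytab, while demo(b"\x05\x04") reports nothing; point it at a real nss_ldap.conf with parse_nss_ldap_conf(open(path).read()) to check a live setup.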