https://github.com/tannevaled/slapd-contrib
https://github.com/tannevaled/slapd-contrib
gssapi kerberos openldap passthru plain sasl saslauthd simple-bind
Last synced: 2 months ago
JSON representation
- Host: GitHub
- URL: https://github.com/tannevaled/slapd-contrib
- Owner: tannevaled
- License: bsd-3-clause
- Created: 2017-03-22T11:34:17.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2017-04-24T09:51:34.000Z (about 8 years ago)
- Last Synced: 2025-01-22T03:29:07.023Z (4 months ago)
- Topics: gssapi, kerberos, openldap, passthru, plain, sasl, saslauthd, simple-bind
- Size: 8.79 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# slapd-contrib
The purpose is to be able to bind simple to the LDAP directory while having the userPassword stored in Kerberos
## Kerberos
### Installation
### Configuration
```
[libdefaults]
default_realm = ..
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 1000000
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
# permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
.. = {
kdc = kdc...:88
admin_server = kdm...:749
default_domain = ..
}
[domain_realm]
... = ..
.. = ..
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
```
## PAM
### Configuration
#### /etc/pam.d/ldap
```
#%PAM-1.0
auth include password-auth
account include password-auth
```
## OpenLDAP
### Installation
####
```
make base
make init
make conf
```
### Configuration
#### /etc/nslcd.conf
```
uri ldap://ldap1... ldap://ldap2...
base dc=,dc=,dc=
```
#### /etc/openldap/ldap.conf
```
URI ldaps://ldap1... ldaps://ldap2...
BASE dc=,dc=,dc=
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
SASL_MECH PLAIN
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
```
#### /etc/openldap/slapd.conf
```
security ssf=1 update_ssf=112 simple_bind=64
# to get administration rights when authenticated with SASL/GSSAPI
authz-regexp "^uid=([^/,]*)/admin,cn=..,cn=GSSAPI,cn=auth" "cn=admin,dc=,dc=,dc="
# to get administration rights when authenticated with SASL/PLAIN
authz-regexp "^uid=([^/,]*),cn=plain,cn=auth" "uid=$1,ou=users,dc=,dc=,dc="
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.exact="cn=admin,dc=,dc=,dc=" manage
by * none
```
### user.ldif
Using the {SASL} prefix in the userPassword attribute let us use simple-bind for compatibility purpose.
cf http://www.lichteblau.com/ldapvi/cyrus-sasl/sysadmin.html
Realms will be passed to saslauthd as part of the saslauthd protocol, however the way each saslauthd module deals with the situation is different (for example, the LDAP plugin allows you to use the realm to query the server, while the rimap and PAM plugins ignore it entirely).
cf https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html
Traditionally, a principal is divided into three parts: the primary, the instance, and the realm. The format of a typical Kerberos V5 principal is primary/instance@REALM.
```
dn: uid=,ou=users,ou=,dc=,dc=
uid:
userPassword: {SASL}
```
## SASL
### Installation
### Configuration
#### /etc/sysconfig/saslauthd
```
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
#FLAGS="-O /etc/saslauthd.conf"
```
#### /etc/sasl2/slapd.conf
```
mech_list: PLAIN
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
```
###
```
# systemctl enable saslauthd
# systemctl start saslauthd
```
## Tests
### saslauthd authentication mechanisms
```
# saslauthd -v
saslauthd 2.1.26
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform
```
### slapd supported SASL Mechanisms
```
# ldapsearch -x -H ldapi:/// -b '' -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
```
### SASL / GSSAPI
```
# kinit @LABOS..
Password for @LABOS..:
# ldapvi -Z -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: @LABOS..
SASL SSF: 56
SASL data security layer installed.
162 entries read
No changes.
```
### SASL / PLAIN
```
# ldapvi -Z -Y PLAIN -U
SASL/PLAIN authentication started
--- SASL login
Type M-h for help on key bindings.
authorization name:
authentication name:
password: **********
SASL username:
SASL SSF: 0
162 entries read
No changes.
```
### SASL / SIMPLE-BIND PASSTHRU
```
# ldapvi -Z -D uid=,ou=users,ou=,dc=,dc=
--- Login
Type M-h for help on key bindings.
Filter or DN: uid=,ou=users,ou=,dc=,dc=
Password: **********
162 entries read
No changes.
```