Linux - SoftwareThis forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I get the below error when attempting to authenticate to LDAP via SASL/GSSAPI/Kerberos (Ubuntu Server 14.04).
Code:
user@hostname:/$ sudo kinit -p user
user@hostname:/$ sudo klist -f
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user@DOMAIN
Valid starting Expires Service principal
16/02/15 16:53:45 17/02/15 04:53:45 krbtgt/DOMAIN@DOMAIN
renew until 17/02/15 16:53:45, Flags: PRI
user@hostname:/$ sudo ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Other (e.g., implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Permission denied)
An existing post with current configuration exists here.
I can successfully use Kerberos functions, and can also use the testsaslauthd and sasl-sample-{client|server} methods. I am certain the problem is in the configuration of LDAP.
Articles suggest that this is a keytab access problem but I have ruled this out; the correct export line is in the slapd script, the correct permissions are set on the file, the correct path is valid in the apparmor profile, and I can see from debugging that the principal ldap/fqdn@DOMAIN is used and authenticated correctly.
I have increased the logging levels of slapd and run through a standard test. Looking at the output in the syslog, I can see all the authentication up to the point that it looks for the user mapped to the GSSAPI dn.
Then something interesting appears:
Code:
Feb 18 15:18:45 hostname slapd[2050]: ==> sasl_bind: dn="" mech=GSSAPI datalen=593
Feb 18 15:18:45 hostname slapd[2050]: SASL [conn=1001] Failure: GSSAPI Error: An invalid name was supplied (Permission denied)
Feb 18 15:18:45 hostname slapd[2050]: send_ldap_result: conn=1001 op=0 p=3
Feb 18 15:18:45 hostname slapd[2050]: send_ldap_result: err=80 matched="" text="SASL(-1): generic failure: GSSAPI Error: An invalid name was supplied (Permission denied)"
Feb 18 15:18:45 hostname slapd[2050]: send_ldap_response: msgid=1 tag=97 err=80
Feb 18 15:18:45 hostname slapd[2050]: <== slap_sasl_bind: rc=80
If I am reading this right, the "invalid name" is because the dn is blank. I am assuming this is a fault of the olcAuthzRegexp property not correctly mapping the GSSAPI account to the LDAP account.
Here is what I have tried:
Code:
olcAuthzRegexp: {0}uid=([^,]*),cn=domain,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
olcAuthzRegexp: {1}uid=([^,]*),cn=DOMAIN,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
olcAuthzRegexp: {2}uid=([^,]*),cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
OR
olcAuthzRegexp: {0}uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=$2
olcAuthzRegexp: {2}uid=([^,]*),cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
OR
olcAuthzRegexp: {0}uid=([^,]*)(,cn=domain)?,cn=gssapi,cn=auth cn=$1,ou=Users,dc=hostname,dc=domain
None of these appear to work.
How can I inspect/debug what the dn passed to openldap by GSSAPI actually was?
I was concerned that the ldap/fqdn@DOMAIN principal was not being correctly mapped due to the Kerberos principals being stored separately to the LDAP User accounts, so I added an additional entry to correct the mapping.
So if you need to figure out the validity of your expressions, that's how. It doesn't help me identify whether this is actually what openldap is doing, or how far through the process it gets before an error, but it helps rule out a possible problem.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.