Re: Need help in nslcd setup for kerberoes+ldap


Hi Bill
 
Thank you so much for the quick reply. I could progress in getting nslcd working with GSSAPI to fetch the LDAP user details on a Debian desktop.
 
But, now I am trying to get a similar setup working on an embedded system, and using the same configuration files, nslcd on the embedded system fails to bind to the LDAP server.
 
Here is the nslcd trace on my embedded system:
nslcd: [8b4567] DEBUG: connection from pid=3561 uid=0 gid=0
nslcd: [8b4567] <passwd="tom"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=tom))")
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_sasl_bind_s(NULL,"GSSAPI",NULL) (uri="ldap://raspberrypi")
nslcd: [8b4567] <passwd="tom"> failed to bind to LDAP server ldap://raspberrypi: SASL bind in progress: SASL(0): successful result:
nslcd: [8b4567] <passwd="tom"> DEBUG: ldap_unbind()
nslcd: [8b4567] <passwd="tom"> no available LDAP server found, sleeping 1 seconds
 
Below is my trace on a working Debian client:
 
nslcd: [8b4567] DEBUG: connection from pid=370 uid=0 gid=0
nslcd: [8b4567] <passwd="*"> request denied by validnames option
nslcd: [7b23c6] DEBUG: connection from pid=370 uid=0 gid=0
nslcd: [7b23c6] <passwd="tom"> DEBUG: myldap_search(base="dc=example,dc=com", filter="(&(objectClass=posixAccount)(uid=tom))")
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_initialize(ldap://raspberrypi)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_rebind_proc()
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_OFF)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_sasl_interactive_bind_s(NULL,"GSSAPI") (uri="ldap://raspberrypi")
nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <passwd="tom"> DEBUG: do_sasl_interact(): were asked for sasl_authzid but we don't have any
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): uid=tom,ou=people,dc=example,dc=com
nslcd: [7b23c6] <passwd="tom"> (re)loading /etc/nsswitch.conf
nslcd: [7b23c6] <passwd="tom"> DEBUG: ldap_result(): end of results (1 total)
 
I am trying to understand why nslcd calls 'ldap_sasl_interactive_bind_s' in the Debian client setup and calls 'ldap_sasl_bind_s' in the case of my embedded system?
 
Is that the reason for nslcd getting a bind failure?
 
Here is my nslcd.conf:
  root@mysystem:~# cat /etc/nslcd.conf
  uid root
  gid root
  uri ldap://raspberrypi
  base dc=example,dc=com
  scope sub
 
  ldap_version 3
  sasl_mech GSSAPI
  krb5_ccname FILE:/run/localhost.tgt
  referrals   off
  pagesize 1000
 
Thanks and Regards,
Raviteja Bailapudi
IBM Systems & Technology Lab, Firmware Development,
 
 
----- Original message -----
From: Bill MacAllister <whm@dropbox.com>
Sent by: "nss-pam-ldapd-users" <nss-pam-ldapd-users-bounces+rbailapu=in.ibm.com@lists.arthurdejong.org>
To: nss-pam-ldapd-users@lists.arthurdejong.org
Cc:
Subject: Re: Need help in nslcd setup for kerberoes+ldap
Date: Thu, Nov 29, 2018 2:49 AM
 
On 11/28/18 7:06 AM, Raviteja Bailapudi wrote:
> Hi
> I have a working setup of (LDAPSEARCH+GSSAPI) and was able to
> successfully get the LDAP user details using ldapsearch after
> getting the tokens using kinit.
> Now, I am trying to replicate a similar client setup using pam_krb5
> and nslcd. Can you please help by providing a sample configuration for
> nslcd (which uses GSSAPI and krb5_ccname)?
krb5_ccname needs to point to a valid Kerberos ticket cache.  Here are
the relevant authorization bits from our nslcd.conf:

sasl_mech GSSAPI
krb5_ccname FILE:/var/run/host.tgt

We use a systemd unit file like the following to maintain that ticket cache.

[Unit]
Description=Maintain Localhost Kerberos Ticket Cache

[Service]
ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \
     -k /run/localhost.tgt host/somehost.com

[Install]
WantedBy=multi-user.target

Basically it just makes sure that k5start is running.
> Do we still require bind_dn and bind_passwd for nslcd (while using
> the GSSAPI method for authentication)?
No, a valid keytab file is sufficient.
> And how would I generate the content for krb5_ccname?
See above.


Bill

--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
https://lists.arthurdejong.org/nss-pam-ldapd-users/
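With GSSAPI, nslcd can only bind if the cache named by krb5_ccname is the one k5start keeps refreshed with -k (note that Bill's snippet names /var/run/host.tgt in nslcd.conf but /run/localhost.tgt in the unit). The script below is an added check, not part of nss-pam-ldapd or this thread: it parses an nslcd.conf and a k5start unit file and reports where they disagree. The sample inputs are constructed from the thread, and it assumes /var/run is an alias of /run.

```python
import os
import re
import shlex

# Sample inputs constructed from the thread (poster's nslcd.conf, Bill's unit).
NSLCD_CONF = """uid root
sasl_mech GSSAPI
krb5_ccname FILE:/run/localhost.tgt
"""
K5START_UNIT = """[Service]
ExecStart=/usr/bin/k5start -L -K 6 -l 10h -f /etc/krb5.keytab \\
     -k /run/localhost.tgt host/somehost.com
"""

def parse_nslcd_conf(text):
    """nslcd.conf is 'option value' per line; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            opts[key] = value.strip()
    return opts

def k5start_cache_path(unit_text):
    """Return the -k argument of ExecStart= (line continuations joined)."""
    m = re.search(r"^ExecStart=(.*)$", unit_text.replace("\\\n", " "), re.M)
    argv = shlex.split(m.group(1)) if m else []
    return argv[argv.index("-k") + 1] if "-k" in argv else None

def norm(path):
    # Assumption: /var/run is an alias of /run, as on current Debian.
    return os.path.normpath(re.sub(r"^/var/run/", "/run/", path))

def check_ccache_setup(conf_text, unit_text):
    """List the mismatches between nslcd's krb5_ccname and k5start's -k."""
    findings = []
    opts = parse_nslcd_conf(conf_text)
    ccname = opts.get("krb5_ccname", "")
    if opts.get("sasl_mech") == "GSSAPI" and not ccname:
        findings.append("sasl_mech GSSAPI set but krb5_ccname is missing")
    kind, _, path = ccname.partition(":")
    if ccname and kind != "FILE":
        findings.append(f"krb5_ccname type {kind!r} is not FILE")
    kpath = k5start_cache_path(unit_text)
    if kpath is None:
        findings.append("ExecStart has no k5start -k cache path")
    elif path and norm(path) != norm(kpath):
        findings.append(f"nslcd reads {path} but k5start writes {kpath}")
    return findings
```

An empty list means nslcd and k5start agree on the cache file; anything else is worth fixing before looking at the SASL exchange itself.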
 
