Re: symas openldap-packages and kerberos

2022-01-03 Thread Quanah Gibson-Mount

--On Tuesday, December 21, 2021 10:19 PM +0100 Michael Ströder wrote:

> On 12/21/21 19:59, Stefan Kania wrote:
>> but I think that GSSAPI is not compiled in to the symas packages.
>
> Not true.
>
> It is linked against heimdal libs from package symas-heimdal-libs:
>
> # ldd /opt/symas/lib/slapd
> [..]
> libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x7f6d63716000)
> libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x7f6d6347e000)

An ldd of slapd never tells you whether or not it has GSSAPI support. Which
mechanisms SASL supports is limited by whatever modules are in
/opt/symas/lib/sasl2 (for Symas OpenLDAP builds). Similar idea for OS
builds, etc., just with their paths instead.

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:

Antw: [EXT] Re: symas openldap-packages and kerberos

2021-12-30 Thread Ulrich Windl
>>> Dieter Klünter wrote on 18.12.2021 at 07:28 in message
<20211218072816.769b4...@pink.fritz.box>:
> On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania wrote:
> 
>> Hello to all,
>> 
>> I'm trying to get GSSAPI authentication running with the
>> symas-packages. I generated a ldap.keytab file and it's readable for
>> the ldap-user running the slapd. With the Debian-packages I ad:
>> -
>> export KRB5_KTNAME="/path/to/ldap.keytab"
>> -
>> 
>> I don't want to use the system keytab /etc/krb5.keytab. How do I tell
>> slapd from the symas-packages to use my service-keytab?
>> 
>> I try to add to my /etc/default/symas-openldap:
>> -
>> KRB5_KTNAME="/path/to/ldap.keytab
>> -
>> but it's not working.
> 
> /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 cram-md5 external
> keytab: /etc/openldap/ldap.keytab
> 
> /etc/ldap.conf
> KRB5_KTNAME=/etc/openldap/krb5.keytab
> SASL_MECH GSSAPI
> SASL_REALM My.SASL.REALM

Dieter,

I wonder: Did you "just know", or is that documented somewhere? If the latter,
maybe also add where you found those pearls of wisdom.

Regards,
Ulrich

> 
> -Dieter
> 
> -- 
> Dieter Klünter | Systemberatung
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E

Re: symas openldap-packages and kerberos [solved]

2021-12-27 Thread Stefan Kania
Thanks for all the help, after all it's running. I think it has
something to do with my Ansible script and the order in which I installed the
packages and set up the configuration. I reinstalled all servers from
scratch and now it looks like this:
--
root@ldap01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: LOGIN
--
Again, thank you all for the help, several tips got me to the point.

Stefan


On 17.12.21 at 16:34, Stefan Kania wrote:
> Hello to all,
> 
> I'm trying to get GSSAPI authentication running with the symas-packages.
> I generated a ldap.keytab file and it's readable for the ldap-user
> running the slapd. With the Debian-packages I ad:
> -
> export KRB5_KTNAME="/path/to/ldap.keytab"
> -
> 
> I don't want to use the system keytab /etc/krb5.keytab. How do I tell
> slapd from the symas-packages to use my service-keytab?
> 
> I try to add to my /etc/default/symas-openldap:
> -
> KRB5_KTNAME="/path/to/ldap.keytab
> -
> but it's not working.
> 
> Stefan

Re: symas openldap-packages and kerberos

2021-12-26 Thread skeletor

17.12.2021 17:34, Stefan Kania wrote:
> Hello to all,
>
> I'm trying to get GSSAPI authentication running with the symas-packages.
> I generated a ldap.keytab file and it's readable for the ldap-user
> running the slapd. With the Debian-packages I ad:
> -
> export KRB5_KTNAME="/path/to/ldap.keytab"
> -
>
> I don't want to use the system keytab /etc/krb5.keytab. How do I tell
> slapd from the symas-packages to use my service-keytab?
>
> I try to add to my /etc/default/symas-openldap:
> -
> KRB5_KTNAME="/path/to/ldap.keytab
> -
> but it's not working.
>
> Stefan

Hello.
First of all you should determine if the env variable "KRB5_KTNAME" is being
used by the running process. Try this to extract all of its env variables:

strings -a /proc//environ

If you can't see KRB5_KTNAME, you can try to add

export KRB5_KTNAME="/path/to/ldap.keytab"

to the startup script.

If you see KRB5_KTNAME, that means symas-openldap doesn't use KRB5_KTNAME.
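A small diagnostic that follows the advice given in this thread, added here as an example and not code from any of the posters: it queries the root DSE for supportedSASLMechanisms (as Stefan does), checks the Cyrus SASL plugin directory instead of ldd output (Quanah's point), and inspects the slapd process environment for KRB5_KTNAME (skeletor's suggestion). The plugin directory /opt/symas/lib/sasl2 and the Cyrus SASL plugin file names libgssapiv2.so / libgs2.so are assumptions about the installation; override SASL_PLUGIN_DIR and LDAPURI for other builds.

```shell
#!/bin/sh
# gssapi-check.sh: added diagnostic helper, not code from the thread.
# It checks the three things the thread converges on:
#  1. which SASL mechanisms slapd advertises in its root DSE
#  2. whether a Cyrus SASL GSSAPI plugin exists in the plugin directory
#     (the ldd output says nothing about GSSAPI; this directory decides)
#  3. whether the running slapd actually has KRB5_KTNAME in its environment
# Assumed paths: Symas layout under /opt/symas; override with SASL_PLUGIN_DIR/LDAPURI.

# has_mech MECH: read ldapsearch root DSE output on stdin; 0 if MECH is listed.
has_mech() {
    grep -i -q "^supportedSASLMechanisms: $1\$"
}

# advertised_mechs: anonymous (-x) root DSE query over the local ldapi socket.
advertised_mechs() {
    ldapsearch -x -H "${LDAPURI:-ldapi:///}" -b "" -LLL -s base \
        supportedSASLMechanisms 2>/dev/null
}

# sasl_gssapi_plugin DIR: 0 if a GSSAPI-capable Cyrus SASL plugin is present.
# Cyrus SASL ships the GSSAPI mechanism as libgssapiv2.so and the GS2 family
# as libgs2.so; without one of them slapd cannot offer GSSAPI, however many
# Kerberos libraries the slapd binary itself is linked against.
sasl_gssapi_plugin() {
    for f in "$1"/libgssapiv2.so* "$1"/libgs2.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# env_file_has FILE VAR: 0 if VAR is set in a NUL-separated environ file.
env_file_has() {
    tr '\000' '\n' < "$1" 2>/dev/null | grep -q "^$2="
}

# proc_env_has PID VAR: the same check against a live process.
proc_env_has() {
    env_file_has "/proc/$1/environ" "$2"
}

diagnose() {
    plugdir=${SASL_PLUGIN_DIR:-/opt/symas/lib/sasl2}
    if advertised_mechs | has_mech GSSAPI; then
        echo "root DSE: GSSAPI advertised"
    else
        echo "root DSE: GSSAPI NOT advertised"
    fi
    if sasl_gssapi_plugin "$plugdir"; then
        echo "plugins:  GSSAPI plugin present in $plugdir"
    else
        echo "plugins:  no libgssapiv2/libgs2 in $plugdir"
    fi
    for pid in $(pgrep -x slapd 2>/dev/null); do
        if proc_env_has "$pid" KRB5_KTNAME; then
            echo "slapd $pid: KRB5_KTNAME set in process environment"
        else
            echo "slapd $pid: KRB5_KTNAME not set (default keytab applies)"
        fi
    done
}
# Run the diagnosis only when invoked as: sh gssapi-check.sh --run
if [ "${1:-}" = "--run" ]; then diagnose; fi
```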


Re: symas openldap-packages and kerberos

2021-12-23 Thread Dieter Klünter
On Wed, 22 Dec 2021 14:27:37 +0100, Stefan Kania wrote:

> On 22.12.21 at 13:18, Dieter Klünter wrote:
> > /* OpenLDAP SASL options */
> > [...]
> > /* OpenLDAP GSSAPI options */
> > #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT  0x6200
> > #define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL   0x6201  
> 

Did you simply test with ldapwhoami(1) and all available mechanisms?

ldapwhoami -Y gssapi -U dieter -H ldapi:///
SASL/GSSAPI authentication started
SASL username: dieter@MyREALM
SASL SSF: 256
SASL data security layer installed.
dn: 

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Stefan Kania

On 22.12.21 at 13:01, Dieter Klünter wrote:
> You probably missed the header files, check /usr/include/gssapi/
> and /usr/include/krb5/
> and probably some more.
> and check the libraries in /usr/lib64/sasl2/


I installed libkrb5-dev krb5-multidev libsasl2-dev


I found:
root@ldap25-p02:/opt# ls /usr/include/gssapi/
gssapi_ext.h  gssapi_generic.h  gssapi.h  gssapi_krb5.h  mechglue.h

root@ldap25-p02:/opt# ls /usr/include/krb5/
ccselect_plugin.h  certauth_plugin.h  clpreauth_plugin.h
hostrealm_plugin.h  kadm5_auth_plugin.h  kadm5_hook_plugin.h
kdcpolicy_plugin.h  kdcpreauth_plugin.h  krb5.h  localauth_plugin.h
locate_plugin.h  plugin.h  preauth_plugin.h  pwqual_plugin.h

root@ldap25-p02:/opt# ls /usr/include/sasl/
hmac-md5.h  md5global.h  md5.h  prop.h  sasl.h  saslplug.h  saslutil.h

Recompiled openldap and now I finally got:

root@ldap25-p02:/opt# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN


But still GSSAPI is not showing up on my hosts with the symas-packages
installed.

I checked the installed sasl2 and krb5 packages of the self compiled
system and the system with the symas packages. The lists of the packages
are identical.


Re: symas openldap-packages and kerberos

2021-12-22 Thread Stefan Kania

On 22.12.21 at 13:18, Dieter Klünter wrote:
> /* OpenLDAP SASL options */
> [...]
> /* OpenLDAP GSSAPI options */
> #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT  0x6200
> #define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL   0x6201

-- 

I did:

root@ldap25-p02:/opt/openldap-2.6.0# grep -ir X_GSSAPI *

and got... nothing


Re: symas openldap-packages and kerberos

2021-12-22 Thread Dieter Klünter
On Wed, 22 Dec 2021 12:49:54 +0100, Dieter Klünter wrote:

> On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania wrote:
> 
> > On 22.12.21 at 10:31, Stefan Kania wrote:
> > > either it's still a configuration problem, or it's missing. If
> > > it's a configuration problem, how can I fix it?
> > 
> > I now built OpenLDAP from source with this options:
> > --
> > ./configure --enable-argon2 --with-argon2=libargon2
> > --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> > --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> > --enable-modules --enable-dynamic --enable-syslog --enable-debug
> > --enable-local --enable-spasswd --disable-sql
> > --prefix=/opt/openldap-current --with-sasl=yes
> > --
> > Still no gssapi :-(. Did I miss something here?  
> [...]
> 
> You probably missed the header files, check /usr/include/gssapi/
> and /usr/include/krb5/
> and probably some more.

Sorry, just another hint. Check the source file
openldap/include/ldap.h

/* OpenLDAP SASL options */
[...]
/* OpenLDAP GSSAPI options */
#define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT  0x6200
#define LDAP_OPT_X_GSSAPI_ALLOW_REMOTE_PRINCIPAL   0x6201

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Dieter Klünter
On Wed, 22 Dec 2021 12:49:54 +0100, Dieter Klünter wrote:

> On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania wrote:
> 
> > On 22.12.21 at 10:31, Stefan Kania wrote:
> > > either it's still a configuration problem, or it's missing. If
> > > it's a configuration problem, how can I fix it?
> > 
> > I now built OpenLDAP from source with this options:
> > --
> > ./configure --enable-argon2 --with-argon2=libargon2
> > --with-cyrus-sasl --with-tls=openssl --enable-overlays=mod
> > --enable-backends=mod --disable-perl --disable-ndb --enable-crypt
> > --enable-modules --enable-dynamic --enable-syslog --enable-debug
> > --enable-local --enable-spasswd --disable-sql
> > --prefix=/opt/openldap-current --with-sasl=yes
> > --
> > Still no gssapi :-(. Did I miss something here?  
> [...]
> 
You probably missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probably some more.
and check the libraries in /usr/lib64/sasl2/

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Dieter Klünter
On Wed, 22 Dec 2021 11:38:32 +0100, Stefan Kania wrote:

> On 22.12.21 at 10:31, Stefan Kania wrote:
> > either it's still a configuration problem, or it's missing. If it's
> > a configuration problem, how can I fix it?  
> 
> I now built OpenLDAP from source with this options:
> --
> ./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl
> --with-tls=openssl --enable-overlays=mod --enable-backends=mod
> --disable-perl --disable-ndb --enable-crypt --enable-modules
> --enable-dynamic --enable-syslog --enable-debug --enable-local
> --enable-spasswd --disable-sql --prefix=/opt/openldap-current
> --with-sasl=yes
> --
> Still no gssapi :-(. Did I miss something here?
[...]

You probably missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probably some more.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-22 Thread Stefan Kania

On 22.12.21 at 10:31, Stefan Kania wrote:
> either it's still a configuration problem, or it's missing. If it's a
> configuration problem, how can I fix it?

I now built OpenLDAP from source with these options:
--
./configure --enable-argon2 --with-argon2=libargon2 --with-cyrus-sasl
--with-tls=openssl --enable-overlays=mod --enable-backends=mod
--disable-perl --disable-ndb --enable-crypt --enable-modules
--enable-dynamic --enable-syslog --enable-debug --enable-local
--enable-spasswd --disable-sql --prefix=/opt/openldap-current
--with-sasl=yes
--
Still no gssapi :-(. Did I miss something here?


--
root@ldap-p01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN

root@ldap-p01:~# ldd /opt/openldap-current/libexec/slapd
linux-vdso.so.1 (0x7ffc23985000)
libldap.so.2 => /opt/openldap-current/lib/libldap.so.2 (0x7f160e666000)
liblber.so.2 => /opt/openldap-current/lib/liblber.so.2 (0x7f160e657000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x7f160e646000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f160e641000)
libsasl2.so.2 => /lib/x86_64-linux-gnu/libsasl2.so.2 (0x7f160e624000)
libssl.so.1.1 => /lib/x86_64-linux-gnu/libssl.so.1.1 (0x7f160e592000)
libcrypto.so.1.1 => /lib/x86_64-linux-gnu/libcrypto.so.1.1 (0x7f160e2a7000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x7f160e26d000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x7f160e253000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f160e232000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f160e071000)
/lib64/ld-linux-x86-64.so.2 (0x7f160e872000)

--
As long as I can't see "supportedSASLMechanisms: GSSAPI" I can't get the
kerberos-authentication working.


Re: symas openldap-packages and kerberos

2021-12-22 Thread Stefan Kania

On 21.12.21 at 22:19, Michael Ströder wrote:
> 
> # ldd /opt/symas/lib/slapd
> [..]
> libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x7f6d63716000)
> libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x7f6d6347e000)

I don't know which packages you are using, but I can't confirm that:
-
root@ldap01:~# dpkg -l | grep symas
ii  symas-cyrus-sasl-lib    2.1.27-4bullseye1         amd64  Cyrus-SASL Libraries
ii  symas-heimdal-lib       7.7.0-5bullseye1          amd64  Heimdal Libraries
ii  symas-libargon2-lib     20190702-2bullseye1       amd64  libargon2 libraries
ii  symas-libevent-lib      2.1.12-stable-2bullseye1  amd64  libevent Libraries
ii  symas-openldap-clients  2.6.0-5bullseye1          amd64  OpenLDAP Client Binaries
ii  symas-openldap-lib      2.6.0-5bullseye1          amd64  OpenLDAP Libraries
ii  symas-openldap-server   2.6.0-5bullseye1          amd64  OpenLDAP Server Binaries
ii  symas-openssl-lib       1.1.1l-2bullseye1         amd64  OpenSSL Libraries
-

I can find /opt/symas/lib/libgssapi.so.3  but as you can see, in my
"ldd" output, it's not used.
-
root@ldap01:~# ldd /opt/symas/lib/slapd
linux-vdso.so.1 (0x7fff036e)
libldap.so.2 => /opt/symas/lib/libldap.so.2 (0x7f53191c7000)
liblber.so.2 => /opt/symas/lib/liblber.so.2 (0x7f53191b6000)
libltdl.so.7 => /lib/x86_64-linux-gnu/libltdl.so.7 (0x7f53191a7000)
libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x7f53190f2000)
libsasl2.so.3 => /opt/symas/lib/libsasl2.so.3 (0x7f53190d5000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x7f531909a000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x7f5319076000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x7f5318eb1000)
libresolv.so.2 => /lib/x86_64-linux-gnu/libresolv.so.2 (0x7f5318e97000)
libssl.so.1.1 => /opt/symas/lib/libssl.so.1.1 (0x7f5318e06000)
libcrypto.so.1.1 => /opt/symas/lib/libcrypto.so.1.1 (0x7f5318b2d000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x7f5318b27000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x7f5318b1a000)
liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x7f5318af2000)
libzstd.so.1 => /lib/x86_64-linux-gnu/libzstd.so.1 (0x7f5318a17000)
liblz4.so.1 => /lib/x86_64-linux-gnu/liblz4.so.1 (0x7f53189f4000)
libgcrypt.so.20 => /lib/x86_64-linux-gnu/libgcrypt.so.20 (0x7f53188d4000)
/lib64/ld-linux-x86-64.so.2 (0x7f53193de000)
libgpg-error.so.0 => /lib/x86_64-linux-gnu/libgpg-error.so.0 (0x7f53188ac000)
--
So no gssapi included.

My os is:

-
root@ldap01:~# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
VERSION_CODENAME=bullseye
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
-
either it's still a configuration problem, or it's missing. If it's a
configuration problem, how can I fix it?

Stefan


Re: symas openldap-packages and kerberos

2021-12-21 Thread Michael Ströder

On 12/21/21 19:59, Stefan Kania wrote:
> but I think that GSSAPI is not compiled in to the symas packages.

Not true.

It is linked against heimdal libs from package symas-heimdal-libs:

# ldd /opt/symas/lib/slapd
[..]
libgssapi.so.3 => /opt/symas/lib/libgssapi.so.3 (0x7f6d63716000)
libkrb5.so.26 => /opt/symas/lib/libkrb5.so.26 (0x7f6d6347e000)

Ciao, Michael.


Re: symas openldap-packages and kerberos

2021-12-21 Thread Stefan Kania

On 21.12.21 at 14:14, Dieter Klünter wrote:
> On Sat, 18 Dec 2021 07:28:16 +0100, Dieter Klünter wrote:
> 
>> On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania wrote:
>>
>>> Hello to all,
>>>
>>> I'm trying to get GSSAPI authentication running with the
>>> symas-packages. I generated a ldap.keytab file and it's readable for
>>> the ldap-user running the slapd. With the Debian-packages I ad:
>> [...]
>> /etc/sasl2/slapd.conf
>> mech_list: gssapi digest-md5 cram-md5 external
>> keytab: /etc/openldap/ldap.keytab
>>
>> /etc/ldap.conf
>> KRB5_KTNAME=/etc/openldap/krb5.keytab
>> SASL_MECH GSSAPI
>> SASL_REALM My.SASL.REALM
> 
> I remember that I did in the old days some successful debugging with
> sasl-server and sasl-client.
> 

I will test it, but I think that GSSAPI is not compiled in to the symas
packages.

Stefan
> -Dieter
> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps to reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html
Download of the root certificates: https://www.dgn.de/dgncert/downloads.html


Re: symas openldap-packages and kerberos

2021-12-21 Thread Dieter Klünter
On Sat, 18 Dec 2021 07:28:16 +0100, Dieter Klünter wrote:

> On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania wrote:
> 
> > Hello to all,
> > 
> > I'm trying to get GSSAPI authentication running with the
> > symas-packages. I generated a ldap.keytab file and it's readable for
> > the ldap-user running the slapd. With the Debian-packages I ad:
>[...]
> /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 cram-md5 external
> keytab: /etc/openldap/ldap.keytab
> 
> /etc/ldap.conf
> KRB5_KTNAME=/etc/openldap/krb5.keytab
> SASL_MECH GSSAPI
> SASL_REALM My.SASL.REALM

I remember that I did in the old days some successful debugging with
sasl-server and sasl-client.

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


Re: symas openldap-packages and kerberos

2021-12-20 Thread Stefan Kania
Hi Dieter

On 18.12.21 at 07:28, Dieter Klünter wrote:
> /etc/sasl2/slapd.conf
> mech_list: gssapi digest-md5 cram-md5 external
> keytab: /etc/openldap/ldap.keytab
> 
> /etc/ldap.conf
> KRB5_KTNAME=/etc/openldap/krb5.keytab
> SASL_MECH GSSAPI
> SASL_REALM My.SASL.REALM

The configuration is working but for the symas-packages the files must
be in /opt/symas/etc/sasl2 and /opt/symas/etc.

But now the ldap server is missing GSSAPI:
--
root@ldap01:~# ldapwhoami
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Authentication method not supported (7)
additional info: SASL(-4): no mechanism available: Couldn't find
mech GSSAPI
-
The package "libsasl2-modules-gssapi-mit", "libgssapi-krb5-2" and
"symas-cyrus-sasl-lib" are installed but:
-
root@ldap01:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
-

It is not showing GSSAPI as a valid mechanism. As I said, it's the first time
I try the symas-packages with kerberos: did I miss something else?

If I do the same on Debian 10 with the Debian OpenLDAP-packages I get:
---
root@provider-stat:~# ldapsearch -x -H ldapi:/// -b "" -LLL -s base
supportedSASLMechanisms
dn:
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: SCRAM-SHA-256
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
---

Stefan


Re: symas openldap-packages and kerberos

2021-12-17 Thread Dieter Klünter
On Fri, 17 Dec 2021 16:34:41 +0100, Stefan Kania wrote:

> Hello to all,
> 
> I'm trying to get GSSAPI authentication running with the
> symas-packages. I generated a ldap.keytab file and it's readable for
> the ldap-user running the slapd. With the Debian-packages I ad:
> -
> export KRB5_KTNAME="/path/to/ldap.keytab"
> -
> 
> I don't want to use the system keytab /etc/krb5.keytab. How do I tell
> slapd from the symas-packages to use my service-keytab?
> 
> I try to add to my /etc/default/symas-openldap:
> -
> KRB5_KTNAME="/path/to/ldap.keytab
> -
> but it's not working.

/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab

/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM

-Dieter

-- 
Dieter Klünter | Systemberatung
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E


symas openldap-packages and kerberos

2021-12-17 Thread Stefan Kania
Hello to all,

I'm trying to get GSSAPI authentication running with the symas-packages.
I generated a ldap.keytab file and it's readable for the ldap-user
running the slapd. With the Debian-packages I ad:
-
export KRB5_KTNAME="/path/to/ldap.keytab"
-

I don't want to use the system keytab /etc/krb5.keytab. How do I tell
slapd from the symas-packages to use my service-keytab?

I try to add to my /etc/default/symas-openldap:
-
KRB5_KTNAME="/path/to/ldap.keytab
-
but it's not working.

Stefan