Comments (8)
Yes, GSSAPI is missing from ldap2pg 6.0. go-ldap just released with GSSAPI support.
However, I don't know how to reproduce Kerberos auth in development environment and CI. Any help accepted!
from ldap2pg.
Do you want ldap2pg to ask you the Kerberos password? Do you use kinit or something like that?
from ldap2pg.
Thank you for your very quick feedback!
I am using keytabs for functional users such as the one used to execute ldap2pg.
It seems that authentication based on a keytab is supported by go-ldap: https://github.com/go-ldap/ldap/blob/56e5759aadc48129a33935b9de05b17151c1172e/gssapi/client.go#L31 If it can be used, this would be perfect in my case.
I will gladly help with the testing. Regarding the setup of Kerberos in the development environment, I am not sure what would be needed. Not sure if I could help there, but if I can, I will.
Thank you.
from ldap2pg.
Samba support for KDC is very experimental. Thus, implementing this is completely wild.
How do you configure ldapsearch to authenticate to AD using GSSAPI/Kerberos?
from ldap2pg.
I am using MIT Kerberos (no AD, no Samba involved). The set-up I have for such an environment is the following on Debian 12:
- apt-get install krb5-user libsasl2-modules-gssapi-mit
- Assuming that the user authorised to connect to the LDAP is called proxyuser, retrieve the keytab for that user from the Kerberos admin server and place it in a file, e.g. /etc/certificates/proxyuser.keytab
- Configure /etc/krb5.conf (the names of the Kerberos KDC servers are retrieved via DNS in that case):
[libdefaults]
default_realm = XXXX.YYY.ZZ
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
default_ccache_name = FILE:/tmp/krb5cc_%{uid}
renew_lifetime = 5d
dns_canonicalize_hostname = false
[domain_realm]
.xxxx.yyy.zz = XXXX.YYY.ZZ
[logging]
kdc = SYSLOG:INFO:DAEMON
- Retrieve a Kerberos ticket by authenticating with the keytab previously placed on the machine:
kinit -kt /etc/certificates/proxyuser.keytab proxyuser
where proxyuser is the name of the user allowed to query the LDAP server and list its content
- Issue the LDAP search:
ldapsearch -Y GSSAPI -U proxyuser -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"
If the ldaprc file put in my first post is placed in the same folder from which the ldapsearch command is issued, then the following command would be enough:
ldapsearch -Y GSSAPI -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"
If I understand correctly what the library you referred to is doing, the kinit part would not be needed as it would be handled by the library automatically from those variables: username, realm, keytabPath, krb5confPath
from ldap2pg.
Hi @phasenohr. Thanks for the details. Trying to authenticate ldapsearch against Samba with GSSAPI with Kerberos:
$ kinit -V -kt $PWD/administrator.keytab administrator
Using default cache: /tmp/krb5cc_1000
Using principal: administrator@BRIDOULOU.FR
Using keytab: /home/bersace/src/dalibo/ldap2pg/administrator.keytab
Authenticated to Kerberos v5
$ ldapsearch -U administrator@BRIDOULOU.FR -H ldaps://samba1.ldap2pg.docker -l 5 -Y GSSAPI -b cn=users,dc=bridoulou,dc=fr -s sub '(|(cn=owners)(cn=readers)(cn=writers))' member cn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)
I guess Samba AD needs to have itself declared as a server in one database. I don't know how or what. I have rdns = false and DNS resolution for my docker container.
from ldap2pg.
Hi @bersace
It probably means that the LDAP server is missing a keytab authorising it to authenticate through Kerberos.
With MIT Kerberos, you would need to create a keytab for the SPN ldap/fqdn@REALM, so in your example this would probably be ldap/samba1.ldap2pg.docker@BRIDOULOU.FR, but I do not know how you would configure that in Samba AD.
Also, you might need to update the [domain_realm] section on your client to match the .ldap2pg.docker domain with the BRIDOULOU.FR realm.
from ldap2pg.
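The two comments above hinge on which service principal name the client ends up asking the KDC for: the host part comes from the -H URL and the realm from the [domain_realm] mapping in krb5.conf, and the KDC must hold a key for exactly that name. The following Go program is an added example, not ldap2pg code and not posted by either participant. It parses the [libdefaults]/[domain_realm] subset of krb5.conf and applies the MIT lookup order (exact host entry, then parent domains with a leading dot, most specific first) to predict the SPN. The embedded krb5.conf is constructed for the example; the .ldap2pg.docker = BRIDOULOU.FR line is the mapping suggested above, assumed rather than taken from a real setup, and the referral/DNS fallbacks a real client uses when no entry matches are deliberately not modelled.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Krb5Config keeps the two krb5.conf settings that decide which service
// principal the client will ask the KDC for: default_realm and the
// [domain_realm] host/domain -> realm table.
type Krb5Config struct {
	DefaultRealm string
	DomainRealm  map[string]string
}

// ParseKrb5Conf reads the small ini-style subset of krb5.conf used here:
// default_realm from [libdefaults] and every "key = value" line from
// [domain_realm]. Other sections and comment lines are skipped.
func ParseKrb5Conf(text string) Krb5Config {
	cfg := Krb5Config{DomainRealm: map[string]string{}}
	section := ""
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '#' || line[0] == ';' {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			section = strings.ToLower(strings.Trim(line, "[]"))
			continue
		}
		key, val, ok := strings.Cut(line, "=")
		if !ok {
			continue
		}
		key, val = strings.TrimSpace(key), strings.TrimSpace(val)
		switch section {
		case "libdefaults":
			if key == "default_realm" {
				cfg.DefaultRealm = val
			}
		case "domain_realm":
			cfg.DomainRealm[strings.ToLower(key)] = val
		}
	}
	return cfg
}

// RealmForHost applies the [domain_realm] lookup order used by MIT krb5:
// an exact host-name entry first, then parent domains written with a
// leading dot, longest (most specific) first. ok=false means no static
// mapping exists; a real client then falls back to KDC referrals or DNS,
// which this example does not model.
func RealmForHost(cfg Krb5Config, host string) (realm string, ok bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if r, found := cfg.DomainRealm[host]; found {
		return r, true
	}
	for i, c := range host {
		if c == '.' {
			if r, found := cfg.DomainRealm[host[i:]]; found {
				return r, true
			}
		}
	}
	return "", false
}

// ServicePrincipal builds the SPN a GSSAPI client requests for service/host,
// e.g. ldap/samba1.ldap2pg.docker@BRIDOULOU.FR. If the KDC has no key for
// exactly this name, the TGS request fails with
// "Server not found in Kerberos database".
func ServicePrincipal(cfg Krb5Config, service, host string) (string, error) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	realm, ok := RealmForHost(cfg, host)
	if !ok {
		return "", fmt.Errorf("no [domain_realm] entry covers %q; add \".%s = REALM\" or a host entry",
			host, parentDomain(host))
	}
	return service + "/" + host + "@" + realm, nil
}

func parentDomain(host string) string {
	if i := strings.Index(host, "."); i >= 0 {
		return host[i+1:]
	}
	return host
}

// sampleConf is constructed for this example; the realm and host names are
// the ones used in the thread, and the .ldap2pg.docker mapping is assumed.
const sampleConf = `
[libdefaults]
default_realm = BRIDOULOU.FR
dns_canonicalize_hostname = false

[domain_realm]
.bridoulou.fr = BRIDOULOU.FR
# map the docker DNS name onto the Samba realm
.ldap2pg.docker = BRIDOULOU.FR
`

func main() {
	cfg := ParseKrb5Conf(sampleConf)
	for _, h := range []string{"samba1.ldap2pg.docker", "krbldap-001.xxxx.yyy.zz"} {
		spn, err := ServicePrincipal(cfg, "ldap", h)
		if err != nil {
			fmt.Println(h+":", err)
			continue
		}
		fmt.Println(h+":", spn)
	}
}
```

Run it against your own /etc/krb5.conf contents to see the exact ldap/host@REALM string the bind will request; that is the name that must exist (as a keytab entry on an MIT KDC, or as a registered SPN on an AD/Samba DC) before the GSSAPI bind can succeed.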
cf. #268 for reference.
from ldap2pg.