I got it working Kerberos 5 authentication in 389-console for standard user accounts. none of the users Ive tested with have password fields in the LDAP database they are only authenticating via Kerberos through PAM. why is this a big deal the 389-console does not support SASL so GSSAPI doesn't work either. I had to implement mod_auth_pam "yum install -y mod_auth_pam.x86_64" Then I had to configure pam_passthru http://www.port389.org/docs/389ds/howto/howto-pam-pass-through.html (by the way I have some notes on things that should be revised on that page) Then I had to modify two config files. listed below in unified diffs next there are several ACI's that needed to be altered to provide the users with the required permissions those I'm still working out. here are the two files that need to be modified " --- /etc/dirsrv/admin-serv/httpd.conf.bak 2013-08-20 15:34:35.000000000 -0400 +++ /etc/dirsrv/admin-serv/httpd.conf 2015-03-15 13:59:05.431490104 -0400 @@ -134,6 +134,9 @@ LoadModule restartd_module /usr/lib64/dirsrv/modules/mod_restartd.so LoadModule nss_module /usr/lib64/httpd/modules/libmodnss.so LoadModule admserv_module /usr/lib64/dirsrv/modules/mod_admserv.so +LoadModule auth_pam_module /usr/lib64/httpd/modules/mod_auth_pam.so +LoadModule auth_sys_group_module /usr/lib64/httpd/modules/mod_auth_sys_group.so + ### Section 2: 'Main' server configuration # " " --- /etc/dirsrv/admin-serv/admserv.conf.bak 2013-08-20 15:34:35.000000000 -0400 +++ /etc/dirsrv/admin-serv/admserv.conf 2015-03-15 12:45:38.906535271 -0400 @@ -74,6 +74,8 @@ AuthUserFile /etc/dirsrv/admin-serv/admpw AuthType basic AuthName "Admin Server" + AuthPAM_Enabled on + AuthPAM_FallThrough on Require valid-user Order allow,deny Allow from all @@ -84,6 +86,8 @@ AuthUserFile /etc/dirsrv/admin-serv/admpw AuthType basic AuthName "Admin Server" + AuthPAM_Enabled on + AuthPAM_FallThrough on Require valid-user AdminSDK on ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin @@ -97,6 +101,8 @@ AuthUserFile /etc/dirsrv/admin-serv/admpw AuthType basic AuthName "Admin Server" + AuthPAM_Enabled on + AuthPAM_FallThrough on Require valid-user AdminSDK on ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin @@ -111,6 +117,8 @@ AuthUserFile /etc/dirsrv/admin-serv/admpw AuthType basic AuthName "Admin Server" + AuthPAM_Enabled on + AuthPAM_FallThrough on Require valid-user Order allow,deny Allow from all @@ -123,6 +131,8 @@ AuthUserFile /etc/dirsrv/admin-serv/admpw AuthType basic AuthName "Admin Server" + AuthPAM_Enabled on + AuthPAM_FallThrough on Require valid-user ## turn off the password pipe when using mod_restartd AdminSDK off " On Sun, Mar 15, 2015 at 12:39 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote: > No thats not it at all. that already works for users authenticating > via SASL GSSAPI > This is a legacy LDAPv2 simple bind with TLS instead of SSL. > SASL does not apply here from what I can see. > it looks like the username and password are being passed but with the > the kerberos principal as the username. so instead I'm going to > reattempt this via an other route utilizing PAM. > > > > > On Fri, Mar 13, 2015 at 11:58 AM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote: >> >> >> On 03/11/2015 05:48 PM, prmarino1@xxxxxxxxx wrote: >>> >>> Update I got pulled away on something else but there is progress. >>> >>> I tried the Apache Kerberos 5 auth module initial auth worked but then it >>> went back to LDAP error 32 because it looks like it passed >>> <username>@<realm> to the ldap server as the username. Which is something I >>> knew the module did from past experience with it. >> >> You probably just need to setup your sasl mappings in the Directory Server: >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/configuring-sasl-id-mapping.html >> >> Mark >> >>> >>> I'm going to pick this up again tomorrow morning but I think I have it >>> now I think I have a plan that will work. >>> >>> I'm going to try the apache Pam authentication module which should pass >>> the username along without modification. Then I will configure Pam pass >>> through in 389 server. If I'm right this may do it. As a hacked method. >>> Then if I get it working and people are interested I can write a mini >>> howto. >>> That said if it works it will require a litle more research but I may be >>> able to write a simple to implement RFE so it can attempt GSSAPI auth >>> possibly based on a configuration parameter. >>> >>> Sent from my BlackBerry 10 smartphone. >>> Original Message >>> From: Paul Robert Marino >>> Sent: Wednesday, March 11, 2015 15:06 >>> To: General discussion list for the 389 Directory server project. >>> Subject: Re: GUI console and Kerberos >>> >>> correction it looks like I will need to enable either PAM passthrough >>> or I once i actually configure the real kerberos auth via the module >>> an not my quick test hack >>> I think it may allow forwarding the key via SASL GSSAPI >>> but either way this is good I think im well on my way to figuring it out. >>> >>> >>> >>> >>> >>> On Wed, Mar 11, 2015 at 2:51 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> >>> wrote: >>>> >>>> Ok so here is some progress >>>> i manually added my user name and password in >>>> /etc/dirsrv/admin-serv/admpw using the htpassword command >>>> if i put cn=<username> I get ldap error 32: No such object in the >>>> admin server error log >>>> but if i just put my username in it finds the entry and i get a >>>> different error ldap error 48: Inappropriate authentication >>>> this is making me wonder if saslauthd may help >>>> >>>> On Wed, Mar 11, 2015 at 2:34 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> >>>> wrote: >>>>> >>>>> I know it will probably be a little more complex than that but I think >>>>> it logically should be one of the steps. >>>>> although it doesn't explain how "cn=Directory Manager" works >>>>> but it makes a lot of sense when you see the 401 error from the login >>>>> attempt it comes from the directory specified by >>>>> " >>>>> <Location /admin-serv/authenticate> >>>>> SetHandler user-auth >>>>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>>>> AuthType basic >>>>> AuthName "Admin Server" >>>>> Require valid-user >>>>> Order allow,deny >>>>> Allow from all >>>>> </Location> >>>>> " >>>>> in /etc/dirsrv/admin-serv/admserv.conf >>>>> >>>>> >>>>> >>>>> >>>>> On Wed, Mar 11, 2015 at 2:13 PM, Rich Megginson <rmeggins@xxxxxxxxxx> >>>>> wrote: >>>>>> >>>>>> On 03/11/2015 11:54 AM, Paul Robert Marino wrote: >>>>>>> >>>>>>> Hey every one >>>>>>> I have a question I know at least once in the past i setup the admin >>>>>>> console so it could utilize Kerberos passwords based on a howto I >>>>>>> found once which after I changed jobs I could never find again. >>>>>>> >>>>>>> today I was looking for something else and I saw a mention on the site >>>>>>> about httpd needing to be compiled with http auth support. >>>>>>> well I did a little digging and I found this file >>>>>>> /etc/dirsrv/admin-serv/admserv.conf >>>>>>> >>>>>>> in that file I found a lot of entries that look like this >>>>>>> " >>>>>>> <LocationMatch /*/[tT]asks/[Cc]onfiguration/*> >>>>>>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>>>>>> AuthType basic >>>>>>> AuthName "Admin Server" >>>>>>> Require valid-user >>>>>>> AdminSDK on >>>>>>> ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin >>>>>>> NESCompatEnv on >>>>>>> Options +ExecCGI >>>>>>> Order allow,deny >>>>>>> Allow from all >>>>>>> </LocationMatch> >>>>>>> >>>>>>> " >>>>>>> when I checked /etc/dirsrv/admin-serv/admpw sure enough I found the >>>>>>> Password hash for the admin user. >>>>>>> >>>>>>> So my question is before I wast time experimenting could it possibly >>>>>>> be as simple as changing the auth type to kerberos >>>>>>> http://modauthkerb.sourceforge.net/configure.html >>>>>> >>>>>> >>>>>> I don't know. I don't think anyone has ever tried it. >>>>>> >>>>>>> keep in mind my Kerberos Servers do not use LDAP as the backend. >>>>>>> -- >>>>>>> 389 users mailing list >>>>>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users >>>>>> >>>>>> >>>>>> -- >>>>>> 389 users mailing list >>>>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users >>> >>> -- >>> 389 users mailing list >>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >>> https://admin.fedoraproject.org/mailman/listinfo/389-users >> >> >> -- >> 389 users mailing list >> 389-users@xxxxxxxxxxxxxxxxxxxxxxx >> https://admin.fedoraproject.org/mailman/listinfo/389-users -- 389 users mailing list 389-users@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/389-users