I'm trying to move over from OpenLDAP, as it seems that 389-ds is better
supported in the RH family of products.
I've followed the RH docs to configure kerberos[1] as well as checking
to ensure that the auth mechanisms are enabled and I've poked around
with the SASL identity mappings. From what I can tell, all of these are
setup correctly.
However, every single time, the realm isn't populated with the kerberos
realm and instead, only the username is passed. This results in the SASL
mapping that matches the realm (correctly) failing to match:
DEBUG - do_bind - BIND dn="" method=163 version=3
DEBUG - ids_sasl_listmech - sasl library mechs:
GSS-SPNEGO,GSSAPI,DIGEST-MD5,CRAM-MD5,PLAIN,LOGIN,ANONYMOUS
DEBUG - ids_sasl_log - (5): GSSAPI server step 3
DEBUG - ids_sasl_canon_user - (user=kyletest, realm=)
DEBUG - sasl_map_domap - Trying map [Kerberos uid mapping]
DEBUG - sasl_map_check - regex: (.*)@(.*)\.(.*), id: kyletest, didn't match
I've trimmed the above to just the more relevant log lines, but it's
very clear that the value for "realm" is en empty string.
What do I need to do in order to have the realm be made visible to the
SASL mapping component? I've searched the docs, both the fedora and the
pagure bug trackers, searched all of the nsslapd-* attributes to see if
I'm missing something, and tried on both centos8 and F31 (same results).
I don't see anything obvious missing here (but I might just not know
where to be looking).
F31 package: 389-ds-base-1.4.2.11-1.fc31.x86_64
CentOS8 package: 389-ds-base-1.4.2.9-1.module_el8+8314+9ac085f5.x86_64
- Kerberos setup:
[root@ldaptest ~]# cat /etc/sysconfig/dirsrv-app
KRB5_KTNAME=/etc/dirsrv/krb5.keytab
[root@ldaptest ~]# kinit -kt /etc/dirsrv/krb5.keytab ldap/$HOSTNAME
[root@ldaptest ~]# klist
Ticket cache: KCM:0:9594
Default principal: ldap/ldaptest.averageurl.com@xxxxxxxxxxxxxx
- klist after attempting an ldapwhoami:
[root@ldaptest ~]# klist
Ticket cache: KCM:0:39355
Default principal: kyletest@xxxxxxxxxxxxxx
Valid starting Expires Service principal
04/12/2020 10:33:44 04/13/2020 10:33:40
krbtgt/AVERAGEURL.COM@xxxxxxxxxxxxxx
04/12/2020 10:33:51 04/13/2020 10:33:40
ldap/ldaptest.averageurl.com@xxxxxxxxxxxxxx
- SASL mapping:
nsSaslMapRegexString: \(.*\)@\(.*\)\.\(.*\)
nsSaslMapFilterTemplate: (cn=\1)
nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com
- Alternative SASL mapping that I'd prefer to use:
nsSaslMapRegexString: \(.*\)@AVERAGEURL\.COM
nsSaslMapFilterTemplate: (cn=\1)
nsSaslMapBaseDNTemplate: ou=accounts,dc=app,dc=averageurl,dc=com
Thanks,
--Kyle
[1]
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/html/administration_guide/configuring_kerberos
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx