GSSAPI authentication w/ and w/o rDNS resolution

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi all,

We are working on a FreeIPA infrastructure, but we are facing an issue regarding GSSAPI authentication against 389ds. Our infrastructure is currently moving from enabled to disabled reverse DNS resolution on Kerberos clients. We are also using load-balanced DNS aliases and, as a consequence, nodes of distributed services must provide keys for both a canonical service principal and a localhost service principal.

This setup is similar to the one commonly used for HA proxies, which is described in the 389ds' documentation[1].

We configured the keytab accordingly (ipa01.example.net is the FreeIPA node and ldap.example.net is the load-balanced alias):

KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 06/30/2020 10:24:28 ldap/ipa01.example.net@xxxxxxxxxxx
   1 06/30/2020 10:24:28 ldap/ipa01.example.net@xxxxxxxxxxx
   1 06/30/2020 11:18:43 ldap/ldap.example.net@xxxxxxxxxxx
   1 06/30/2020 11:18:43 ldap/ldap.example.net@xxxxxxxxxxx

SASL/GSSAPI authentication works when connecting to ipa01.example.net, or ldap.example.net but only if [libdefaults].rdns=true in /etc/kbr5.conf. When rDNS resolution is disabled, authentication doesn't work any more:

$ ldapwhoami -QY GSSAPI -H ldaps://ldap.example.net
ldap_sasl_interactive_bind_s: Invalid credentials (49)

The ticket me@xxxxxxxxxxx->ldap/ldap.example.net@xxxxxxxxxxx is in the ccache, but 389ds rejects it even though the matching key is available in its keytab.

It seems 389ds is checking the incoming ticket against the "nsslapd-localhost" parameter, and rejects it if they are not matching:

dn: cn=config
nsslapd-localhost: ipa01.example.net

Setting "nsslapd-localhost" to "ldap.example.net" fixed this issue, but it causes authentication to ldap/ipa01.example.net@xxxxxxxxxxx to stop working. Also it is not possible to have multiple "nsslapd-localhost" entries.

Is there a way to disable checking against "nsslapd-localhost" to allow authentication against any key from the configured keytab (we use 389ds version 1.3.10.2)?

Julien Rische
CERN


[1] https://directory.fedoraproject.org/docs/389ds/howto/howto-loadbalance-gssapi.html
_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Fedora User Discussion]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora News]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora QA]     [Fedora Triage]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Yosemite Photos]     [Linux Apps]     [Maemo Users]     [Gnome Users]     [KDE Users]     [Fedora Tools]     [Fedora Art]     [Fedora Docs]     [Maemo Users]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Fedora ARM]

  Powered by Linux