Ok, I'll do it as soon as I'm sure I've got all the ACIs correct. I think I'll try writing it in markdown; I need the practice for some of my projects on github :)

On Mon, Mar 16, 2015 at 2:37 PM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
> Absolutely!
>
> You can either write a simple doc, and I will port it to MarkDown and put it on the wiki, or you can write it in MarkDown:
>
> http://www.port389.org/docs/389ds/howto/howto-write-wiki-page.html
>
> Thanks,
> Mark
>
> On 03/16/2015 02:34 PM, Paul Robert Marino wrote:
>> Is there any interest in me writing a howto on this?
>> Keep in mind it doesn't break any of the built-in functionality, but just adds the ability to grant users admin privileges and log into the GUI console (389-console) using their Kerberos passwords, which are not stored in the LDAP database.
>>
>> On Sun, Mar 15, 2015 at 4:52 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:
>>> I got Kerberos 5 authentication working in 389-console for standard user accounts.
>>> None of the users I've tested with have password fields in the LDAP database; they are only authenticating via Kerberos through PAM. Why is this a big deal? The 389-console does not support SASL, so GSSAPI doesn't work either.
>>>
>>> I had to implement mod_auth_pam ("yum install -y mod_auth_pam.x86_64").
>>> Then I had to configure pam_passthru: http://www.port389.org/docs/389ds/howto/howto-pam-pass-through.html (by the way, I have some notes on things that should be revised on that page).
>>> Then I had to modify two config files, listed below in unified diffs.
>>> Next, there are several ACIs that needed to be altered to provide the users with the required permissions; those I'm still working out.
>>> >>> here are the two files that need to be modified >>> " >>> --- /etc/dirsrv/admin-serv/httpd.conf.bak 2013-08-20 >>> 15:34:35.000000000 -0400 >>> +++ /etc/dirsrv/admin-serv/httpd.conf 2015-03-15 13:59:05.431490104 >>> -0400 >>> @@ -134,6 +134,9 @@ >>> LoadModule restartd_module >>> /usr/lib64/dirsrv/modules/mod_restartd.so >>> LoadModule nss_module /usr/lib64/httpd/modules/libmodnss.so >>> LoadModule admserv_module /usr/lib64/dirsrv/modules/mod_admserv.so >>> +LoadModule auth_pam_module /usr/lib64/httpd/modules/mod_auth_pam.so >>> +LoadModule auth_sys_group_module >>> /usr/lib64/httpd/modules/mod_auth_sys_group.so >>> + >>> >>> ### Section 2: 'Main' server configuration >>> # >>> " >>> " >>> --- /etc/dirsrv/admin-serv/admserv.conf.bak 2013-08-20 >>> 15:34:35.000000000 -0400 >>> +++ /etc/dirsrv/admin-serv/admserv.conf 2015-03-15 12:45:38.906535271 >>> -0400 >>> @@ -74,6 +74,8 @@ >>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>> AuthType basic >>> AuthName "Admin Server" >>> + AuthPAM_Enabled on >>> + AuthPAM_FallThrough on >>> Require valid-user >>> Order allow,deny >>> Allow from all >>> @@ -84,6 +86,8 @@ >>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>> AuthType basic >>> AuthName "Admin Server" >>> + AuthPAM_Enabled on >>> + AuthPAM_FallThrough on >>> Require valid-user >>> AdminSDK on >>> ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin >>> @@ -97,6 +101,8 @@ >>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>> AuthType basic >>> AuthName "Admin Server" >>> + AuthPAM_Enabled on >>> + AuthPAM_FallThrough on >>> Require valid-user >>> AdminSDK on >>> ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin >>> @@ -111,6 +117,8 @@ >>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>> AuthType basic >>> AuthName "Admin Server" >>> + AuthPAM_Enabled on >>> + AuthPAM_FallThrough on >>> Require valid-user >>> Order allow,deny >>> Allow from all 
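Review bot: every admserv.conf hunk keeps "Require valid-user" while adding "AuthPAM_Enabled on", so once PAM is consulted any account the PAM stack can authenticate passes the HTTP auth layer, not only the admin user the admpw file knew about; the httpd.conf hunk loads auth_sys_group_module, which is precisely the module that would let these blocks carry a "Require group" line for an admin group, yet no hunk adds one, so either use it or drop that LoadModule. Second, "AuthPAM_FallThrough on" in each block means a PAM failure falls back to "AuthUserFile /etc/dirsrv/admin-serv/admpw", so that file remains a live credential store and must keep its restrictive ownership and permissions (or set FallThrough off once PAM is proven).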
>>> @@ -123,6 +131,8 @@ >>> AuthUserFile /etc/dirsrv/admin-serv/admpw >>> AuthType basic >>> AuthName "Admin Server" >>> + AuthPAM_Enabled on >>> + AuthPAM_FallThrough on >>> Require valid-user >>> ## turn off the password pipe when using mod_restartd >>> AdminSDK off >>> >>> "
>>>
>>> On Sun, Mar 15, 2015 at 12:39 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:
>>>> No, that's not it at all. That already works for users authenticating via SASL GSSAPI.
>>>> This is a legacy LDAPv2 simple bind with TLS instead of SSL.
>>>> SASL does not apply here from what I can see.
>>>> It looks like the username and password are being passed, but with the Kerberos principal as the username. So instead I'm going to reattempt this via another route utilizing PAM.
>>>>
>>>> On Fri, Mar 13, 2015 at 11:58 AM, Mark Reynolds <mareynol@xxxxxxxxxx> wrote:
>>>>> On 03/11/2015 05:48 PM, prmarino1@xxxxxxxxx wrote:
>>>>>> Update: I got pulled away on something else, but there is progress.
>>>>>>
>>>>>> I tried the Apache Kerberos 5 auth module; initial auth worked, but then it went back to LDAP error 32 because it looks like it passed <username>@<realm> to the ldap server as the username. Which is something I knew the module did from past experience with it.
>>>>>
>>>>> You probably just need to set up your sasl mappings in the Directory Server:
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/8.1/html/Administration_Guide/configuring-sasl-id-mapping.html
>>>>>
>>>>> Mark
>>>>>
>>>>>> I'm going to pick this up again tomorrow morning, but I think I have it now; I think I have a plan that will work.
>>>>>>
>>>>>> I'm going to try the apache Pam authentication module, which should pass the username along without modification. Then I will configure Pam pass through in 389 server. If I'm right this may do it.
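Review bot: the fall-through and valid-user concerns apply unchanged to this last hunk (the block ending in "AdminSDK off"), and this is the place to note what the diff does not carry: it touches only httpd.conf and admserv.conf, so the PAM service stack that mod_auth_pam will consult and the pam_passthru settings the message links to are not part of the change, and a how-to built from it needs both. It also leaves "AuthType basic" in place, so the user's Kerberos password is sent in every request's Authorization header and the arrangement is only sound on the TLS listener that the neighbouring "LoadModule nss_module" line provides.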
>>>>>> As a hacked method.
>>>>>> Then if I get it working and people are interested I can write a mini howto.
>>>>>> That said, if it works it will require a little more research, but I may be able to write a simple-to-implement RFE so it can attempt GSSAPI auth, possibly based on a configuration parameter.
>>>>>>
>>>>>> Sent from my BlackBerry 10 smartphone.
>>>>>> Original Message
>>>>>> From: Paul Robert Marino
>>>>>> Sent: Wednesday, March 11, 2015 15:06
>>>>>> To: General discussion list for the 389 Directory server project.
>>>>>> Subject: Re: [389-users] GUI console and Kerberos
>>>>>>
>>>>>> Correction: it looks like I will need to enable either PAM passthrough or, once I actually configure the real Kerberos auth via the module and not my quick test hack, I think it may allow forwarding the key via SASL GSSAPI. But either way this is good; I think I'm well on my way to figuring it out.
>>>>>>
>>>>>> On Wed, Mar 11, 2015 at 2:51 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:
>>>>>>> Ok, so here is some progress.
>>>>>>> I manually added my user name and password in /etc/dirsrv/admin-serv/admpw using the htpasswd command.
>>>>>>> If I put cn=<username> I get ldap error 32: No such object in the admin server error log, but if I just put my username in, it finds the entry and I get a different error, ldap error 48: Inappropriate authentication.
>>>>>>> This is making me wonder if saslauthd may help.
>>>>>>>
>>>>>>> On Wed, Mar 11, 2015 at 2:34 PM, Paul Robert Marino <prmarino1@xxxxxxxxx> wrote:
>>>>>>>> I know it will probably be a little more complex than that, but I think it logically should be one of the steps.
>>>>>>>> Although it doesn't explain how "cn=Directory Manager" works, it makes a lot of sense when you see the 401 error from the login attempt; it comes from the directory specified by
>>>>>>>> "
>>>>>>>> <Location /admin-serv/authenticate>
>>>>>>>> SetHandler user-auth
>>>>>>>> AuthUserFile /etc/dirsrv/admin-serv/admpw
>>>>>>>> AuthType basic
>>>>>>>> AuthName "Admin Server"
>>>>>>>> Require valid-user
>>>>>>>> Order allow,deny
>>>>>>>> Allow from all
>>>>>>>> </Location>
>>>>>>>> "
>>>>>>>> in /etc/dirsrv/admin-serv/admserv.conf
>>>>>>>>
>>>>>>>> On Wed, Mar 11, 2015 at 2:13 PM, Rich Megginson <rmeggins@xxxxxxxxxx> wrote:
>>>>>>>>> On 03/11/2015 11:54 AM, Paul Robert Marino wrote:
>>>>>>>>>> Hey everyone,
>>>>>>>>>> I have a question. I know at least once in the past I set up the admin console so it could utilize Kerberos passwords, based on a howto I found once which, after I changed jobs, I could never find again.
>>>>>>>>>>
>>>>>>>>>> Today I was looking for something else and I saw a mention on the site about httpd needing to be compiled with http auth support.
>>>>>>>>>> Well, I did a little digging and I found this file: /etc/dirsrv/admin-serv/admserv.conf
>>>>>>>>>>
>>>>>>>>>> In that file I found a lot of entries that look like this:
>>>>>>>>>> "
>>>>>>>>>> <LocationMatch /*/[tT]asks/[Cc]onfiguration/*>
>>>>>>>>>> AuthUserFile /etc/dirsrv/admin-serv/admpw
>>>>>>>>>> AuthType basic
>>>>>>>>>> AuthName "Admin Server"
>>>>>>>>>> Require valid-user
>>>>>>>>>> AdminSDK on
>>>>>>>>>> ADMCgiBinDir /usr/lib64/dirsrv/cgi-bin
>>>>>>>>>> NESCompatEnv on
>>>>>>>>>> Options +ExecCGI
>>>>>>>>>> Order allow,deny
>>>>>>>>>> Allow from all
>>>>>>>>>> </LocationMatch>
>>>>>>>>>> "
>>>>>>>>>> When I checked /etc/dirsrv/admin-serv/admpw, sure enough I found the password hash for the admin user.
>>>>>>>>>>
>>>>>>>>>> So my question is, before I waste time experimenting, could it possibly be as simple as changing the auth type to kerberos?
>>>>>>>>>> http://modauthkerb.sourceforge.net/configure.html
>>>>>>>>>
>>>>>>>>> I don't know. I don't think anyone has ever tried it.
>>>>>>>>>
>>>>>>>>>> Keep in mind my Kerberos Servers do not use LDAP as the backend.
>>>>>>>>>> --
>>>>>>>>>> 389 users mailing list
>>>>>>>>>> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
>>>>>>>>>> https://admin.fedoraproject.org/mailman/listinfo/389-users
>>
>> --
>> 389-devel mailing list
>> 389-devel@xxxxxxxxxxxxxxxxxxxxxxx
>> https://admin.fedoraproject.org/mailman/listinfo/389-devel
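As an added example (not code from this thread or from the 389 Directory Server project), the following Python audits Apache-style admin-server config blocks for the two properties the mod_auth_pam change in the thread turns on: whether "AuthPAM_FallThrough on" leaves the admpw file as a second accepted credential source, and whether "Require valid-user" now admits any account the PAM stack can authenticate. The sample config text, the hardened block under /admin-serv/hardened-example and the group name dsadmins are constructed for illustration; only the directive names are taken from the quoted diffs.

```python
"""Audit admin-server Apache config blocks after the mod_auth_pam change.

Constructed sample: the text below mirrors the shape of the
/etc/dirsrv/admin-serv/admserv.conf blocks quoted in the thread plus one
hypothetical hardened variant; it is not a copy of any real installation.
"""
import re
from dataclasses import dataclass, field

SAMPLE_CONF = """
# Two blocks as patched in the thread (AuthPAM_Enabled/FallThrough added).
<Location /admin-serv/authenticate>
    AuthUserFile /etc/dirsrv/admin-serv/admpw
    AuthType basic
    AuthName "Admin Server"
    AuthPAM_Enabled on
    AuthPAM_FallThrough on
    Require valid-user
</Location>

<LocationMatch /*/[tT]asks/[Cc]onfiguration/*>
    AuthUserFile /etc/dirsrv/admin-serv/admpw
    AuthType basic
    AuthName "Admin Server"
    AuthPAM_Enabled on
    AuthPAM_FallThrough on
    Require valid-user
    AdminSDK on
</LocationMatch>

# Hypothetical hardened variant: PAM only, no admpw fallback, one admin group.
<Location /admin-serv/hardened-example>
    AuthType basic
    AuthName "Admin Server"
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    Require group dsadmins
</Location>
"""

# <Location ...> ... </Location> and <LocationMatch ...> ... </LocationMatch>
_BLOCK_RE = re.compile(r"<(Location|LocationMatch)\s+([^>]+)>(.*?)</\1>", re.S)


@dataclass
class AuthBlock:
    kind: str                                        # "Location" or "LocationMatch"
    target: str                                      # protected path or pattern
    directives: dict = field(default_factory=dict)   # lowercased name -> [values]

    def first(self, name, default=""):
        vals = self.directives.get(name.lower())
        return vals[0] if vals else default


def parse_blocks(conf_text):
    """Collect every Location/LocationMatch block with its directives."""
    blocks = []
    for m in _BLOCK_RE.finditer(conf_text):
        block = AuthBlock(kind=m.group(1), target=m.group(2).strip())
        for raw in m.group(3).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            value = parts[1].strip() if len(parts) > 1 else ""
            block.directives.setdefault(parts[0].lower(), []).append(value)
        blocks.append(block)
    return blocks


def audit_block(block):
    """Return WARN/INFO/OK findings for one block."""
    pam_on = block.first("AuthPAM_Enabled").lower() == "on"
    fall_through = block.first("AuthPAM_FallThrough").lower() == "on"
    user_file = block.first("AuthUserFile")
    requires = [r.lower() for r in block.directives.get("require", [])]
    group_restricted = any(r.startswith("group ") for r in requires)

    if not pam_on and not user_file:
        return ["INFO: no HTTP authentication directives in this block"]
    if not pam_on:
        return [f"INFO: unchanged; authenticates only against {user_file}"]

    findings = []
    if fall_through and user_file:
        findings.append(f"WARN: AuthPAM_FallThrough on keeps {user_file} as a second accepted credential source")
    if "valid-user" in requires and not group_restricted:
        findings.append("WARN: Require valid-user with PAM admits every account the PAM stack can authenticate")
    if block.first("AuthType").lower() == "basic":
        findings.append("INFO: AuthType basic carries the PAM password in every request; TLS listener required")
    if not any(f.startswith("WARN") for f in findings):
        findings.insert(0, "OK: PAM-only authentication restricted to a group")
    return findings


def audit(conf_text):
    """Map each block's target to its findings."""
    return {b.target: audit_block(b) for b in parse_blocks(conf_text)}


if __name__ == "__main__":
    for target, findings in audit(SAMPLE_CONF).items():
        print(target)
        for finding in findings:
            print("   ", finding)
```

Running it against a real admserv.conf (read the file into audit()) lists, per protected block, whether the admpw fallback is still live and whether the block needs a group restriction before the PAM change is rolled out.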