
Can't determine the principal used to LDAP syncrepl GSSAPI

Server Fault Asked by DG DM on December 7, 2021

I’ve configured two OpenLDAP servers, fully functional in HA (syncrepl mode, provider – slave).
After testing that simple bind syncrepl works flawlessly, I’m trying to deploy from scratch using only GSSAPI to avoid the use of plain text passwords.
I’ve configured the client (ldap.conf) to use GSSAPI and it works great, so it should work for syncrepl too.
I’ve configured the provider and the consumer.

This is the configuration of the olcSyncrepl under the hdb database. Omitting the authcid and authzid does not change the final result:

    olcSyncrepl{0}: rid=001 
    provider="ldap://authsrv1.ex.ample.com" 
    bindmethod=sasl 
    saslmech=gssapi 
    searchbase="dc=ex,dc=ample,dc=com" 
    type=refreshAndPersist 
    retry="30 5 300 3" 
    interval=00:00:01:00 

If the configuration is modified to simple bind, it replicates flawlessly. The krb5.keytab has been added to the sysconfig openldap file.

I would be able to solve it if I could know which principal it is using to attempt the replication, but the logs are not showing that information (LogLevel 255).

> slapd[2091]: GSSAPI Error: Unspecified GSS failure.  Minor code may
> provide more information (No Kerberos credentials available)
> 
> slapd[2091]: slap_client_connect: URI=ldap://authsrv1.ex.ample.com
> ldap_sasl_interactive_bind_s failed (-2)

ldapwhoami using GSSAPI works flawlessly after using kinit.

EDIT:
This is my config of /etc/sasl2/slapd.conf

mech_list: gssapi digest-md5 cram-md5 external
pwcheck_method: saslauthd
keytab: /etc/ldap.keytab

ldap.keytab contains the keys of the ldap/authsrv1.ex.ample.com and ldap/authsrv2.ex.ample.com principals and it is owned by user ldap and group ldap. I also created a syncrepl inetOrgPerson and added a {SASL} mechanism as its password to check if I could use a dedicated account instead of ldap/authsrv…

If I perform a kinit from both of the servers:

kinit -k -t /etc/ldap.keytab syncrepl
kinit -k -t /etc/ldap.keytab ldap/authsrv1.ex.ample.com
kinit -k -t /etc/ldap.keytab ldap/authsrv2.ex.ample.com

The KDC gives me a ticket and then I can perform an ldapsearch -Y GSSAPI or ldapwhoami -Y GSSAPI flawlessly.

The client ldap.conf is also configured to use GSSAPI and works flawlessly on all our clients too.

BASE dc=ex,dc=ample,dc=com
URI ldap://authsrv1.ex.ample.com:389/,ldap://authsrv2.ex.ample.com:389/
TLS_CACERT /certs/EXAMPLE.pem
TLS_CACERTDIR /certs/
TLS_CERT /certs/authsrv1.ex.ample.com.pem
TLS_KEY /certs/authsrv1.ex.ample.com.key.pem
SUDOERS_BASE ou=SUDOers,dc=ex,dc=ample,dc=com
SASL_MECH GSSAPI
SASL_REALM EX.AMPLE.COM
GSSAPI_SIGN on
GSSAPI_ENCRYPT off
NETWORK_TIMEOUT 10
BIND_POLICY soft
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus
bind_timeout 2
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxconntries 3

Our web server allows authentication using saslauthd and works flawlessly too.
The only thing we can’t configure is syncrepl via GSSAPI.

I’ve also tried specifying authcid and authzid, and I have the following olcAuthRegexp in the provider’s cn=config:

olcAuthRegexp: {0}uid=(.*),cn=gssapi,cn=auth ldap://dc=ex,dc=ample,dc=com??sub?(&(uid=$1)(objectClass=inetOrgPerson))

As for the ACL, I’ve tried to replicate with the same user (syncrepl) using the simple authentication mechanism and it works great.

Any ideas?

Thank you so much.

Best Regards.

2 Answers

$ cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
$
$
$ grep KRB5 /etc/sysconfig/slapd
KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"
KRB5_CLIENT_KTNAME="FILE:/etc/openldap/ldap.keytab"
$ ls -l /etc/openldap/ldap.keytab
-rw-------. 1 ldap ldap 346 Jun 15  2015 /etc/openldap/ldap.keytab
$
$
$  ps aux | grep slapd | grep -v grep
ldap      1121  1.2  3.9 356408 39748 ?        Ssl  22:07   0:02 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// ldaps:///

Answered by 84104 on December 7, 2021

After a lot of days, weeks... trying to figure out what was going on...

The issue was in /etc/sysconfig/openldap. Changing:

OPENLDAP_USER="ldap"
OPENLDAP_GROUP="ldap"

To:

OPENLDAP_USER=""
OPENLDAP_GROUP=""

Solved the issue.

Answered by DG DM on December 7, 2021
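Both answers above come down to the same check: which user slapd actually runs as, and whether that user can read the keytab named in KRB5_KTNAME / KRB5_CLIENT_KTNAME. The script below automates that check; it is an added example, not code from the thread or from OpenLDAP, and it assumes Linux (/proc, GNU stat, MIT klist) and that it is run as root or as slapd's own user. The names can_read_file, slapd_keytab_check and SLAPD_PID are this example's own.

```shell
#!/bin/sh
# Added example: check whether a running slapd can read the keytab it was
# given via KRB5_CLIENT_KTNAME / KRB5_KTNAME, the usual cause of
# "No Kerberos credentials available". Linux-only (reads /proc, GNU stat).

# can_read_file UID GID PATH: 0 when a process with that uid/gid could read
# PATH by plain mode bits (assumption: no POSIX ACLs, SELinux not checked).
can_read_file() {
    cu="$1"; cg="$2"; f="$3"
    [ -f "$f" ] || return 1
    [ "$cu" -eq 0 ] && return 0
    st=$(stat -c '%u %g %a' "$f" 2>/dev/null) || return 1
    fuid=${st%% *}; rest=${st#* }; fgid=${rest%% *}; mode=${rest#* }
    mode=$(printf '%03d' "$mode"); mode=${mode#"${mode%???}"}   # last 3 digits
    o=${mode%??}; gw=${mode#?}; g=${gw%?}; w=${gw#?}
    if [ "$cu" -eq "$fuid" ]; then
        [ $((o & 4)) -ne 0 ]
    elif [ "$cg" -eq "$fgid" ]; then
        [ $((g & 4)) -ne 0 ]
    else
        [ $((w & 4)) -ne 0 ]
    fi
}

# slapd_keytab_check PID: report the uid/gid slapd runs as, the keytab in
# its environment, whether it can read it, and the principals the file holds.
# Needs root (or slapd's own user) to read /proc/PID/environ.
slapd_keytab_check() {
    pid="$1"
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
    gid=$(awk '/^Gid:/ {print $2}' "/proc/$pid/status")
    penv=$(tr '\0' '\n' < "/proc/$pid/environ")
    kt=$(printf '%s\n' "$penv" | sed -n 's/^KRB5_CLIENT_KTNAME=//p')
    [ -n "$kt" ] || kt=$(printf '%s\n' "$penv" | sed -n 's/^KRB5_KTNAME=//p')
    [ -n "$kt" ] || { echo "slapd $pid: no KRB5_*KTNAME in environment"; return 1; }
    path=${kt#FILE:}
    echo "slapd $pid runs as uid=$uid gid=$gid, keytab=$path"
    if can_read_file "$uid" "$gid" "$path"; then
        echo "keytab is readable by slapd; principals it holds:"
        klist -k "$path"
    else
        echo "keytab NOT readable by uid=$uid gid=$gid" \
             "(owner/mode: $(stat -c '%U:%G %a' "$path"))"
        return 1
    fi
}

# Only runs when pointed at a slapd, e.g.: SLAPD_PID=$(pgrep -o slapd) sh this.sh
if [ -n "${SLAPD_PID:-}" ]; then slapd_keytab_check "$SLAPD_PID"; fi
```

If the keytab is readable, the principals klist prints are the only identities slapd can obtain credentials for; a principal missing from that list cannot be the one syncrepl binds as.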
