Use GSSAPI for directory authentication #630

Open
phasenohr opened this issue May 6, 2024 · 8 comments · May be fixed by #645

@phasenohr

Hello,

I am trying to have ldap2pg authenticate against my LDAP directory through GSSAPI (in order to use Kerberos ultimately). According to https://ldap2pg.readthedocs.io/en/latest/ldap/ it seems that I should be able to specify SASL_MECH but I do not find how to do it.

Here is the anonymised ldaprc file I am trying to use (it works fine if I do an ldapwhoami):

URI ldaps://krbldap-001.xxxx.yyy.zz
SASL_MECH GSSAPI
SASL_REALM XXXX.YYY.ZZ
SASL_AUTHCID name_of_the_kerberos_principal_used_to_authenticate_against_ldap

This leads to the following error when running ldap2pg:

14:25:33 INFO   Starting ldap2pg                                 version=v6.0 runtime=go1.20.5 commit=023e6933
14:25:33 INFO   Using YAML configuration file.                   path=./ldap2pg.yml
14:25:33 INFO   Running as superuser.                            user=postgres super=true server="PostgreSQL 14.11" cluster=14/main database=postgres
14:25:34 ERROR  Fatal error.                                     err="unhandled SASL_MECH"

If I use BINDDN and PASSWORD in my ldaprc file instead of the SASL_* variables, ldap2pg works fine.

Am I doing something wrong or can it be that support for GSSAPI has not been implemented in version 6?

Thank you for your support.

Best regards,
Paul

@bersace
Member

bersace commented May 6, 2024

Yes, GSSAPI is missing from ldap2pg 6.0. go-ldap just released with GSSAPI support.

However, I don't know how to reproduce Kerberos auth in the development environment and CI. Any help accepted!

@bersace bersace self-assigned this May 6, 2024
@bersace bersace added the feature label May 6, 2024
@bersace
Member

bersace commented May 7, 2024

Do you want ldap2pg to ask you the Kerberos password? Do you use kinit or something like that?

@phasenohr
Author

Thank you for your very quick feedback!
I am using keytabs for functional users such as the one used to execute ldap2pg.

It seems that authentication based on a keytab is supported by go-ldap: https://github.com/go-ldap/ldap/blob/56e5759aadc48129a33935b9de05b17151c1172e/gssapi/client.go#L31. If it can be used, this would be perfect in my case.

I will gladly help with the testing. Regarding the setup of Kerberos in the development environment, I am not sure what would be needed. I am not sure if I could help there, but if I can, I will.
Thank you.

@bersace
Member

bersace commented May 7, 2024

samba support for KDC is very experimental. Thus, implementing this is completely wild.

How do you configure ldapsearch to authenticate to AD using GSSAPI/Kerberos?

@phasenohr
Author

I am using MIT Kerberos (no AD, no Samba involved). The set-up I have for such an environment is the following on Debian 12:

  • apt-get install krb5-user libsasl2-modules-gssapi-mit
  • Assuming that the user authorised to connect to the LDAP is called proxyuser, retrieve the keytab for that user from the Kerberos admin server and place it in a file, e.g. /etc/certificates/proxyuser.keytab
  • Configure /etc/krb5.conf (the names of the Kerberos KDC servers are retrieved via DNS in that case):

    [libdefaults]
      default_realm = XXXX.YYY.ZZ
      # The following krb5.conf variables are only for MIT Kerberos.
      krb4_config = /etc/krb.conf
      krb4_realms = /etc/krb.realms
      kdc_timesync = 1
      ccache_type = 4
      forwardable = true
      proxiable = true
      default_ccache_name = FILE:/tmp/krb5cc_%{uid}
      renew_lifetime = 5d
      dns_canonicalize_hostname = false

    [domain_realm]
      .xxxx.yyy.zz = XXXX.YYY.ZZ

    [logging]
      kdc = SYSLOG:INFO:DAEMON

  • Retrieve a Kerberos ticket by authenticating with the keytab previously placed on the machine: kinit -kt /etc/certificates/proxyuser.keytab proxyuser, where proxyuser is the name of the user allowed to query the LDAP server and list its content
  • Issue the LDAP search: ldapsearch -Y GSSAPI -U proxyuser -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"

If the ldaprc file put in my first post is placed in the same folder from which the ldapsearch command is issued, then the following command would be enough: ldapsearch -Y GSSAPI -H ldaps://krbldap-001.xxxx.yyy.zz -b "ou=aaaa, dc=xxxx,dc=yyy,dc=zz"

If I understand correctly what the library you referred to is doing, the kinit part would not be needed, as it would be handled by the library automatically from those variables: username, realm, keytabPath, krb5confPath.
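
The thread turns on two things: what ldap2pg reads from ldaprc (the first post's SASL_* settings versus BINDDN/PASSWORD) and where the "unhandled SASL_MECH" error comes from. The following Go program is an added example written for this page, not ldap2pg's or go-ldap's code: it parses ldaprc the way ldap.conf(5) defines the syntax (one keyword per line, keywords case-insensitive, value is the rest of the line) and turns the result into a bind plan, accepting GSSAPI and refusing any other mechanism with the same error text ldap2pg prints. The BindPlan type, the PlanBind function and the requirement that GSSAPI carry a SASL_AUTHCID are this example's own choices; the sample ldaprc is a constructed copy of the one above with the placeholder principal replaced by proxyuser.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"strings"
)

// SampleLDAPRC is a constructed copy of the ldaprc from the first post, with the
// placeholder principal replaced by the proxyuser name used later in the thread.
const SampleLDAPRC = `
# constructed sample, not a real directory
URI ldaps://krbldap-001.xxxx.yyy.zz
SASL_MECH GSSAPI
SASL_REALM XXXX.YYY.ZZ
SASL_AUTHCID proxyuser
`

// ErrUnhandledSASLMech mirrors the fatal error ldap2pg 6.0 prints in the issue.
var ErrUnhandledSASLMech = errors.New("unhandled SASL_MECH")

// BindPlan is this example's own summary of how a client would bind; the
// field names are hypothetical and not ldap2pg's.
type BindPlan struct {
	URI      string
	Mech     string // "" means a simple bind with BINDDN/PASSWORD
	Realm    string
	AuthcID  string
	BindDN   string
	Password string
}

// ParseLDAPRC reads ldap.conf(5) syntax: one "KEYWORD value" per line, blank
// lines and '#' comments ignored, keywords case-insensitive. The value is
// everything after the first run of whitespace, so a PASSWORD may contain spaces.
func ParseLDAPRC(text string) (map[string]string, error) {
	kv := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		i := strings.IndexAny(line, " \t")
		if i < 0 {
			return nil, fmt.Errorf("ldaprc line %d: keyword %q has no value", n, line)
		}
		kv[strings.ToUpper(line[:i])] = strings.TrimSpace(line[i+1:])
	}
	return kv, sc.Err()
}

// PlanBind decides the bind from the parsed settings. No SASL_MECH means a
// simple bind (this example refuses an anonymous one); GSSAPI is accepted and,
// because a keytab-based client must know which principal to use, this example
// requires SASL_AUTHCID for it; any other mechanism is reported the way ldap2pg does.
func PlanBind(kv map[string]string) (BindPlan, error) {
	p := BindPlan{
		URI:      kv["URI"],
		Mech:     strings.ToUpper(kv["SASL_MECH"]),
		Realm:    kv["SASL_REALM"],
		AuthcID:  kv["SASL_AUTHCID"],
		BindDN:   kv["BINDDN"],
		Password: kv["PASSWORD"],
	}
	if p.URI == "" {
		return p, errors.New("URI is required")
	}
	switch p.Mech {
	case "":
		if p.BindDN == "" || p.Password == "" {
			return p, errors.New("simple bind needs BINDDN and PASSWORD")
		}
	case "GSSAPI":
		if p.AuthcID == "" {
			return p, errors.New("GSSAPI bind needs SASL_AUTHCID")
		}
	default:
		return p, fmt.Errorf("%w: %s", ErrUnhandledSASLMech, p.Mech)
	}
	return p, nil
}

func main() {
	kv, err := ParseLDAPRC(SampleLDAPRC)
	if err != nil {
		panic(err)
	}
	plan, err := PlanBind(kv)
	fmt.Printf("plan=%+v err=%v\n", plan, err)
	// The same dispatch on a mechanism this example does not implement.
	_, err = PlanBind(map[string]string{"URI": "ldaps://krbldap-001.xxxx.yyy.zz", "SASL_MECH": "DIGEST-MD5"})
	fmt.Println("err:", err)
}
```

The GSSAPI plan carries the principal and realm, which is what the go-ldap keytab client linked above takes alongside a keytab path and a krb5.conf path; ldap.conf(5) has no keytab keyword, so a tool that wants to skip kinit needs its own setting for the keytab location, while a tool that keeps kinit needs only the credential cache the ticket was written to.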

@bersace
Member

bersace commented May 10, 2024

Hi @phasenohr . Thanks for the details. Trying to authenticate ldapsearch against Samba with GSSAPI with Kerberos:

$ kinit -V -kt $PWD/administrator.keytab  administrator
Using default cache: /tmp/krb5cc_1000
Using principal: administrator@BRIDOULOU.FR
Using keytab: /home/bersace/src/dalibo/ldap2pg/administrator.keytab
Authenticated to Kerberos v5

$ ldapsearch -U administrator@BRIDOULOU.FR -H ldaps://samba1.ldap2pg.docker -l 5 -Y GSSAPI -b cn=users,dc=bridoulou,dc=fr -s sub '(|(cn=owners)(cn=readers)(cn=writers))' member cn
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind: Local error (-2)
        additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server not found in Kerberos database)

I guess Samba AD needs to have itself declared as a server in one database. I don't know how or what. I have rdns = false and DNS resolution for my docker container.

@phasenohr
Author

Hi @bersace

It probably means that the LDAP server is missing a keytab authorising it to authenticate through Kerberos.
With MIT Kerberos, you would need to create a keytab for the SPN ldap/fqdn@REALM, so in your example this would probably be ldap/samba1.ldap2pg.docker@BRIDOULOU.FR, but I do not know how you would configure that in Samba AD.

Also, you might need to update the [domain_realm] section on your client to map the .ldap2pg.docker domain to the BRIDOULOU.FR realm.
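
The two suggestions above, the ldap/fqdn@REALM service principal and the [domain_realm] mapping, are connected: the realm the client writes into the SPN it asks the KDC for comes from that mapping. The program below is an added example for this page, not code from ldap2pg, MIT Kerberos or Samba. It parses the [domain_realm] section of a krb5.conf and applies the lookup order krb5.conf(5) documents (exact hostname first, then parent domains longest to shortest, with the upper-cased domain part as last resort when nothing matches), then builds the ldap/ SPN for a host. The two krb5.conf texts are constructed from the [domain_realm] entry posted earlier in this thread plus the entry suggested for the Samba lab; the KDC referral step that a real client tries before the last resort is deliberately not modelled.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Krb5ConfMapped is a constructed krb5.conf carrying the [domain_realm] entry
// from the MIT setup posted in this thread plus the one suggested for the
// Samba lab; Krb5ConfUnmapped is the same file without the Samba entry.
const Krb5ConfMapped = `
[libdefaults]
  dns_canonicalize_hostname = false

[domain_realm]
  .xxxx.yyy.zz = XXXX.YYY.ZZ
  .ldap2pg.docker = BRIDOULOU.FR
`

const Krb5ConfUnmapped = `
[libdefaults]
  dns_canonicalize_hostname = false

[domain_realm]
  .xxxx.yyy.zz = XXXX.YYY.ZZ
`

// DomainRealm is the [domain_realm] map, keyed by lower-case host or domain.
type DomainRealm map[string]string

// ParseDomainRealm extracts the "name = REALM" lines of the [domain_realm]
// section; every other section is skipped.
func ParseDomainRealm(conf string) DomainRealm {
	dr := DomainRealm{}
	inSection := false
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasPrefix(line, "["):
			inSection = line == "[domain_realm]"
			continue
		case !inSection:
			continue
		}
		if name, realm, ok := strings.Cut(line, "="); ok {
			dr[strings.ToLower(strings.TrimSpace(name))] = strings.TrimSpace(realm)
		}
	}
	return dr
}

// RealmFor returns the realm the client puts in a service principal for host
// and whether a [domain_realm] entry supplied it. Lookup order follows
// krb5.conf(5): the exact hostname, then each parent domain from longest to
// shortest, where an entry with a leading dot covers hosts below it and an
// entry without the dot implicitly does the same. With no entry, krb5.conf(5)
// describes a referral attempt at the client's KDC and, failing that, the
// upper-cased domain part of the hostname; the referral is not modelled here,
// so that last resort is what an unmapped host gets.
func (dr DomainRealm) RealmFor(host string) (realm string, mapped bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if r, ok := dr[host]; ok {
		return r, true
	}
	labels := strings.Split(host, ".")
	for i := 1; i < len(labels); i++ {
		parent := strings.Join(labels[i:], ".")
		if r, ok := dr["."+parent]; ok {
			return r, true
		}
		if r, ok := dr[parent]; ok {
			return r, true
		}
	}
	if i := strings.IndexByte(host, '.'); i >= 0 {
		return strings.ToUpper(host[i+1:]), false
	}
	return "", false
}

// LDAPServicePrincipal is the SPN a GSSAPI bind to host asks the KDC for. It
// must exist as a principal in the KDC database (and the LDAP server needs a
// keytab for it to accept the ticket), otherwise the KDC answers
// "Server not found in Kerberos database".
func (dr DomainRealm) LDAPServicePrincipal(host string) string {
	realm, _ := dr.RealmFor(host)
	return "ldap/" + strings.ToLower(strings.TrimSuffix(host, ".")) + "@" + realm
}

func main() {
	for _, conf := range []string{Krb5ConfUnmapped, Krb5ConfMapped} {
		dr := ParseDomainRealm(conf)
		for _, h := range []string{"krbldap-001.xxxx.yyy.zz", "samba1.ldap2pg.docker"} {
			realm, mapped := dr.RealmFor(h)
			fmt.Printf("%-26s realm=%-16s mapped=%-5v spn=%s\n", h, realm, mapped, dr.LDAPServicePrincipal(h))
		}
	}
}
```

Without the .ldap2pg.docker entry the client derives LDAP2PG.DOCKER for samba1.ldap2pg.docker; with it, the request becomes ldap/samba1.ldap2pg.docker@BRIDOULOU.FR, which is the principal that still has to exist on the Samba side for the bind to get past the error shown above.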

@bersace bersace linked a pull request May 16, 2024 that will close this issue
@bersace bersace changed the title How to use GSSAPI for LDAP authentication in ldap2pg version 6? Use GSSAPI for LDAP authentication May 16, 2024
@bersace bersace changed the title Use GSSAPI for LDAP authentication Use GSSAPI for directory authentication May 16, 2024
@bersace
Member

bersace commented May 16, 2024

cf. #268 for reference.
