The purpose is to be able to bind simple to the LDAP directory while having the userPassword stored in Kerberos
[libdefaults]
default_realm = <OU>.<DOMAIN>.<TLD>
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = true
udp_preference_limit = 1000000
# default_tkt_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
# default_tgs_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
# permitted_enctypes = des-cbc-md5 des-cbc-crc des3-cbc-sha1
[realms]
<OU>.<DOMAIN>.<TLD> = {
kdc = kdc.<ou>.<domain>.<tld>:88
admin_server = kdm.<ou>.<domain>.<tld>:749
default_domain = <ou>.<domain>.<tld>
}
[domain_realm]
.<ou>.<domain>.<tld> = <OU>.<DOMAIN>.<TLD>
<ou>.<domain>.<tld> = <OU>.<DOMAIN>.<TLD>
[logging]
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb5lib.log
#%PAM-1.0
auth include password-auth
account include password-auth
make base
make init
make conf
uri ldap://ldap1.<ou>.<domain>.<tld> ldap://ldap2.<ou>.<domain>.<tld>
base dc=<ou>,dc=<domain>,dc=<tld>
URI ldaps://ldap1.<ou>.<domain>.<tld> ldaps://ldap2.<ou>.<domain>.<tld>
BASE dc=<ou>,dc=<domain>,dc=<tld>
TLS_CACERTDIR /etc/openldap/certs
TLS_REQCERT demand
SASL_MECH PLAIN
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
security ssf=1 update_ssf=112 simple_bind=64
# to get administration rights when authenticated with SASL/GSSAPI
authz-regexp "^uid=([^/,]*)/admin,cn=<ou>.<domain>.<tld>,cn=GSSAPI,cn=auth" "cn=admin,dc=<ou>,dc=<domain>,dc=<tld>"
# to get administration rights when authenticated with SASL/PLAIN
authz-regexp "^uid=([^/,]*),cn=plain,cn=auth" "uid=$1,ou=users,dc=<ou>,dc=<domain>,dc=<tld>"
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by dn.exact="cn=admin,dc=<ou>,dc=<domain>,dc=<tld>" manage
by * none
Using the {SASL} prefix in the userPassword attribute let us use simple-bind for compatibility purpose.
cf http://www.lichteblau.com/ldapvi/cyrus-sasl/sysadmin.html Realms will be passed to saslauthd as part of the saslauthd protocol, however the way each saslauthd module deals with the situation is different (for example, the LDAP plugin allows you to use the realm to query the server, while the rimap and PAM plugins ignore it entirely).
cf https://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html Traditionally, a principal is divided into three parts: the primary, the instance, and the realm. The format of a typical Kerberos V5 principal is primary/instance@REALM.
dn: uid=<uid>,ou=users,ou=<ou>,dc=<domain>,dc=<tld>
uid: <uid>
userPassword: {SASL}<primary>
# Directory in which to place saslauthd's listening socket, pid file, and so
# on. This directory must already exist.
SOCKETDIR=/run/saslauthd
# Mechanism to use when checking passwords. Run "saslauthd -v" to get a list
# of which mechanism your installation was compiled with the ablity to use.
MECH=pam
# Additional flags to pass to saslauthd on the command line. See saslauthd(8)
# for the list of accepted flags.
#FLAGS="-O /etc/saslauthd.conf"
mech_list: PLAIN
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux
# systemctl enable saslauthd
# systemctl start saslauthd
# saslauthd -v
saslauthd 2.1.26
authentication mechanisms: getpwent kerberos5 pam rimap shadow ldap httpform
# ldapsearch -x -H ldapi:/// -b '' -LLL -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
# kinit <uid>@LABOS.<DOMAIN>.<TLD>
Password for <uid>@LABOS.<DOMAIN>.<TLD>:
# ldapvi -Z -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: <uid>@LABOS.<DOMAIN>.<TLD>
SASL SSF: 56
SASL data security layer installed.
162 entries read
No changes.
# ldapvi -Z -Y PLAIN -U <uid>
SASL/PLAIN authentication started
--- SASL login
Type M-h for help on key bindings.
authorization name:
authentication name: <uid>
password: **********
SASL username: <uid>
SASL SSF: 0
162 entries read
No changes.
# ldapvi -Z -D uid=<uid>,ou=users,ou=<ou>,dc=<domain>,dc=<tld>
--- Login
Type M-h for help on key bindings.
Filter or DN: uid=<uid>,ou=users,ou=<ou>,dc=<domain>,dc=<tld>
Password: **********
162 entries read
No changes.