Required software
openldap-2.4.13
BerkeleyDB-4.6.21
cyrus-sasl-2.1.26
krb5-1.11.1
OpenLDAP and BerkeleyDB have a version dependency; the versions listed above are known to work together. For the other two, the latest release is fine.
Installation steps
1. Install BerkeleyDB
tar xvfz db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
2. Install basic OpenLDAP (without SASL)
export CPPFLAGS="-I/usr/local/BerkeleyDB/include"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
export LD_LIBRARY_PATH="/root/db-4.6.21/build_unix/.libs"
cd openldap-2.4.13
./configure --prefix=/root/openldap
make depend
make
make test
make install
3. Install krb5
The krb5 shipped with the system may not support GSSAPI, so building your own is the safer choice.
./configure --prefix=/root/krb5
make
If you hit "yacc: Command not found", install bison to fix it.
make install
4. Install cyrus-sasl
Use the self-built krb5 (the system one may not support GSSAPI), so add /root/krb5/lib to LD_LIBRARY_PATH:
export LD_LIBRARY_PATH="/root/wlu/db-4.6.21/build_unix/.libs:/root/krb5/lib"
By default the plugins are looked up in /usr/lib/sasl2, but since a prefix was given at install time, plugindir also has to be specified explicitly:
./configure --prefix=/root/sasl2 --with-openssl=/root/openssl --with-ldap=/root/openldap --with-gss_impl=mit --enable-gssapi=yes --with-plugindir=/root/sasl2/lib/sasl2
make
make install
Use "pluginviewer | grep -i gssapi" to check that the gssapi plugin was installed correctly. (pluginviewer is an executable produced by the cyrus-sasl install.)
5. Install OpenLDAP with SASL support
Change CPPFLAGS and LDFLAGS to:
export CPPFLAGS="-I/usr/local/BerkeleyDB/include -I/root/sasl2/include -I/root/krb5/include -lgssapi_krb5 -lgssrpc"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib -L/root/sasl2/lib -L/root/krb5/lib"
Then configure:
./configure --prefix=/root/openldap --with-cyrus-sasl --with-gssapi
The remaining steps are the same as for the earlier OpenLDAP install (make depend, make, make test, make install).
LDAPSEARCH
Reference: http://www.spinics.net/lists/cyrus-sasl/msg01226.html
First obtain a TGT with kinit, then run ldapsearch.
You can use "ldapsearch -x -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241" to see which SASL mechanisms AD supports:
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
Test with "ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241".
Problems encountered with kinit:
a) kinit: Cannot find KDC for requested realm while getting initial credentials
Fix: edit /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DEV.CN
dns_lookup_realm = true <-- changed from false to true
dns_lookup_kdc = true <-- changed from false to true
ticket_lifetime = 24h
forwardable = yes
[realms]
DEV.CN = {
kdc = 10.155.60.241:88 <-- use the IP address, not the domain name
admin_server = 10.155.60.241:749 <-- use the IP address, not the domain name
default_domain = DEV.CN
}
[domain_realm]
.dev.cn = DEV.CN
dev.cn = DEV.CN
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}
b) kinit: KDC reply did not match expectations while getting initial credentials
Problems encountered with ldapsearch:
ldap_sasl_interactive_bind_s: Local error (-2)
A packet capture showed the reverse DNS lookup failing, so a reverse DNS (PTR) record was added.
After that change the capture showed the bind succeeding, but a new problem appeared:
ldap_sasl_interactive_bind_s: More results to return (-15)
Switching to "ldapsearch -Y GSSAPI -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241" solved the problem.
Post-mortem analysis:
cyrus-sasl + openldap simply does not support searching AD via GSS-SPNEGO.
The cyrus-sasl 2.1.26 release notes contain this line:
- Added support for GSS-SPNEGO SASL mechanism (Unix only), which is also HTTP capable
It is unclear whether this means GSS-SPNEGO is only supported for HTTP and not for LDAP.
References:
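The mechanism check and the bind troubleshooting above, as an added example (not from the original post): pick a SASL mechanism from the rootDSE answer, preferring GSSAPI over GSS-SPNEGO, and map the bind errors seen above to the checks the post used. The host 10.155.60.241 is the one from the post; the ldapsearch output embedded below is a constructed sample, and run_check assumes ldapsearch, kinit and klist are on PATH.

```shell
#!/bin/sh
# Constructed sample of "ldapsearch -x -LLL -s base -b '' supportedSASLMechanisms" output.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# Choose a mechanism from rootDSE output ($1). GSSAPI is preferred because a
# GSS-SPNEGO bind from cyrus-sasl + ldapsearch did not complete against AD.
pick_mech() {
    if printf '%s\n' "$1" | grep -qx 'supportedSASLMechanisms: GSSAPI'; then
        echo GSSAPI
    elif printf '%s\n' "$1" | grep -qx 'supportedSASLMechanisms: DIGEST-MD5'; then
        echo DIGEST-MD5
    else
        return 1
    fi
}

# Map the error text from kinit/ldapsearch ($1) to the cause found in the post.
diagnose() {
    case "$1" in
        *"Cannot find KDC"*)
            echo "check the [realms] kdc entry (use the IP) and dns_lookup_kdc in /etc/krb5.conf" ;;
        *"Local error (-2)"*)
            echo "check klist for a valid TGT and the reverse DNS (PTR) record of the AD host" ;;
        *"More results to return (-15)"*)
            echo "GSS-SPNEGO bind does not complete; retry with -Y GSSAPI" ;;
        *)
            echo "unrecognised error: $1" ;;
    esac
}

# Live check against a server (assumed host); prints a diagnosis on failure.
run_check() {
    host=${1:-10.155.60.241}
    out=$(ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms -h "$host") || return 1
    mech=$(pick_mech "$out") || { echo "no usable SASL mechanism offered"; return 1; }
    klist -s || { echo "no Kerberos ticket: run kinit first"; return 1; }
    err=$(ldapsearch -Y "$mech" -LLL -s base -b "" supportedSASLMechanisms -h "$host" 2>&1) \
        || diagnose "$err"
}
```

Call run_check with the AD host as its argument after kinit; the diagnosis printed on failure is the one the post arrived at for that error.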
http://juven.blog.51cto.com/749867/152969/
http://www.spinics.net/lists/cyrus-sasl/msg01226.html
http://fixunix.com/kerberos/59933-kadmin-cannot-contact-any-kdc-requested-realm-whileinitializing-kadmin-interface.html
http://www.linuxquestions.org/questions/linux-networking-3/kerberos-kinit-reply-did-not-match-expectations-445698/