# nss_ldap sasl gssapi authentication?



## mamalos (Mar 18, 2011)

Hey everybody,

I am trying to use nsswitch information from my openldap server, which allows both simple-bind and SASL/GSSAPI authentication. My DIT in openldap works fine as far as ACLs are concerned, my KDC works fine, I am able to kinit to any user I wish, and everything works just fine. My nss_ldap works as expected when I use my special account with simple-bind authentication, but when I try to use SASL/GSSAPI authentication instead, I cannot make things work (the truth is that I am not quite sure what the correct configuration would be, and googling it did not yield any obvious answers either...).

So here is what my /usr/local/etc/nss_ldap.conf looks like (as far as sasl is concerned. Everything else is omitted since it works with simple-bind authentication):


```
sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache
use_sasl on
sasl_authid nss_auth_client
krb5_ccname FILE:/etc/nss_auth_client.key
```

where nss_auth_client is my krb5 principal, and /etc/nss_auth_client.key contains this principal's keytab. I've tried with the sasl_secprops option commented out, with no luck either.

`$ ktutil -k /etc/nss_auth_client.key list`

```
/etc/nss_auth_client.key:

Vno  Type                     Principal
  1  des-cbc-md5              nss_auth_client@EXAMPLE.COM
  1  des-cbc-md4              nss_auth_client@EXAMPLE.COM
  1  des-cbc-crc              nss_auth_client@EXAMPLE.COM
  1  aes256-cts-hmac-sha1-96  nss_auth_client@EXAMPLE.COM
  1  des3-cbc-sha1            nss_auth_client@EXAMPLE.COM
  1  arcfour-hmac-md5         nss_auth_client@EXAMPLE.COM
```

`$ ls -lrta /etc/nss_auth_client.key`


```
-rw-r--r--  1 root  wheel  - 410 18 Mar 15:24 /etc/nss_auth_client.key
```

I am able to `$ kinit -t /etc/nss_auth_client.key nss_auth_client` without any issues and klist shows:


```
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: nss_auth_client@EXAMPLE.COM

  Issued           Expires          Principal
Mar 18 15:38:33  Mar 19 01:37:11  krbtgt/EXAMPLE.COM@EXAMPLE.COM
```

Anyone know how to accomplish SASL/GSSAPI authentication on nss_ldap? My versions are as follows:
`$ ls -lrta /var/db/pkg | egrep -i`

```
drwxr-xr-x   2 root  wheel  -  512 13 Dec 09:30 cyrus-sasl-2.1.23_1/
drwxr-xr-x   2 root  wheel  -  512 13 Dec 09:31 openldap-sasl-client-2.4.23/
drwxr-xr-x   2 root  wheel  -  512 13 Dec 09:31 nss_ldap-1.265_4/
```

I use the BASE installation's heimdal, and:

`$ uname -a`

```
FreeBSD lala 8.1-STABLE FreeBSD 8.1-STABLE #1: Mon Sep 20 13:33:27 EEST 2010     root@lala:/usr/obj/usr/src/sys/FILESRV  amd64
```

Thank you all for your time in advance,

mamalos


----------



## mamalos (Mar 19, 2011)

Guys, nobody?

SirDice? Dutchdaemon? Come on...somebody must have tried an analogous setup, no!? If not, does anybody know some other resource to point me to (apart from the man page, I mean)? Maybe some specific logging mechanism in slapd that I am not aware of, or another logging facility?

The only thing I am able to notice is that the nss machine does not even try to connect to the KDC before attempting to connect to slapd. So, I guess the problem is related to the configuration directives associated with sasl/gssapi. As for whether it is built with gssapi and sasl support:

`#  ldd /usr/local/lib/nss_ldap.so.1`

```
/usr/local/lib/nss_ldap.so.1:
        libldap-2.4.so.7 => /usr/local/lib/libldap-2.4.so.7 (0x800c00000)
        liblber-2.4.so.7 => /usr/local/lib/liblber-2.4.so.7 (0x800d41000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x800e4e000)
        libkrb5.so.10 => /usr/lib/libkrb5.so.10 (0x800f66000)
        libcom_err.so.5 => /usr/lib/libcom_err.so.5 (0x8010d5000)
        libgssapi_krb5.so.10 => /usr/lib/libgssapi_krb5.so.10 (0x8011d7000)
        libc.so.7 => /lib/libc.so.7 (0x800647000)
        libssl.so.6 => /usr/lib/libssl.so.6 (0x8012f1000)
        libcrypto.so.6 => /lib/libcrypto.so.6 (0x801444000)
        libgssapi.so.10 => /usr/lib/libgssapi.so.10 (0x8016e5000)
        libhx509.so.10 => /usr/lib/libhx509.so.10 (0x8017ef000)
        libroken.so.10 => /usr/lib/libroken.so.10 (0x80192f000)
        libasn1.so.10 => /usr/lib/libasn1.so.10 (0x801a41000)
        libcrypt.so.5 => /lib/libcrypt.so.5 (0x801bc3000)
```

Which seems fine to me...

I don't know guys...if anyone has an idea feel free.

Thank you all again for your time and effort.

mamalos


----------



## gordon@ (Mar 20, 2011)

I really wouldn't recommend using a SASL bind for nss without nscd running, it will noticeably slow down your system.

I think your problem is you are attempting to use the keytab as a ccache, which doesn't work. Try this:
`# kinit -t /etc/nss_auth_client.key -c /etc/.ldapcache nss_auth_client`

Then set the krb5_ccname to FILE:/etc/.ldapcache

I don't have direct experience with this, but I do have a (better than most) idea how krb5 is supposed to work.


----------



## mamalos (Mar 20, 2011)

Thank you gordon, it worked!

Now, I have three questions regarding your answer:

1) Does the ccache have to be "renewed" in any way? Isn't it associated with "Max ticket life"? Because if so, I don't know how to renew it automatically. (except if I change the principal's max ticket life value to something very big, which would really degrade the service security-wise)

2) One of my servers that uses ldap/nss runs samba with an ldap backend (the same ldap as above), plus it runs winbind. If I run nscd on this server, won't I have the problems stated in http://samba.org/samba/docs/man/Samba-Guide/happy.html#id2573097?

3) If nscd is not running, is the performance difference so obvious when we compare simple bind to sasl bind? I thought that simple bind would be "equally" slow with sasl bind.

Thank you very much for your help again,

mamalos


----------



## gordon@ (Mar 20, 2011)

mamalos said:

> 1) Does the ccache have to be "renewed" in any way? Isn't it associated with "Max ticket life"? Because if so, I don't know how to renew it automatically. (except if I change the principal's max ticket life value to something very big, which would really degrade the service security-wise)



Most everything I've seen online suggests that you issue the kinit command periodically out of cron.
See https://www-s.acm.uiuc.edu/wiki/space/Setting+up+Kerberized+LDAP+NSS+on+Fedora+Core+6. While it's for Fedora, the last parts of it are just the krb5 bits that you are looking for.



			
				mamalos said:
			
		

> 2) One of my servers that uses ldap/nss runs samba with an ldap backend (the same ldap as above), plus it runs winbind. If I run nscd on this server, won't I have the problems stated in http://samba.org/samba/docs/man/Samba-Guide/happy.html#id2573097?



Not sure. Since winbind does caching on its own, it might not be bad. Experimentation might be required.



			
				mamalos said:
			
		

> 3) If nscd is not running, is the performance difference so obvious when we compare simple bind to sasl bind? I thought that simple bind would be "equally" slow with sasl bind.



Read up on the nss_ldap(5) option for nss_connect_policy and idle_timelimit. You may want to play around with them to see what you think of the tradeoffs for persisting connections versus having lots of idle connections. Bear in mind that the connection is going to be per process and not pooled on the machine. So if you have 1000 processes all doing name service calls to ldap, that's 1000 connections to the ldap server. Using nscd(8) with the perform-actual-lookups option might mitigate that. Again, it all depends on your server workload.

I don't know what the overhead difference for a GSSAPI connection versus a SASL connection might be. You would have to profile it to figure it out.

Good luck!

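The periodic kinit that gordon@ describes, written out as a cron-driven script. This is an added example, not code from the thread; it uses the keytab, ccache path and principal mamalos posted, and the script name and cron schedule are assumptions. It also checks the keytab's mode, since the `ls -l` output above shows it world-readable.

```shell
#!/bin/sh
# Refresh the nss_ldap credential cache from the keytab (Heimdal kinit
# syntax as used in the thread). Added example; not from the original post.
#
# Assumed crontab line (every 6 hours, well inside the ~10h ticket life
# shown in the klist output above):
#   0 */6 * * * root /usr/local/sbin/nss_ldap_ccache_refresh.sh \
#       /etc/nss_auth_client.key /etc/.ldapcache nss_auth_client

# Return 0 when the keytab is readable by its owner only. The mode field
# from ls -l, columns 5-10, holds the group and other permission bits;
# the posted keytab is 0644, which lets every local user read the
# principal's long-term key.
check_keytab_perms() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Fetch a fresh TGT into a temporary cache, then rename it into place so
# processes that read the cache through nss_ldap never see a partially
# written file. Returns non-zero if kinit is missing or fails.
refresh_ccache() {
    keytab=$1; ccache=$2; principal=$3
    tmp="${ccache}.tmp.$$"
    check_keytab_perms "$keytab" ||
        echo "warning: $keytab is missing or readable by group/other" >&2
    command -v kinit >/dev/null 2>&1 || { echo "kinit not found" >&2; return 1; }
    if kinit -t "$keytab" -c "FILE:$tmp" "$principal"; then
        mv -f "$tmp" "$ccache"
    else
        rm -f "$tmp"
        echo "kinit failed for $principal; old cache left untouched" >&2
        return 1
    fi
}

# Only act when invoked with keytab, ccache and principal arguments.
if [ "$#" -eq 3 ]; then
    refresh_ccache "$1" "$2" "$3"
fi
```

Because the old cache is replaced only after a successful kinit, a transient KDC outage leaves the previous, still-valid tickets in place.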

----------



## mamalos (Mar 20, 2011)

gordon,

thanks man, you couldn't have been more helpful and precise. Well done!


----------

