Required software
openldap-2.4.13
BerkeleyDB-4.6.21
cyrus-sasl-2.1.26
krb5-1.11.1
OpenLDAP and BerkeleyDB have a version dependency; the versions listed above are known to be compatible. For the other two, the latest version is fine.
Installation steps
1. Install BerkeleyDB
tar xvfz db-4.6.21.tar.gz
cd db-4.6.21/build_unix/
../dist/configure --prefix=/usr/local/BerkeleyDB
make
make install
2. Install basic OpenLDAP
export CPPFLAGS="-I/usr/local/BerkeleyDB/include"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib"
export LD_LIBRARY_PATH="/root/db-4.6.21/build_unix/.libs"
cd openldap-2.4.13
./configure --prefix=/root/openldap
make depend
make
make test
make install
3. Install krb5
The krb5 shipped with the system may not support GSSAPI; building your own is safer.
./configure --prefix=/root/krb5
make
(If make fails with "yacc: Command not found", install bison to fix it.)
make install
4. Install cyrus-sasl
Use the krb5 we built ourselves, since the system one may not support GSSAPI, so add /root/krb5/lib to LD_LIBRARY_PATH:
export LD_LIBRARY_PATH="/root/wlu/db-4.6.21/build_unix/.libs:/root/krb5/lib"
Because plugins are looked for in /usr/lib/sasl2 by default, but we installed with a custom prefix, plugindir also has to be specified:
./configure --prefix=/root/sasl2 --with-openssl=/root/openssl --with-ldap=/root/openldap --with-gss_impl=mit --enable-gssapi=yes --with-plugindir=/root/sasl2/lib/sasl2
Use pluginviewer | grep -i gssapi to check whether the gssapi plugin was installed correctly. (pluginviewer is an executable produced once cyrus-sasl has been installed.)
5. Install OpenLDAP with SASL support
Change CPPFLAGS and LDFLAGS to:
export CPPFLAGS="-I/usr/local/BerkeleyDB/include -I/root/sasl2/include -I/root/krb5/include -lgssapi_krb5 -lgssrpc"
export LDFLAGS="-L/usr/local/BerkeleyDB/lib -L/root/sasl2/lib -L/root/krb5/lib"
Then configure:
./configure --prefix=/root/openldap --with-cyrus-sasl --with-gssapi
The remaining steps are the same as when installing OpenLDAP earlier.
LDAPSEARCH
Reference: http://www.spinics.net/lists/cyrus-sasl/msg01226.html
First obtain a TGT with kinit, then run ldapsearch.
You can use ldapsearch -x -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241 to see which SASL mechanisms AD supports:
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
Test with ldapsearch -Y GSS-SPNEGO -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241.
Problems encountered with kinit:
a) kinit: Cannot find KDC for requested realm while getting initial credentials
Solution: edit /etc/krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = DEV.CN
dns_lookup_realm = true <-- changed from false to true
dns_lookup_kdc = true <-- changed from false to true
ticket_lifetime = 24h
forwardable = yes
[realms]
DEV.CN = {
    kdc = 10.155.60.241:88 <-- use the IP, not the domain name
    admin_server = 10.155.60.241:749 <-- use the IP, not the domain name
    default_domain = DEV.CN
}
[domain_realm]
.dev.cn = DEV.CN
dev.cn = DEV.CN
[appdefaults]
pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false
}
b) kinit: KDC reply did not match expectations while getting initial credentials
Solution:
Change the realm name to uppercase: kinit xxx@DEV.CN
Problems encountered with ldapsearch:
ldap_sasl_interactive_bind_s: Local error (-2)
A packet capture showed that the DNS reverse lookup was failing, so a DNS reverse (PTR) record was added.
After that change, the capture showed the bind succeeding, but a new problem appeared:
ldap_sasl_interactive_bind_s: More results to return (-15)
Switching to ldapsearch -Y GSSAPI -LLL -s "base" -b "" supportedSASLMechanisms -h 10.155.60.241 solved the problem.
Post-mortem analysis:
cyrus-sasl + openldap simply do not support using GSS-SPNEGO to search AD.
The cyrus-sasl 2.1.26 release notes contain this line:
- Added support for GSS-SPNEGO SASL mechanism (Unix only), which is also HTTP capable
It is unclear whether this means GSS-SPNEGO only supports HTTP and not LDAP.
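As an added example (not part of the original notes), here is a small POSIX shell helper that parses the supportedSASLMechanisms reply, chooses GSSAPI over GSS-SPNEGO as the troubleshooting above concluded, and uppercases the realm for kinit. The sample LDIF, the principal xxx@dev.cn and the host 10.155.60.241 are constructed from the values shown above.

```shell
# Added example, not from the original notes: choose the SASL mechanism for
# ldapsearch from the rootDSE reply, preferring GSSAPI and skipping GSS-SPNEGO,
# which the notes above found does not work with cyrus-sasl + openldap.
# The LDIF below is constructed to mirror the AD reply shown earlier.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5'

# list_sasl_mechs: read LDIF on stdin, print one mechanism name per line.
list_sasl_mechs() {
    sed -n 's/^supportedSASLMechanisms: *//p'
}

# pick_sasl_mech: read LDIF on stdin and print the first mechanism from our
# preference list that the server advertises. GSS-SPNEGO is deliberately
# left out; EXTERNAL (TLS client auth / ldapi) is out of scope here.
pick_sasl_mech() {
    mechs=$(list_sasl_mechs)
    for want in GSSAPI DIGEST-MD5; do
        if printf '%s\n' "$mechs" | grep -qx "$want"; then
            printf '%s\n' "$want"
            return 0
        fi
    done
    echo "no usable SASL mechanism advertised" >&2
    return 1
}

# upper_realm PRINCIPAL: uppercase the realm part (xxx@dev.cn -> xxx@DEV.CN),
# the fix for "KDC reply did not match expectations" described above.
upper_realm() {
    case $1 in
        *@*) printf '%s@%s\n' "${1%@*}" "$(printf '%s' "${1#*@}" | tr '[:lower:]' '[:upper:]')" ;;
        *)   printf '%s\n' "$1" ;;
    esac
}

# ldapsearch_cmd HOST: print the rootDSE query to run after kinit, using the
# mechanism picked from an anonymous (-x) rootDSE reply fed on stdin.
ldapsearch_cmd() {
    mech=$(pick_sasl_mech) || return 1
    printf 'ldapsearch -Y %s -LLL -s base -b "" supportedSASLMechanisms -h %s\n' "$mech" "$1"
}

# Stand-alone demo on the constructed sample; in practice pipe in the output of
#   ldapsearch -x -LLL -s base -b "" supportedSASLMechanisms -h <host>
printf '%s\n' "$SAMPLE_ROOTDSE" | ldapsearch_cmd 10.155.60.241
```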
References: