SASL AuthN to LDAP
b.candler at pobox.com
Wed Oct 19 12:57:51 CEST 2016
On 18/10/2016 15:55, Brian Candler wrote:
> So the way I got it to work was to set the environment variable in
> /etc/default/freeradius [for Ubuntu, when running as a service], or
> directly when running from the command line:
> KRB5CCNAME=... freeradius -X
As an aside, I wonder if someone can answer this question. Can
freeradius itself fetch and refresh its own kerberos tickets using a
keytab? Or does this have to be done externally?
The way I have it working right now is to use an hourly crontab to fetch
===> /etc/cron.hourly/freeradius-krb5 <===
kinit -t /root/radiusd.keytab -k radius/radius1-1.int.example.com -c
chown freerad:freerad /var/tmp/radius.krb5
Then I start freeradius pointing to the ticket *cache* file:
# KRB5CCNAME=/var/tmp/radius.krb5 freeradius -X
And this works. However, the documentation for the ldap module says:
# At a minimum you probably want to set KRB5_CLIENT_KTNAME.
This implies that maybe I just have to refer to the keytab, and
freeradius/sasl will fetch its own tickets as required. But I've not
been able to get this to work:
# KRB5_CLIENT_KTNAME=/root/radiusd.keytab freeradius -X
rlm_ldap (ldap): Opening additional connection (0), 1 of 32 pending
rlm_ldap (ldap): Connecting to ldap://ldap-1.ipa.example.com:389
rlm_ldap (ldap): Starting SASL mech(s): GSSAPI
SASL/GSSAPI authentication started
rlm_ldap (ldap): Bind with (anonymous) to
ldap://ldap-1.ipa.example.com:389 failed: Local error
rlm_ldap (ldap): Opening connection failed (0)
rlm_ldap (ldap): Removing connection pool
/etc/freeradius/mods-enabled/ldap: Instantiation failed for module "ldap"
Same result with KRB5_KTNAME.
It seems that at very least I would need to specify (somewhere) which
principal name to use (i.e. the '-k' argument to kinit in my cronjob).
But I can't find an environment variable for this:
Nor any setting in the rlm_ldap config. I see that the sasl.c code can
use this->identity (and also this->password), but I imagine these are
for simple binds, and the config says *not* to use them for Kerberos:
# Administrator account for searching and possibly modifying.
# If using SASL + KRB5 these should be commented out.
# identity = 'cn=admin,dc=example,dc=org'
# password = mypass
So in summary, my questions are:
1. Is there a way to use just the keytab, rather than
2. Under what circumstances would you ever use KRB5_CLIENT_KTNAME as
recommended in the sample config?
Specifically, this works (using a ticket cache):
KRB5CCNAME=/var/tmp/radius.krb5 freeradius -X
But these doesn't, whether I point to ticket cache or the keytab:
KRB5_CLIENT_KTNAME=/var/tmp/radius.krb5 freeradius -X
KRB5_CLIENT_KTNAME=/root/radiusd.keytab freeradius -X
More information about the Freeradius-Users