Added GSSAPI Authentication.

2026-05-14 22:47:45 +02:00
parent 8846c463c7
commit 28f8bebe04
6 changed files with 92 additions and 0 deletions
+58
@@ -210,3 +210,61 @@ ldapsearch -x -H ldap://localhost \
ldapwhoami -x -H ldap://localhost \
-D "cn=readonly,ou=service-accounts,dc=koszewscy,dc=waw,dc=pl" -W
```
## Kerberos SASL/GSSAPI
Gate with `KERBEROS_ENABLE=1`. When enabled, slapd is configured at first-run bootstrap with SASL GSSAPI and two authz-regexp rules that map Kerberos principals to LDAP DNs.
### Environment variables
| Variable | Default | Description |
|---|---|---|
| `KERBEROS_ENABLE` | `0` | Set to `1` to enable |
| `KRB5_REALM` | — | Kerberos realm (uppercase, e.g. `EXAMPLE.ORG`) |
| `KRB5_SASL_HOST` | — | Hostname matching the `ldap/<host>@REALM` service principal |
| `KRB5_KTNAME` | `/etc/ldap/ldap.keytab` | Path to the keytab inside the container |
### Principal-to-DN mapping
| Kerberos principal | LDAP DN |
|---|---|
| `*/admin@REALM` | `cn=admin,<base_dn>` |
| `username@REALM` | `uid=username,ou=users,<base_dn>` |
### Setup steps
1. In the Kerberos container, create the service principal and extract a keytab:
```bash
kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
```
2. Copy the keytab to the OpenLDAP host:
```bash
container cp kerberos:/tmp/ldap.keytab ~/app-data/openldap/ldap.keytab
```
3. Mount it into the OpenLDAP container at `KRB5_KTNAME` (default `/etc/ldap/ldap.keytab`) and set the Kerberos env vars in `openldap.env`.
4. On first start, bootstrap applies the SASL configuration automatically. For an already-initialised instance apply it manually:
```bash
ldapmodify -Q -Y EXTERNAL -H ldapi:/// <<'EOF'
dn: cn=config
changetype: modify
replace: olcSaslHost
olcSaslHost: ldap.example.org
-
replace: olcSaslRealm
olcSaslRealm: EXAMPLE.ORG
-
replace: olcAuthzRegexp
olcAuthzRegexp: {0}uid=([^/]+)/admin,cn=example.org,cn=gssapi,cn=auth cn=admin,dc=example,dc=org
olcAuthzRegexp: {1}uid=([^,]+),cn=example.org,cn=gssapi,cn=auth uid=$1,ou=users,dc=example,dc=org
EOF
```
### Test authentication
```bash
kinit username@REALM
ldapwhoami -Y GSSAPI -H ldap://ldap.example.org
```
Expected: `dn:uid=username,ou=users,dc=example,dc=org`
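Review bot: the two `olcAuthzRegexp` rules in step 4 turn every principal in the realm into a valid bind identity, and the `{1}` rule `uid=([^,]+),cn=example.org,cn=gssapi,cn=auth` is a catch-all, so service principals such as `host/...@REALM` are mapped to `uid=host/...,ou=users,...` as well; the ACLs on `ou=users` are then the only thing limiting what a non-user principal can do, and the text should say so. Two things to verify before this is merged: (a) the realm component is written in lowercase (`cn=example.org`) while `olcSaslRealm` is set to `EXAMPLE.ORG`; rather than assume a case, run `ldapwhoami -Y GSSAPI` before the rules are applied, which returns the unmapped `uid=...,cn=...,cn=gssapi,cn=auth` identity, and copy that realm string into both patterns; (b) `replace: olcAuthzRegexp` discards any rules the instance already had, so the "already-initialised instance" step should either warn about that or use `add:`. The keytab steps also need a hardening line: the file written by `ktadd` is the service's long-term key, so `/tmp/ldap.keytab` should be removed from the Kerberos container after `container cp`, the copy under `~/app-data/openldap/` should be mode 0400 and owned by the user slapd runs as, and re-running `ktadd` rotates the key (new kvno) and invalidates every earlier copy of the keytab. Finally, the test step must use the host from `KRB5_SASL_HOST` (`ldap://ldap.example.org`), not `ldap://localhost` as in the earlier examples, because the GSSAPI client requests the `ldap/<host>@REALM` ticket for whatever hostname appears in the URL.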