Added GSSAPI Authentication.

bootstrap/init.py

@@ -17,6 +17,9 @@ SLAPD_D = Path("/etc/ldap/slapd.d")
 base_dn = os.environ.get("LDAP_BASE_DN") or "dc=example,dc=org"
 password = os.environ.get("LDAP_PASSWORD") or "changeit"
 tls_enabled = os.environ.get("TLS_ENABLED") == "1"
+kerberos_enabled = os.environ.get("KERBEROS_ENABLE") == "1"
+krb5_realm = os.environ.get("KRB5_REALM", "")
+krb5_sasl_host = os.environ.get("KRB5_SASL_HOST", "")
 admin_dn = f"cn=admin,{base_dn}"
 
 
@@ -116,6 +119,9 @@ def main():
     apply_ldif(LDIF_DIR / "config-acl.ldif", env, base_dn=base_dn, admin_dn=admin_dn)
     if tls_enabled:
         apply_ldif(LDIF_DIR / "config-tls.ldif", env)
+    if kerberos_enabled:
+        apply_ldif(LDIF_DIR / "config-sasl.ldif", env,
+                   base_dn=base_dn, krb5_realm=krb5_realm, sasl_host=krb5_sasl_host)
 
     print("cn=config updated.")
 

bootstrap/ldif/config-sasl.ldif

@@ -0,0 +1,11 @@
+dn: cn=config
+changetype: modify
+replace: olcSaslHost
+olcSaslHost: {{ sasl_host }}
+-
+replace: olcSaslRealm
+olcSaslRealm: {{ krb5_realm }}
+-
+replace: olcAuthzRegexp
+olcAuthzRegexp: {0}uid=([^/]+)/admin,cn={{ krb5_realm | lower }},cn=gssapi,cn=auth cn=admin,{{ base_dn }}
+olcAuthzRegexp: {1}uid=([^,]+),cn={{ krb5_realm | lower }},cn=gssapi,cn=auth uid=$1,ou=users,{{ base_dn }}