[debian-lan-devel] Problems with SASL encryption
Andreas B. Mundt
andi.mundt at web.de
Mon Jan 14 13:12:34 UTC 2013
Hi all,
when implementing GOsa for the Debian-LAN setup [1], I ran into the
following problems/bugs. (Packages from Debian Wheezy):
The idea is to use SASL to authenticate users in a setup with kerberos.
To implement that, I use passwordDefaultHash="sasl" in gosa.conf
(attached).
However, when I add a user in GOsa, I end up with:
-------8<-------
uid=ante,ou=people,ou=gosa,dc=intern
sn: Another
givenName: Test
uid: ante
cn: Test Another
userPassword: {SASL}@INTERN
-------8<-------
^^^^^^
The uid is missing.
If I log into GOsa as admin and modify the Password storage in the
"Generic"-Tab to ssha (press apply) and back to sasl, I end up with
what I would have expected from the beginning:
userPassword: {SASL}ante at INTERN
Further more, there is no way to enter a password. This has been
discussed earlier on this list IIRC, and is due to the fact that I do
not use gosa-si. However, it would be great to allow entering
passwords, as a hook can send the password to the Kerberos KDC. If I
use ssha I have to use the hook to synchronize KDC and LDAP passwords
and I have the passwords in two places which might get out of sync if
a user modifies the kerberos password using kpasswd.
To sum up:
Is it possible to work around the missing gosa-si and enable entering
passwords which will be handled in a hook?
Any ideas why the uid is missing in 'userPassword: {SASL}@INTERN' when
initially creating the user? Is this a bug that can be fixed or some
misunderstanding on my side?
Any help is appreciated.
Best regards,
Andi
[1] <URL:http://wiki.debian.org/DebianLAN>
-------------- next part --------------
<?xml version="1.0"?>
<conf configVersion="edb33ed1745798da76048582c2f16a48"
instancePassword=""
instanceUUID="cf086ce3-4b0a-45b5-b813-dc64eb51f1eb">
<!-- GOsa menu definition **************************************************
This tag defines the side and icon menu inside the
interface. Defining an entry here is no guarantie to get it shown,
though. Only entries with matching ACL's get shown.
There are two types of entries inside of the menu: section and plugin
Defining a section:
Open a <section> tag including a "name" attribute. This will show up in
the menu as a new section later on. Own entries are not handled via I18N
by default. Close the </section> tag after your plugin definitions.
Defining a plugin:
Open a <plugin> tag including a "class" attribute. The "class" should be
present inside your GOsa setup - the entry will be ignored if it is not.
Plugins should have an "acl" entry, that allows GOsa to decide wether
a user is allowed to see a plugin or not. The "acl" string matches with
an ACL definition done inside of GOsa -> ACLs.
You can override an icon by specifying the "icon" attribute.
For more information about possible configuration parameters, please take
a look at the gosa.conf(5) manual page.
-->
<menu>
<!-- Section to enable administrative services -->
<section name="Administration">
<plugin acl="department" class="departmentManagement" />
<!-- This long ACL list is required to exclude the users menu entry when only
'viewFaxEntries' permissions are set -->
<plugin acl="users/netatalk,users/environment,users/posixAccount,users/kolabAccount,users/phpscheduleitAccount,users/oxchangeAccount,users/proxyAccount,users/connectivity,users/pureftpdAccount,users/phpgwAccount,users/opengwAccount,users/pptpAccount,users/intranetAccount,users/webdavAccount,users/nagiosAccount,users/sambaAccount,users/groupware,users/mailAccount,users/user,users/scalixAccount,users/password,users/gofaxAccount,users/phoneAccount,users/Groupware"
class="userManagement" />
<plugin acl="groups" class="groupManagement" />
<plugin acl="roles" class="roleManagement"/>
<plugin acl="acl" class="aclManagement" />
<plugin acl="ogroups" class="ogroupManagement" />
<plugin acl="sudo" class="sudoManagement" />
<plugin acl="application" class="applicationManagement" />
<plugin acl="mimetypes" class="mimetypeManagement" />
<plugin acl="devices" class="deviceManagement" />
<plugin acl="terminal/termgeneric,workstation/workgeneric,server/servgeneric,phone/phoneGeneric,printer/printgeneric,component/componentGeneric,winworkstation/wingeneric,opsi/opsiGeneric" class="systemManagement" />
<!-- Use 'lockDn' for dn
'lockName' for name
'lockType' for branch/freeze -->
<plugin acl="fai/faiScript,fai/faiHook,fai/faiTemplate,fai/faiVariable,fai/faiPartitionTable,fai/faiPackage,fai/faiProfile,fai/faiManagement,opsi/opsiProperties" class="faiManagement" />
<plugin acl="opsi" class="opsiLicenses"/>
<plugin acl="gofaxlist" class="blocklist" />
<plugin acl="gofonmacro" class="goFonMacro" />
<plugin acl="gofonconference" class="phoneConferenceManagment" />
</section>
<!-- Section to enable addon plugins -->
<section name="Addons">
<plugin acl="all/all" class="propertyEditor" />
<plugin acl="server/rSyslogServer" class="rsyslog" />
<!-- <plugin acl="mailqueue" class="mailqueue" />-->
<plugin acl="users/viewFaxEntries:self,users/viewFaxEntries" class="faxreport" />
<plugin acl="users/viewFonEntries:self,users/viewFonEntries" class="fonreport" />
<plugin acl="gotomasses" class="gotomasses" />
<plugin acl="ldapmanager" class="ldif" />
</section>
</menu>
<!-- These entries will be rendered on the short-cut menu -->
<shortCutMenu>
<plugin acl="none" class="welcome" />
</shortCutMenu>
<!-- These entries will be rendered on the path navigator -->
<pathMenu>
<plugin acl="users/netatalk:self,users/environment:self,users/posixAccount:self,users/kolabAccount:self,users/phpscheduleitAccount:self,users/oxchangeAccount:self,users/proxyAccount:self,users/connectivity:self,users/pureftpdAccount:self,users/phpgwAccount:self,users/opengwAccount:self,users/pptpAccount:self,users/intranetAccount:self, users/webdavAccount:self,users/nagiosAccount:self,users/sambaAccount:self,users/mailAccount:self,users/groupware, users/user:self,users/scalixAccount:self,users/gofaxAccount:self,users/phoneAccount:self,users/Groupware:self" class="MyAccount" />
<plugin acl="users/password:self" class="password"
postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/local/sbin/gosa-sync %dn"
/>
</pathMenu>
<!-- Tab definitions *******************************************************
Tab definitions define the sub plugins which get included for certain
tabbed dialogs. If you change something here, never (!) remove the
primary (the first) "tab" tag which is defined. Most tabbed dialogs
need a primary plugin.
"*tab" should be looked for by a defined plugin. This one will take
every "tab" defined "class" and will show it inside of a tabbed dialog
with the header defined in "name".
-->
<!-- ACL dialog -->
<acltab>
<tab class="acl" name="ACL" />
</acltab>
<aclroletab>
<tab class="aclrole" name="ACL Role" />
</aclroletab>
<!-- User dialog -->
<usertabs>
<tab class="user" name="Generic" />
<tab class="posixAccount" name="POSIX" />
<tab class="sambaAccount" name="Samba" />
<tab class="netatalk" name="Netatalk" />
<tab class="mailAccount" name="Mail" />
<!-- <tab class="Groupware" name="Groupware" />-->
<tab class="scalixAccount" name="Scalix" />
<tab class="environment" name="Desktop" />
<tab class="connectivity" name="Connectivity" />
<tab class="gofaxAccount" name="Fax" />
<tab class="phoneAccount" name="Phone" />
<tab class="nagiosAccount" name="Nagios" />
</usertabs>
<!-- User dialog -->
<MyAccountTabs>
<tab class="user" name="Generic" />
<tab class="posixAccount" name="POSIX"
postcreate="/usr/bin/sudo /usr/local/sbin/gosa-create %uid"
postremove="/usr/bin/sudo /usr/local/sbin/gosa-remove %uid %homeDirectory"
/>
<tab class="sambaAccount" name="Samba" />
<tab class="netatalk" name="Netatalk" />
<tab class="mailAccount" name="Mail" />
<!-- <tab class="Groupware" name="Groupware" />-->
<tab class="scalixAccount" name="Scalix" />
<tab class="environment" name="Desktop" />
<tab class="connectivity" name="Connectivity" />
<tab class="gofaxAccount" name="Fax" />
<tab class="phoneAccount" name="Phone" />
<tab class="nagiosAccount" name="Nagios" />
</MyAccountTabs>
<opsiLicenseTabs>
<tab class="licensePoolGeneric" name="Generic"/>
<tab class="licenseUsage" name="Usage"/>
</opsiLicenseTabs>
<!-- Group dialog -->
<grouptabs>
<tab class="group" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
<tab class="environment" name="Desktop" />
<tab class="appgroup" name="Startmenu" />
<tab class="mailgroup" name="Mail" />
<!-- <tab class="GroupwareSharedFolder" name="Groupware" />-->
</grouptabs>
<!-- Sudo dialog -->
<sudotabs>
<tab class="sudo" name="Generic" />
<tab class="sudoOption" name="Options" />
</sudotabs>
<!-- GOfax plugins -->
<faxblocktabs>
<tab class="blocklistGeneric" name="Generic" />
</faxblocktabs>
<!-- GOfon plugins -->
<conferencetabs>
<tab class="conference" name="Generic" />
</conferencetabs>
<macrotabs>
<tab class="macro" name="Generic" />
<tab class="macroParameter" name="Parameter" />
</macrotabs>
<phonetabs>
<tab class="phoneGeneric" name="Generic" />
</phonetabs>
<!-- GOto plugins -->
<appstabs>
<tab class="application" name="Generic" />
<tab class="applicationParameters" name="Parameter" />
</appstabs>
<mimetabs>
<tab class="mimetype" name="Generic" />
</mimetabs>
<devicetabs>
<tab class="deviceGeneric" name="Generic" />
</devicetabs>
<arpnewdevicetabs>
<tab class="ArpNewDevice" name="Generic" />
</arpnewdevicetabs>
<termtabs>
<tab class="termgeneric" name="Generic" />
<tab class="termstartup" name="Recipe" />
<tab class="termservice" name="Devices" />
<tab class="terminfo" name="Information" />
</termtabs>
<servtabs>
<tab class="servgeneric" name="Generic" />
<tab class="workstartup" name="Recipe" />
<tab class="ServerService" name="Services" />
<tab class="faiSummaryTab" name="Deployment summary" />
<tab class="gotoLogView" name="Installation logs" />
<tab class="terminfo" name="Information" />
</servtabs>
<worktabs>
<tab class="workgeneric" name="Generic" />
<tab class="workstartup" name="Recipe" />
<tab class="workservice" name="Devices" />
<tab class="printgeneric" name="Printer" />
<tab class="terminfo" name="Information" />
<tab class="faiSummaryTab" name="Deployment summary" />
<tab class="gotoLogView" name="Installation logs" />
</worktabs>
<printtabs>
<tab class="printgeneric" name="Generic" />
</printtabs>
<componenttabs>
<tab class="componentGeneric" name="Generic" />
</componenttabs>
<wintabs>
<tab class="wingeneric" name="Generic" />
</wintabs>
<serverservice>
<tab class="goMailServer" />
<tab class="servkolab" />
<tab class="goNtpServer" />
<tab class="servrepository" />
<tab class="goImapServer" />
<tab class="goKrbServer" />
<tab class="goFaxServer" />
<tab class="goFonServer" />
<tab class="goCupsServer" />
<tab class="goKioskService" />
<tab class="goTerminalServer" />
<tab class="goLdapServer" />
<tab class="goShareServer" />
<tab class="gospamserver" />
<tab class="govirusserver" />
<tab class="servdhcp" />
<tab class="servdns" />
<tab class="rSyslogServer" />
</serverservice>
<!-- Department plugin -->
<deptabs>
<tab class="department" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</deptabs>
<organization_tabs>
<tab class="organization" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</organization_tabs>
<locality_tabs>
<tab class="locality" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</locality_tabs>
<country_tabs>
<tab class="country" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</country_tabs>
<dcobject_tabs>
<tab class="dcObject" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</dcobject_tabs>
<domain_tabs>
<tab class="domain" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</domain_tabs>
<!-- Role tabs -->
<roletabs>
<tab class="roleGeneric" name="Generic"/>
<tab class="DynamicLdapGroup" name="Dynamic object" />
</roletabs>
<ogrouptabs>
<tab class="ogroup" name="Generic" />
<tab class="DynamicLdapGroup" name="Dynamic object" />
</ogrouptabs>
<!-- Connectivity plugins -->
<connectivity>
<tab class='kolabAccount' />
<tab class="proxyAccount" />
<tab class="pureftpdAccount" />
<tab class="webdavAccount" />
<tab class="phpgwAccount" />
<tab class="intranetAccount" />
<tab class="pptpAccount" />
<tab class="phpscheduleitAccount" />
<tab class="oxchangeAccount" />
<tab class="opengwAccount" />
</connectivity>
<ldiftab>
<tab class="ldifexport" name="Export" />
<tab class="xlsexport" name="Excel Export" />
</ldiftab>
<faipartitiontabs>
<tab class="faiPartitionTable" name="Partitions" />
</faipartitiontabs>
<faiscripttabs>
<tab class="faiScript" name="Scripts" />
</faiscripttabs>
<faihooktabs>
<tab class="faiHook" name="Hooks" />
</faihooktabs>
<faivariabletabs>
<tab class="faiVariable" name="Variables" />
</faivariabletabs>
<faitemplatetabs>
<tab class="faiTemplate" name="Templates" />
</faitemplatetabs>
<faiprofiletabs>
<tab class="faiProfile" name="Profiles" />
<tab class="faiSummaryTab" name="Summary" />
</faiprofiletabs>
<faipackagetabs>
<tab class="faiPackage" name="Packages" />
</faipackagetabs>
<opsitabs>
<tab class="opsiGeneric" name="Generic" />
<tab class="opsiSoftware" name="Hardware" />
<tab class="opsiHardware" name="Software" />
<tab class="licenseUsageByHost" name="License usage"/>
</opsitabs>
<opsiprodconfig>
<tab class="opsiProperties" name="Properties" />
<tab class="licenseByProduct" name="License usage"/>
</opsiprodconfig>
<!-- rSyslog plugin -->
<rsyslogtabs>
<tab class="rsyslog" name="System logs" />
</rsyslogtabs>
<!-- Main section **********************************************************
The main section defines global settings, which might be overridden by
each location definition inside.
For more information about the configuration parameters, take a look at
the gosa.conf(5) manual page.
-->
<!-- If you broke your setup using the propertyEditor, then set 'ignoreLdapProperties' to true. -->
<main default="default"
SASLRealm="INTERN"
passwordDefaultHash="sasl"
accountPrimaryAttribute="uid"
userRDN="ou=people"
groupRDN="ou=groups"
warnSSL="true"
forceSSL="false"
forceGlobals="true"
ignoreLdapProperties="false"
rfc2307bis="false"
useSaslForKerberos="false"
gidNumberBase="10000"
uidNumberBase="10000"
idGenerator="{%sn[1-6]}{%givenName[1-6]}"
>
<!-- Location definition -->
<location name="default"
ldapTLS="true"
config="ou=gosa,ou=configs,ou=systems,ou=gosa,dc=intern">
<referral URI="ldap://ldap:389/ou=gosa,dc=intern"
adminDn="cn=admin,ou=gosa,dc=intern"
adminPassword="@LDAP_ADMIN_PW@" />
</location>
</main>
</conf>
More information about the debian-lan-devel
mailing list