[Pdns-users] RV: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

Dario García Díaz-Miguel dgdiaz at gmv.com
Fri Feb 19 09:31:21 UTC 2021


Hi again,
It seems that the ldap-bindmethod is now being correctly retrieved by the pdns service. I had to add the following parameter to /etc/openldap/ldap.conf:

SASL_MECH GSSAPI

Once added, the service, although it still does not start, logs the following:

Creating backend connection for TCP
[LdapBackend] LDAP Servers = ldaps://server.example.com
Conn=1543 fd=38 ACCEPT from IP=10.1.1.15:33668 (IP=10.1.1.15:636)
Conn=1543 fd=38 TLS established tls_ssf=256 ssf=256
GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krb5cc_0) )
[LDAP GSSAPI] ldap_sasl_interactive_bind_s returned -2
[LDAP GSSAPI] No TGT found, trying to acquire a new one
[LDAP GSSAPI] krb5 error when getting the TGT: Address family not supported by protocol

If you have any ideas about this issue, a little bit of light would be really appreciated. I've checked everything and none of the addresses or hostnames points to an IPv6 address.

Thank you so much for all the help provided
Regards.


-----Original Message-----
From: Dario García Díaz-Miguel
Sent: Friday, 19 February 2021 8:10
To: pdns-users at mailman.powerdns.com
CC: skmf_support <skmf_support at gmv.com>
Subject: RE: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

Hi Mark,

Thank you so much for your reply, really, really appreciated.
I changed the property to ldap-bindmethod. Now there's no fatal error anymore and the service starts correctly, but it seems that it is not being used correctly.

ldap-bindmethod=gssapi
ldap-krb5-keytab=/etc/pdns.keytab

[...]
TLS established tls_ssf=256 ssf=256
[...]
[LdapBackend] Ldap connection to server failed: Failed to bind to LDAP server: Unknown Authentication method.
Caught an exception instantiating a backend: Unable to connect to ldap server.
TCP Server is unable to launch backends - will try again when questions come in: Unable to connect to ldap server
[...]


GSSAPI is working correctly on my server:

# kinit -k -t /etc/pdns.keytab pdns/server.example.com

# ldapwhoami -Y GSSAPI -H ldaps://server.example.com

SASL/GSSAPI authentication started
SASL username:pdns/server.example.com
SASL SSF:56
SASL data security layer installed.
dn: uid=pdns/server.example.com,dc=example,dc=com



I've tried to read the code to find out whether gssapi is not the correct value to use, but I could not find the source file with this excerpt. If you prefer, you can tell me where you found it and I will look for it myself.

Any help with this would be much appreciated, since GSSAPI is required for us.
Thank you so much.
Kind Regards.

Dario García Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com

> -----Original Message-----
> From: Pdns-users <pdns-users-bounces at mailman.powerdns.com> On Behalf Of
> Mark Nejedlo via Pdns-users
> Sent: Thursday, February 19, 2021 01:02 AM
> To: pdns-users at mailman.powerdns.com
> Subject: [Pdns-users] Fatal Error: Trying to set unknown parameter
> 'ldap-authmethod'
>
> If I'm reading the source correctly (questionable), it looks like it should be "ldap-bindmethod".

> Mark


-----Original Message-----
From: Dario García Díaz-Miguel
Sent: Thursday, 18 February 2021 15:18
To: pdns-users at mailman.powerdns.com
CC: skmf_support <skmf_support at gmv.com>
Subject: Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

Hi,

I deployed pdns today for the first time and found an issue I don't know how to solve, so I'm writing here to ask for some help.
When I configure the ldap backend as shown below:

launch=ldap
ldap-host=ldaps://example.example.com
ldap-binddn=cn=Administrator,dc=gcc1,dc=kmf,dc=com
ldap-secret=secret
ldap-basedn=ou=Hosts,dc=example,dc=com
ldap-method=strict

It works flawlessly.

But if I try to use gssapi according to the pdns documentation...

launch=ldap
ldap-host=ldaps://example.example.com
ldap-authmethod=gssapi
ldap-krb5-keytab=/etc/pdns.keytab
ldap-basedn=ou=Hosts,dc=example,dc=com
ldap-method=strict

I get the following error trying to start the service:

      Fatal Error: Trying to set unknown parameter 'ldap-authmethod'

According to the official Documentation:
"""ldap-authmethod
(default: "simple") : How to authenticate to the LDAP server. Actually only two methods are supported: "simple", which uses the classical DN / password, or "gssapi", which requires a Kerberos keytab. """

The keytab exists and has its permissions set for the pdns user.
The principal exists and is the only key stored on that keytab.



I've deployed the latest version from the official SUSE 15 repository:

- pdns-4.3.1-bp152.2.5.1.x86_64.rpm
- pdns-backend-ldap-4.3.1-bp152.2.5.1.x86_64.rpm
- pdns-common-4.0-bp152.3.16.noarch.rpm


It seems that this property does not exist in this pdns version, but I think that gssapi support was added in version 4.1, which is earlier than this one.
Some help would be really appreciated.

Thank you so much.
Kind Regards.



Please consider the environment before printing this e-mail.
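As an added example (not code from this thread or from the PowerDNS project), the two checks a practitioner would run to separate a configuration problem from a Kerberos problem: a lint of pdns.conf for the parameter name that 4.3.1 rejects and for gssapi configured without a keytab, and a preflight that obtains a TGT from the keytab and performs the SASL/GSSAPI bind with KRB5_TRACE enabled, so every KDC address the library tries is printed. The preflight must be run as the Unix user the backend runs as: the default credential cache named in the log (/tmp/krb5cc_<uid>) is per-uid, so a ticket obtained by root does not help a daemon running as pdns. The config file path, the sample config text and the preflight arguments are assumptions; klist, kinit and kdestroy (MIT Kerberos) and ldapwhoami (OpenLDAP) are the same tools already used in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the PowerDNS project.
# Assumed: pdns.conf is plain key=value lines; MIT Kerberos and OpenLDAP
# client tools are installed. The sample config below is constructed.

# Lint a pdns.conf for the LDAP backend. Returns 1 on a hard error.
check_pdns_ldap_conf() {
    conf="$1"
    rc=0
    # The 4.3.1 documentation names the parameter ldap-authmethod, but the
    # binary only accepts ldap-bindmethod (the fatal error in the thread).
    if grep -q '^[[:space:]]*ldap-authmethod[[:space:]]*=' "$conf"; then
        echo "ERROR: 'ldap-authmethod' is rejected by pdns 4.3.1; use 'ldap-bindmethod'"
        rc=1
    fi
    if grep -q '^[[:space:]]*ldap-bindmethod[[:space:]]*=[[:space:]]*gssapi' "$conf"; then
        if ! grep -q '^[[:space:]]*ldap-krb5-keytab[[:space:]]*=' "$conf"; then
            echo "ERROR: ldap-bindmethod=gssapi requires ldap-krb5-keytab"
            rc=1
        fi
        # A leftover simple-bind password next to a gssapi bind is a secret
        # on disk that the bind no longer needs.
        if grep -q '^[[:space:]]*ldap-secret[[:space:]]*=' "$conf"; then
            echo "WARN: ldap-secret present alongside ldap-bindmethod=gssapi; remove it"
        fi
    fi
    return $rc
}

# Lint config text passed as a string (handy for tests and one-liners).
lint_text() {
    tmp=$(mktemp)
    printf '%s\n' "$1" >"$tmp"
    rc=0
    check_pdns_ldap_conf "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}

# Reproduce what the backend does, outside pdns: read the keytab, get a
# TGT into a private cache, bind with SASL/GSSAPI. Run it as the same Unix
# user the backend runs as; the cache in the log (/tmp/krb5cc_<uid>) is
# per-uid, so a TGT obtained by root does not help a daemon running as pdns.
gssapi_preflight() {
    keytab="$1"; principal="$2"; uri="$3"
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_preflight.XXXXXX)"
    export KRB5CCNAME
    [ -r "$keytab" ] || { echo "keytab $keytab not readable as $(id -un)"; return 1; }
    klist -k -t "$keytab" || return 1
    # KRB5_TRACE prints every KDC address the library tries, which is the
    # detail behind an "Address family not supported by protocol" failure.
    KRB5_TRACE=/dev/stderr kinit -k -t "$keytab" "$principal" || return 1
    ldapwhoami -Y GSSAPI -H "$uri" || return 1
    kdestroy
}

# Constructed sample: the thread's gssapi attempt with the parameter renamed.
SAMPLE_CONF='launch=ldap
ldap-host=ldaps://example.example.com
ldap-bindmethod=gssapi
ldap-krb5-keytab=/etc/pdns.keytab
ldap-basedn=ou=Hosts,dc=example,dc=com
ldap-method=strict'

case "${1:-}" in
    preflight) gssapi_preflight "$2" "$3" "$4" ;;
    *)         lint_text "$SAMPLE_CONF" >/dev/null && echo "sample config: OK" ;;
esac
```

Run it with no arguments to lint the constructed sample, or as `sh preflight.sh preflight /etc/pdns.keytab pdns/server.example.com ldaps://server.example.com` under `su -s /bin/sh pdns` to exercise the keytab and the bind as the service user. The lint catches the two errors visible in the thread before the daemon is even started; the preflight isolates the TGT step from the bind step, which the daemon's log collapses into one line.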