This text reports what I've done to use Kerberos as password backend for my OpenLDAP installation. It was tried on a Debian Stretch 9.

Kerberos

Install

apt install krb5-kdc krb5-admin-server

apt will ask you the name of your default kerberos realm.

I've decided to use example.org (in lowercase), because, even if it's not the usual case as explained by apt, I know I'll forgot to use the uppercase notation. Furthermore, I have a specific domain which is only used by LDAP and Kerberos, so I think I'll have no confusion.

Configure Kerberos

I've just followed my Kerberos Installation resource (linked at the end of the article). So I notice here just what I've done, I can't fully explain every steps.

First, we need to configure the Kerberos server by modifying /etc/krb5.conf to add our realm:

        [libdefaults]
                default_realm = example.org
                ...
        [realms]
                example.org = {
                        kdc = kdc.example.org
                        admin_server = kdc.example.org
                        default_domain = example.org
                }
                ...
        [domain_realm]
                .example.com = example.org
                example.com = example.org
                ...

To define the kdc and admin_server, you can also simply use the localhost domain. If you do as me, you'll need to create DNS resources for kdc.example.org.

Then, you need to check the realm has been well installed in /etc/krb5conf/kdc.conf. For me, apt has put:

[kdcdefaults]
    kdc_ports = 750,88

[realms]
    example.org = {
        database_name = /var/lib/krb5kdc/principal
        admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
        acl_file = /etc/krb5kdc/kadm5.acl
        key_stash_file = /etc/krb5kdc/stash
        kdc_ports = 750,88
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des3-hmac-sha1
        #supported_enctypes = aes256-cts:normal aes128-cts:normal
        default_principal_flags = +preauth
    }

Now, the kerberos is well configured, we can create the realm:

kdb5_util create -s

Then, we use the kadmin.local shell to list principals and create first users:

kadmin.local:  listprincs
K/M@example.org
kadmin/admin@example.org
kadmin/changepw@example.org
kadmin/localhost@example.org
kiprop/localhost@example.org
krbtgt/example.org@example.org

kadmin.local:  ank adrien/admin@example.org
WARNING: no policy specified for adrien/admin@example.org; defaulting to no policy
Enter password for principal "adrien/admin@example.org": 
Re-enter password for principal "adrien/admin@example.org": 
Principal "adrien/admin@example.org" created.

kadmin.local:  ank adrien@example.org
WARNING: no policy specified for adrien@example.org; defaulting to no policy
Enter password for principal "adrien@example.org": 
Re-enter password for principal "adrien@example.org": 
Principal "adrien@example.org" created.

Create the kadmin keytab as explained in the MIT documentation:

kadmin.local:  ktadd -k /etc/krb5kdc/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/admin with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/krb5kdc/kadm5.keytab.

Finally, edit the file /etc/krb5kdc/kadm5.acl to set up users with admin rights:

*/admin@example.org *

Restart kerberos services:

systemctl restart krb5-kdc krb5-admin-server

Check with a client

On another computer, try to get a kerberos ticket with the client.

First, install the client: apt install krb5-user

Then, try to authenticate: kinit adrien@example.org

On success, you can list current tickets with klist:

# klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: adrien@example.org

Valid starting       Expires              Service principal
01. 02. 19 11:30:25  01. 02. 19 21:30:25  krbtgt/example.org@example.org
    renew until 02. 02. 19 11:30:03

To clean the ticket from the client, use: kdestroy.

Cyrus SASL

Install

apt install sasl2-bin libsasl2-modules-gssapi-mit

Configure Cryus SASL

Edit the service environment variables in /etc/default/saslauthd with:

START=yes

MECHANISMS="kerberos5"

KRB5_KTNAME="/etc/localhost.keytab"
export KRB5_KTNAME

According to the value of KRB5_KTNAME above, we'll create a new user and its keytab file with kadmin.local:

kadmin.local:  addprinc -randkey host/localhost
WARNING: no policy specified for host/localhost@example.org; defaulting to no policy
Principal "host/localhost@example.org" created.
kadmin.local:  ktadd -k /etc/localhost.keytab host/localhost
Entry for principal host/localhost with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/localhost.keytab.
Entry for principal host/localhost with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/localhost.keytab.

Finally, restart the saslauthd service: systemctl restart saslauthd

Check saslauthd configuration

There's a little command to check if you can connect with your user through Cyrus SASL:

# testsaslauthd -u adrien@example.org -p 'your password in clear text'
0: OK "Success."

On authentication error, the output will be 0: NO "authentication failed".

If you see other errors, like one with connect() fail, check the daemon saslauthd use the right keytab file and it has access to it.

OpenLDAP

Endly, we are in the final part of the documentation. We just need now to say to OpenLDAP that it can use saslauthd as external authentication mechanism and configure our first user to use it.

Enable Cyrus SASL backend

We need to create a /etc/ldap/sasl2/slapd.conf with these values:

# PLAIN is used by saslauthd
# EXTERNAL is required for local root auth
mech_list: PLAIN EXTERNAL
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Note that OpenLDAP will need access to /var/run/saslauthd/mux. On my installation, the access to the content of /var/run/saslauthd/ is allowed only to users inside the sasl group, so we add openldap to this group:

adduser openldap sasl

Finally, restart the slapd service: systemctl restart slapd

Modify user to use the SASL backend

Now, we need to modify the adrien@example.org user to authenticate through SASL. That's simply done by setting the prefix {SASL} followed by the kerberos user name (with realm) inside the userPassword attribute.

For example, I've made this ldif file:

# adrien, people, example.org
dn: uid=adrien,ou=people,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: {SASL}adrien@example.org

Note that to apply this ldif you need to use a user with modification rights on userPassword attribute (the user itself or an administrator).

ldapmodify -f 01_adrien_password.ldif -D "uid=adrien,ou=people,dc=example,dc=org" -w 'your old LDAP password in clear text'

Finally, to check the new password is well set, you can simply try to do a search inside your LDAP directory:

 # ldapsearch -D "uid=adrien,ou=people,dc=example,dc=org" -w 'your new password in clear text' -b '' -s base
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#

#
dn:
objectClass: top
objectClass: OpenLDAProotDSE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Well done, that was a big job to retrieve every steps to do, thanks a lot of people who documented their steps ! I hope this document will help someone in the future :)

Sources

1. Kerberos installation
2. OpenLDAP with external password backend through sasl2authd
3. OpenLDAP documentation for Pass-Through authentication
4. OpenLDAP Authentication With Kerberos Backend Using SASL