Trying to get OS authentication setup with kerberos on new version 11 appliances.
I've created a bind account and keytab as indicated, but I get the errors below.
I obtained a packet trace, and I don't see a bind attempt.
Is there some way to figure out exactly why authentication is failing? The packet trace shows a single query and response, followed by an unbind. I'll attach the packet trace in case that's useful.
(2023-07-20 16:38:06): [be[ldap]] [sasl_bind_send] (0x0020): ldap_sasl_interactive_bind_s failed (-2)[Local error]
(2023-07-20 16:38:06): [be[ldap]] [sdap_cli_connect_recv] (0x0040): Unable to establish connection [1432158227]: Authentication Failed
Release: 11.0
Kerberos needs to do a forward and reverse lookup of hostname to IP / IP to hostname.
Using the AD load balancer name in sssd.conf results in the lookup failing:
ad_server = <AD_Load_Balancer>
(2023-08-10 10:54:52): [be[ldap]] [be_resolve_server_process] (0x0200): Found address for server <HostName>: [<IP_Address1>] TTL 900
The reverse lookup for <IP_Address1> is not <AD_Load_Balancer>, but an actual AD server (KDC).
For Kerberos, forward/reverse lookup is required.
Step 1: query DNS/KDC to get a list of servers.
NSLOOKUP on the Kerberos service provides all the IP and hostname
# nslookup -type=srv _kerberos._tcp.<DOMAIN_NAME>
Server: <IP_ADDRESS>
Address: <IP_ADDRESS>
_kerberos._tcp.<DOMAIN_NAME> service = 0 100 88 server1.<Domain_Name>.
_kerberos._tcp.<DOMAIN_NAME> service = 0 100 88 server2.<Domain_Name>.
_kerberos._tcp.<DOMAIN_NAME> service = 0 100 88 server3.<Domain_Name>.
_kerberos._tcp.<DOMAIN_NAME> service = 0 100 88 server4.<Domain_Name>.
_kerberos._tcp.<DOMAIN_NAME> service = 0 100 88 server5.<Domain_Name>.
_kerberos._tcp.<DOMAIN_NAME> service = 0 100 88 server6.<Domain_Name>.
Changed the sssd.conf:
ad_server = server1.<Domain_Name>
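The check described in the answer above (list the KDCs from the _kerberos._tcp SRV record, then confirm each name resolves forward to an address that reverses back to the same name, which a load-balancer name cannot do) is spelled out in the following script. This is an added example, not code from the thread or from the appliance vendor; the domain example.test, the hostnames, the addresses and the nslookup transcript are all constructed, and the resolver functions are injected so the logic can be run offline against that constructed data. For a live check, pass live_forward and live_reverse (standard-library DNS calls) instead of the map resolvers.

```python
"""Forward/reverse consistency check for Kerberos KDC targets.

Added example, not part of the original post. It parses the output of
`nslookup -type=srv _kerberos._tcp.<domain>` (constructed sample below,
in the same layout as the answer) and then checks, for each KDC and for
the load-balancer name, that hostname -> IP -> hostname round-trips. That
round-trip is the property the answer says Kerberos needs; a load
balancer name fails it because its address reverses to a real DC name.
"""
import re
import socket
from typing import Callable, Dict, List, Optional

# Matches the "service = prio weight port target" lines printed by nslookup.
SRV_LINE = re.compile(r"service\s*=\s*\d+\s+\d+\s+\d+\s+(\S+)")

# Constructed sample in the layout shown in the answer; domain and IPs are made up.
SAMPLE_NSLOOKUP = """\
Server:   10.0.0.53
Address:  10.0.0.53#53

_kerberos._tcp.example.test service = 0 100 88 server1.example.test.
_kerberos._tcp.example.test service = 0 100 88 server2.example.test.
"""

# Constructed DNS data: the load balancer name shares server1's address,
# so its reverse lookup comes back as server1 (the mismatch from the thread).
SAMPLE_FORWARD: Dict[str, str] = {
    "server1.example.test": "10.0.0.11",
    "server2.example.test": "10.0.0.12",
    "adlb.example.test": "10.0.0.11",
}
SAMPLE_REVERSE: Dict[str, str] = {
    "10.0.0.11": "server1.example.test",
    "10.0.0.12": "server2.example.test",
}


def parse_srv_targets(nslookup_output: str) -> List[str]:
    """Return SRV target hostnames (trailing dot stripped, lower-cased)."""
    targets = []
    for line in nslookup_output.splitlines():
        m = SRV_LINE.search(line)
        if m:
            targets.append(m.group(1).rstrip(".").lower())
    return targets


def map_resolver(mapping: Dict[str, str]) -> Callable[[str], str]:
    """Build a resolver over a constructed map; misses raise OSError like socket does."""
    def resolve(key: str) -> str:
        try:
            return mapping[key.lower()]
        except KeyError:
            raise OSError(f"no record for {key}") from None
    return resolve


def live_forward(host: str) -> str:
    """Real forward lookup (hostname -> IPv4) via the system resolver."""
    return socket.gethostbyname(host)


def live_reverse(ip: str) -> str:
    """Real reverse lookup (IP -> PTR name) via the system resolver."""
    return socket.gethostbyaddr(ip)[0]


def check_round_trip(host: str, forward: Callable[[str], str],
                     reverse: Callable[[str], str]) -> Dict[str, object]:
    """Forward-resolve host, reverse-resolve the IP, and compare the names."""
    result: Dict[str, object] = {"host": host, "ip": None, "reverse": None,
                                 "ok": False, "reason": ""}
    try:
        ip = forward(host)
    except OSError as exc:
        result["reason"] = f"forward lookup failed: {exc}"
        return result
    result["ip"] = ip
    try:
        rname = reverse(ip)
    except OSError as exc:
        result["reason"] = f"reverse lookup failed: {exc}"
        return result
    result["reverse"] = rname
    result["ok"] = rname.rstrip(".").lower() == host.rstrip(".").lower()
    if not result["ok"]:
        result["reason"] = f"{ip} reverses to {rname}, not {host}"
    return result


def audit(hosts: List[str], forward, reverse) -> List[Dict[str, object]]:
    """Run the round-trip check over every candidate host."""
    return [check_round_trip(h, forward, reverse) for h in hosts]


def recommend_ad_server(results: List[Dict[str, object]]) -> Optional[str]:
    """First host whose round-trip is consistent, i.e. a usable ad_server value."""
    for r in results:
        if r["ok"]:
            return str(r["host"])
    return None


if __name__ == "__main__":
    fwd, rev = map_resolver(SAMPLE_FORWARD), map_resolver(SAMPLE_REVERSE)
    hosts = ["adlb.example.test"] + parse_srv_targets(SAMPLE_NSLOOKUP)
    results = audit(hosts, fwd, rev)
    for r in results:
        print(f"{'OK  ' if r['ok'] else 'FAIL'} {r['host']:<24} {r['reason']}")
    choice = recommend_ad_server(results)
    print(f"ad_server = {choice}" if choice else "no KDC passed the round-trip check")
```

Run against the constructed data it reports the load-balancer name as FAIL (its address reverses to server1) and both SRV targets as OK, then prints the first passing host in the form the sssd.conf line takes. The same audit over live DNS (paste your real nslookup output into parse_srv_targets and pass live_forward/live_reverse) tells you before touching sssd.conf which names sssd can actually use for Kerberos.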