Testing LDAP With Kerberos
SSSD’s LDAP provider can be configured to use Kerberos as the authentication
provider. The framework provides tools to automatically configure the LDAP
domain with auth_provider = krb5, using the Kerberos configuration from the
given KDC role object. It also provides means to run Kerberos tools such as
kinit, klist and kdestroy.
LDAP_KRB5 topology
LDAP_KRB5 is the mark for client + LDAP + KDC with no NFS host. Think of it as
BareLDAP plus a KDC fixture.

Setup is handled by LDAPKRB5TopologyController:

- ensure host/<client fqdn> exists in the KDC (create if missing);
- place keys in /etc/krb5.keytab on the client;
- set ldap_krb5_keytab on the LDAP provider defaults when not already set in
  the multihost config.

That is enough for LDAP GSSAPI (ldap_sasl_mech = gssapi) without each test
running ktadd/upload itself. Tests still call
client.sssd.common.krb5_auth(kdc) and configure the SSSD domain as usual.
Note
To access the KDC role, you need to add an additional host to the
mhc.yaml multihost configuration. For example:
- hostname: kdc.test
  role: kdc
  config:
    realm: TEST
    domain: test
    client:
      krb5_server: kdc.test
      krb5_kpasswd: kdc.test
      krb5_realm: TEST
import pytest
from sssd_test_framework.roles.client import Client
from sssd_test_framework.roles.kdc import KDC
from sssd_test_framework.roles.ldap import LDAP
from sssd_test_framework.topology import KnownTopology

@pytest.mark.topology(KnownTopology.LDAP)
def test_kdc(client: Client, ldap: LDAP, kdc: KDC):
    # The user must exist in LDAP (identity) and in the KDC (authentication).
    ldap.user('tuser').add()
    kdc.principal('tuser').add()
    # Configure the domain with auth_provider = krb5 from the KDC role's settings.
    client.sssd.common.krb5_auth(kdc)
    client.sssd.start()
    # Logging in over SSH obtains a TGT; klist must show krbtgt for the KDC realm.
    with client.ssh('tuser', 'Secret123') as ssh:
        with client.auth.kerberos(ssh) as krb:
            result = krb.klist()
            assert f'krbtgt/{kdc.realm}@{kdc.realm}' in result.stdout
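The assertion in test_kdc above is a substring match on klist output, which also passes for an expired TGT or for a longer principal such as krbtgt/TEST@TESTING. As an added example (not part of the framework or of the page's test), the helper below parses MIT klist output and accepts only an unexpired krbtgt/REALM@REALM row; a test would call has_valid_tgt(krb.klist().stdout, kdc.realm). The klist text is constructed, and the two-digit-year timestamp format is an assumption about the default klist locale.

```python
import re
from datetime import datetime
from typing import NamedTuple

# One ticket row of MIT `klist` output: "valid-from  expires  service principal".
_ROW = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)"
)
KLIST_TIME = "%m/%d/%y %H:%M:%S"  # assumed MIT default; adjust if klist prints 4-digit years

class Ticket(NamedTuple):
    valid_from: datetime
    expires: datetime
    service: str

def parse_klist(stdout):
    """Return (default principal, list of Ticket) parsed from `klist` stdout."""
    principal, tickets = None, []
    for line in stdout.splitlines():
        if line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        elif m := _ROW.match(line):  # header, blank and 'renew until' lines are skipped
            tickets.append(Ticket(datetime.strptime(m[1], KLIST_TIME),
                                  datetime.strptime(m[2], KLIST_TIME), m[3]))
    return principal, tickets

def has_valid_tgt(stdout, realm, now=None):
    """True only if an unexpired krbtgt/REALM@REALM row is present.
    Unlike `'krbtgt/TEST@TEST' in stdout`, an expired TGT or a longer principal
    such as krbtgt/TEST@TESTING does not pass. `now` may be an ISO-8601 string."""
    if now is None:
        now = datetime.now()
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    want = f"krbtgt/{realm}@{realm}"
    return any(t.service == want and t.valid_from <= now < t.expires
               for t in parse_klist(stdout)[1])

# Constructed sample of `krb.klist().stdout` after logging in as tuser@TEST.
SAMPLE_KLIST = """\
Ticket cache: KCM:1000
Default principal: tuser@TEST

Valid starting       Expires              Service principal
01/15/24 08:00:00  01/15/24 18:00:00  krbtgt/TEST@TEST
\trenew until 01/22/24 08:00:00
"""
```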