
Re: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software



If you want to take advantage of Kerberos V, you really should
use OpenLDAP 2.0.  OpenLDAP 2.0 supports SASL/GSSAPI.  Setup
of slapd requires only creation of a service key and making
that key available to slapd via a keytab.  Basic instructions
can be found in http://www.openldap.org/devel/admin (draft
of the 2.1 guide, the GSSAPI part should apply to 2.0 but the
authorization part doesn't).

OpenLDAP 1.2 has very little support for Kerberos V, namely
simple password verification.  This feature should be avoided.

OpenLDAP 1.2 also supports LDAP Kerberos bind, but this requires
Kerberos IV.  It is deprecated in favor of SASL/GSSAPI.  The
various krb attributes you might find in the schema are for
kbind and are not needed when using SASL/GSSAPI.

Kurt
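The two slapd setup steps Kurt describes for OpenLDAP 2.0 (create a service key, hand it to slapd via a keytab), as an added shell example for MIT Kerberos that is not from his message or from the OpenLDAP project. The hostname, realm, keytab path and slapd service account are assumptions; `check_keytab` refuses a keytab that anyone other than that account can read, since the keytab is the server's long-term secret.

```shell
#!/bin/sh
# Added example: provision the SASL/GSSAPI service key for slapd (MIT Kerberos).
# All four values below are assumptions; adjust them to your site.
LDAP_HOST="${LDAP_HOST:-ldap.example.com}"     # FQDN clients resolve the server to
REALM="${REALM:-EXAMPLE.COM}"
KEYTAB="${KEYTAB:-/etc/openldap/ldap.keytab}"
SLAPD_USER="${SLAPD_USER:-ldap}"               # account slapd runs as

# GSSAPI clients request a ticket for ldap/<fqdn>@REALM, so that is the
# principal the server must hold a key for.
service_principal() {
    printf 'ldap/%s@%s\n' "$1" "$2"
}

# Create the principal with a random key and export that key to the keytab
# (run on the KDC or wherever kadmin.local has access to the database).
provision_keytab() {
    princ=$(service_principal "$LDAP_HOST" "$REALM")
    kadmin.local -q "addprinc -randkey $princ"
    kadmin.local -q "ktadd -k $KEYTAB $princ"
    chown "$SLAPD_USER" "$KEYTAB"
    chmod 0600 "$KEYTAB"
}

# Returns 0 when the keytab exists, is owned by the given user and has no
# group/other permission bits; returns 1 (with a reason on stderr) otherwise.
check_keytab() {
    file="$1"; owner="$2"
    [ -f "$file" ] || { echo "missing keytab $file" >&2; return 1; }
    perms=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    fowner=$(stat -c '%U' "$file" 2>/dev/null || stat -f '%Su' "$file")
    case "$perms" in
        [0-7]00) ;;                          # group and other bits all clear
        *) echo "keytab $file is mode $perms, expected 600" >&2; return 1 ;;
    esac
    [ "$fowner" = "$owner" ] || { echo "keytab owned by $fowner, not $owner" >&2; return 1; }
    return 0
}

# slapd's Kerberos library locates the keytab through KRB5_KTNAME, so a
# typical start sequence is:
#   provision_keytab && check_keytab "$KEYTAB" "$SLAPD_USER" &&
#       KRB5_KTNAME="$KEYTAB" slapd ...
```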

At 03:35 PM 1/25/01 +0100, Turbo Fredriksson wrote:
>I've been having OpenLDAP/PAM authentication for about a year now,
>with very little trouble (every now and then the server dies, and
>replication isn't as automagic as I'd hoped for).
>
>I am now on the verge of the next big step, KERBEROS!
>
>I post this mail in the hopes that I will understand better what I'm
>about to do, and to see if I am mixing things up, or if I am way out
>on the left field... :)
>
>
>I am currently setting up Kerberos/PAM on my laptop/workstation/development
>platform and so far so good... I have great hopes that this will work
>just fine...
>
>
>What I would like, in the end, is to have all this
>(OpenLDAP/Kerberos/QmailLDAP etc) as one.  That is, not two passwords,
>but one...
>
>Kerberos between the OpenLDAP master/replicas, kerberos from the
>client machines (using pam_ldap) to the OpenLDAP database, and the
>possibility to have a 'single-sign-on' kind'a system (using Kerberos
>tickets).
>
>
>That is, _ALL_ communication to the OpenLDAP database should use
>Kerberos.  That includes QmailLDAP/Controls doing kerberos
>authentication/encrypted communication to the OpenLDAP server.
>
>Preferably the 'kerberosSecurityObject' objectclass (with the attribute
>'krbName') should somehow be used in all this too...
>
>
>* First question: IF I recompile OpenLDAP '--with-kerberos', how is the
>  kerberos authentication/encryption done? Is it up to the client software
>  to do the kerberos init?
>
>* Second question: How do I combine OpenLDAP with (MIT) Kerberos?
>
>* Third question: How do I make my client machines (from/via PAM I suppose)
>  use kerberos to the LDAP database?
>
>* Fourth question: Since I'm doing round-robin to the LDAP database
>  (currently only one master, and one replica but more replicas are planned),
>  would that somehow disturb the 'Kerberos ticketing stuff' (sorry for the
>  use of a bad word, but I'm just starting to learn about 'this Kerberos stuff'
>  :).
>
>
>Anything else that I might have overlooked, or should study closer? Is there
>some kind of (mini/micro) HOWTO/FAQ that I can take a look at to understand
>the issue(s) better?
>
>-- 
> Turbo     __ _     Debian GNU     Unix _IS_ user friendly - it's just 
> ^^^^^    / /(_)_ __  _   ___  __  selective about who its friends are 
>         / / | | '_ \| | | \ \/ /   Debian Certified Linux Developer  
>  _ /// / /__| | | | | |_| |>  <  Turbo Fredriksson   turbo@tripnet.se
>  \\\/  \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden