Re: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software
If you want to take advantage of Kerberos V, you really should
use OpenLDAP 2.0. OpenLDAP 2.0 supports SASL/GSSAPI. Setup
of slapd requires only creation of a service key and making
that key available to slapd via a keytab. Basic instructions
can be found in http://www.openldap.org/devel/admin (draft
of the 2.1 guide, the GSSAPI part should apply to 2.0 but the
authorization part doesn't).
OpenLDAP 1.2 has very little support for Kerberos V, namely
simple password verification. This feature should be avoided.
OpenLDAP 1.2 also supports LDAP Kerberos bind, but this requires
Kerberos IV. It is deprecated in favor of SASL/GSSAPI. The
various krb attributes you might find in the schema are for
kbind and are not needed when using SASL/GSSAPI.
Kurt
At 03:35 PM 1/25/01 +0100, Turbo Fredriksson wrote:
>I've been having OpenLDAP/PAM authentication for about a year now,
>with very little trouble (every now and then the server dies, and
>replication isn't so auto magic I'd hoped for).
>
>I am now on the verge of the next big step, KERBEROS!
>
>I post this mail in the hopes that I will understand better what I'm
>about to do, and to see if I am mixing things up, or if I am way out
>on the left field... :)
>
>
>I am currently setting up Kerberos/PAM on my laptop/workstation/development
>platform and so far so good... I have great hopes that this will work
>just fine...
>
>
>What I would like, in the end, is to have all this
>(OpenLDAP/Kerberos/QmailLDAP etc) as one. That is, not two passwords,
>but one...
>
>Kerberos between the OpenLDAP master/replicas, kerberos from the
>client machines (using pam_ldap) to the OpenLDAP database, and the
>possibility to have a 'single-sign-on' kind'a system (using Kerberos
>tickets).
>
>
>That is, _ALL_ communication to the OpenLDAP database should use
>Kerberos. That includes QmailLDAP/Controls doing kerberos
>authentication/encrypted communication to the OpenLDAP server.
>
>Preferably the 'kerberosSecurityObject' objectclass (with the attribute
>'krbName') should somehow be used in all this too...
>
>
>* First question: IF I recompile OpenLDAP '--with-kerberos', how is the
> kerberos authentication/encryption done? Is it up to the client software
> to do the kerberos init?
>
>* Second question: How do I combine OpenLDAP with (MIT) Kerberos?
>
>* Third question: How do I make my client machines (from/via PAM I suppose)
> to use kerberos to the LDAP database?
>
>* Fourth question: Since I'm doing round-robin to the LDAP database
> (currently only one master, and one replica but more replicas are planned),
> would that somehow disturb the 'Kerberos ticketing stuff' (sorry for the
> use of a bad word, but I'm just starting to learn about 'this Kerberos stuff'
> :).
>
>
>Anything else that I might have overlooked, or should study closer? Is there
>some kind of (mini/micro) HOWTO/FAQ that I can take a look at to understand
>the issue(s) better?
>
>--
> Turbo __ _ Debian GNU Unix _IS_ user friendly - it's just
> ^^^^^ / /(_)_ __ _ ___ __ selective about who its friends are
> / / | | '_ \| | | \ \/ / Debian Certified Linux Developer
> _ /// / /__| | | | | |_| |> < Turbo Fredriksson turbo@tripnet.se
> \\\/ \____/_|_| |_|\__,_/_/\_\ Stockholm/Sweden
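A check for the keytab step in Kurt's reply above (create a service key, make it available to slapd via a keytab), as an added example that is not part of this thread and not OpenLDAP or MIT Kerberos code: a small Python reader for the MIT/Heimdal 0x0502 keytab file format that lists the principals a keytab holds and confirms that the expected ldap/<host>@REALM service principal is present, with its kvno and enctype. It does offline what `klist -k` does on a real system, and also skips deleted (negative-size) slots and honours the optional 32-bit kvno field. The keytab bytes are constructed inline by the builder at the bottom; the realm EXAMPLE.COM, the hostnames, the kvnos, the enctype number and the key bytes are all made up for the example.

```python
import struct

KEYTAB_MAGIC = b"\x05\x02"     # keytab file format version 0x0502 (big-endian fields)
KRB5_NT_PRINCIPAL = 1          # name_type value stored with each entry


def _counted(data, off):
    """Read a counted_octet_string: uint16 length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    if off + n > len(data):
        raise ValueError("truncated keytab entry")
    return data[off:off + n], off + n


def parse_keytab(data):
    """Parse a 0x0502 keytab into a list of entry dicts.

    Entry layout: int32 size (negative = free slot to skip), uint16 num_components,
    counted realm, counted components[...], uint32 name_type, uint32 timestamp,
    uint8 vno8, uint16 enctype, uint16 keylen, key bytes, and an optional
    uint32 vno when 4 or more bytes remain in the entry.
    """
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a 0x0502 keytab (header %r)" % data[:2])
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # deleted entry: skip its padding
            off += -size
            continue
        end = off + size
        if end > len(data):
            raise ValueError("entry size runs past end of file")
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        vno = vno8
        if end - off >= 4:                 # 32-bit kvno, written by newer tools; non-zero wins
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                vno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "name_type": name_type, "timestamp": timestamp,
            "kvno": vno, "enctype": enctype, "key": key,
        })
    return entries


def check_service_principal(data, principal):
    """Return the highest-kvno entry for `principal`, or None if the keytab lacks it."""
    matches = [e for e in parse_keytab(data) if e["principal"] == principal]
    return max(matches, key=lambda e: e["kvno"]) if matches else None


def build_keytab(entries):
    """Write a 0x0502 keytab from (principal, kvno, enctype, key, timestamp) tuples.
    Used here only to construct the sample; on a real KDC kadmin's ktadd writes the file."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)    # full 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def free_slot(nbytes):
    """A deleted entry: negative size followed by nbytes of padding."""
    return struct.pack(">i", -nbytes) + b"\x00" * nbytes


# Constructed sample keytab: realm, hosts, kvnos, enctype 16 and key bytes are made up.
SAMPLE_KEYTAB = (
    KEYTAB_MAGIC
    + free_slot(12)
    + build_keytab([
        ("ldap/ldap.example.com@EXAMPLE.COM", 3, 16, bytes(range(24)), 980434500),
        ("host/ldap.example.com@EXAMPLE.COM", 1, 16, bytes(24), 980434500),
    ])[2:]
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print("kvno %d enctype %d %s" % (e["kvno"], e["enctype"], e["principal"]))
    hit = check_service_principal(SAMPLE_KEYTAB, "ldap/ldap.example.com@EXAMPLE.COM")
    print("slapd service key present:", hit is not None)
```

On a live server the same check is `klist -k /path/to/keytab`; the point of doing it before starting slapd is that a missing or stale ldap/<host> entry shows up as an opaque GSSAPI bind failure, not as a slapd configuration error. The MIT library looks for the keytab named in the KRB5_KTNAME environment variable, so that variable must be set in slapd's environment and the file must be readable by the uid slapd runs as.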