
RE: Kerberos+LDAP - identity management problems

--On Tuesday, December 02, 2003 6:29 PM +0100 Marius Olsthoorn <marius@kern.nl> wrote:


> --On Friday, November 28, 2003 4:25 PM +0100 Marius Olsthoorn
> <marius@kern.nl> wrote:

>> Most importantly, applications cannot use the same
>> identity name for both authentication and querying
>> LDAP, since using LDAP for authentication is against
>> the spirit of Kerberos.

You need to read up on SASL support in OpenLDAP 2.1. You can use Kerberos for authentication to LDAP through SASL, so your single Kerberos identity can be used everywhere.


> As far as I know LDAP only maps DNs to principals. If I bind to LDAP it uses my binddn to come up with a Kerberos identity, which is then used for authentication. So, AFAIK, it's not possible to use a Kerberos identity to bind with LDAP.

You don't understand SASL/GSSAPI then. :)

For us, it maps our principal to a DN. I bind as "quanah@stanford.edu" via GSSAPI, and that gets mapped to "uid=quanah,cn=accounts,dc=stanford,dc=edu" via our sasl-regexp statement in slapd.conf.


> Sorry if I wasn't clear on this. I was aiming at applications which have to authenticate users and use user data. They have to use one identity in two 'namespaces'. The first being Kerberos, the second being LDAP. Since there is no explicit mapping between the two you might run into problems. However, I guess you could use an implicit mapping (a convention). But then you have to hardcode the convention in your applications, which is usually a bad idea.

No. The slapd administrator needs to explicitly define a mapping in slapd.conf; no one else needs to worry about the mapping.

> True, but when an application (not LDAP) wants to authenticate a user, it uses Kerberos for this purpose. If it then wants to use LDAP, it then binds to LDAP as the user's DN! In this setting there are two identities: the Kerberos principal and the user's binddn.

No, there really isn't. There is only one.


> Another setting would be to use a special DN the application can use. However, this way it is not possible to use LDAP's ACL mechanism.

Yes it is, it is extremely trivial, we do that with many of our applications.


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
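To make the mapping Quanah describes concrete, here is an added example (not from this thread and not OpenLDAP's code): a small Python simulation of slapd's sasl-regexp step. The slapd.conf fragment inside it is constructed for illustration and is not Stanford's configuration. The form of the identity string slapd presents to the regexps (uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth), case-insensitive matching and the $n back-references follow the 2.1 documentation and are assumptions about slapd's behaviour, not its source. What it demonstrates is the point at issue above: the client authenticates with its Kerberos principal over GSSAPI and never supplies a DN, the server derives the DN from the principal, and a principal that matches no rule keeps the cn=auth form instead of landing somewhere in the accounts tree.

```python
"""Simulation of slapd's sasl-regexp identity mapping (OpenLDAP 2.1 style).

Added example, not slapd's code.  The slapd.conf fragment is constructed
for illustration; the identity-string form, case-insensitive matching and
"$n" back-references are assumptions taken from the 2.1 documentation.
"""
import re

# Constructed slapd.conf fragment (assumption: 2.1 directive syntax).  Rules
# are tried in order, so the more specific "/admin" rule is listed first;
# the patterns are anchored so a longer identity cannot match by substring.
SLAPD_CONF = r"""
# admin instances get a separate DN
sasl-regexp
    ^uid=([^,/]+)/admin,cn=stanford\.edu,cn=gssapi,cn=auth$
    cn=$1,ou=admins,dc=stanford,dc=edu

# ordinary principals map to their account entry
sasl-regexp
    ^uid=([^,/]+),cn=stanford\.edu,cn=gssapi,cn=auth$
    uid=$1,cn=accounts,dc=stanford,dc=edu
"""


def parse_sasl_regexp(conf):
    """Return [(compiled_pattern, replacement)] for each sasl-regexp line.

    slapd.conf continues a directive on lines that start with whitespace,
    so those are joined onto the directive line before tokenising.
    """
    joined = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and joined:
            joined[-1] += " " + line.strip()
        else:
            joined.append(line.strip())
    rules = []
    for line in joined:
        parts = line.split()
        if parts[0] == "sasl-regexp" and len(parts) == 3:
            # Assumption: slapd compiles the pattern with REG_ICASE.  The
            # "$n" back-references become Python's "\n" group references.
            rules.append((re.compile(parts[1], re.IGNORECASE),
                          re.sub(r"\$(\d)", r"\\\1", parts[2])))
    return rules


def sasl_authz_id(authcid, mechanism, realm=None):
    """Build the pseudo-DN slapd presents to the regexps.

    Assumed form (2.1 slapd.conf(5)):
        uid=<authcid>[,cn=<realm>],cn=<mechanism>,cn=auth
    """
    parts = ["uid=" + authcid]
    if realm:
        parts.append("cn=" + realm)
    parts += ["cn=" + mechanism, "cn=auth"]
    return ",".join(parts)


def principal_to_authz_id(principal):
    """Split user[/instance]@REALM into the GSSAPI SASL identity string."""
    name, _, realm = principal.partition("@")
    return sasl_authz_id(name, "gssapi", realm or None)


def map_to_dn(rules, authz_id):
    """Apply the first matching sasl-regexp.  An identity that matches no
    rule keeps its cn=auth form, which slapd still treats as a DN that can
    be named in ACLs but which lies outside the directory tree."""
    for pattern, repl in rules:
        m = pattern.search(authz_id)
        if m:
            return m.expand(repl)
    return authz_id


if __name__ == "__main__":
    rules = parse_sasl_regexp(SLAPD_CONF)
    # Constructed principals: a user, an admin instance, a service principal
    # (matches neither rule) and a user from a foreign realm (no match).
    for p in ("quanah@stanford.edu", "quanah/admin@stanford.edu",
              "host/ldap1.stanford.edu@stanford.edu", "mallory@EXAMPLE.COM"):
        print(f"{p:40} -> {map_to_dn(rules, principal_to_authz_id(p))}")
```

The application never sees or chooses the DN: it binds with GSSAPI and whatever DN the regexps yield is what the ACLs are evaluated against. In a real 2.1 slapd.conf the replacement may also be an LDAP URL, in which case the server searches for the entry instead of rewriting the string; the simulation covers only the string-rewrite form.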