[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: Antwort: Simple binds authenticating against Kerberos [Virus checked]
>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
denis.havlik@t-mobile.at
>
>>But lets say the person just does a simple bind to LDAP. Is there a way to
tell
>>OpenLDAP to use than username and password against Kerberos to see
>>if it is valid? It seems the OpenLDAP manual parts that I've seen don't
seem to
>> address this (to my understanding).
>
>Documentation for this is indeed badly lacking, but I happen to have done it
recently,
>so let's document it here. :-)
It is not documented because this practice is discouraged.
>In fact there are (at least) two ways to do it. First is by declaring the
userPassword
>to be "{KERBEROS}<principal@REALM>". I have NOT tried this, but from what I
read in
>openLDAP lists, openLDAP developers dislike this method, nobody wants to
maintain it,
>and the corresponding code is therefore disabled by default, and may even be
phased out
>in the future.
Correct. The code for this has been migrated out of the core OpenLDAP
libraries and into the contrib section, where it will hopefully die an
ignominious death.
>Second possibility is to use SASL/GSSAPI. This means that you need to get
>LDAP+SASL/GSSAPI + Kerberos working first.
There is nothing to be gained from getting SASL/GSSAPI working when your goal
is to perform Simple Binds. The two code paths are completely different;
having one work gives you absolutely zero guarantee that the other will work.
Aside from that caveat, the following description appears accurate.
>Up to now, all these steps are (more-or-less) well documented, and I presume
you got the >system working so far. Now comes the funny, and not very well
documented part:
>
>1) saslauthd: This is a demon that takes username/password combination on
the one side, >checks them against (in our case) kerberos server, and gives
back a "OK/not OK" type of >response to program that requested the auth.
check in the first place.
>2) openLDAP is able to "forward" the authentication requests to saslauthd.
>
>Configuration looks like this:
>
>* In LDAP tree, you have to set "userPassword" entries to:
>
> {SASL}<principal>@<REALM>
>
>* saslauthd must be started with "kerberos5" as authentication mechanism. In
Mandrake
>Linux (and probably in RH too), this means defining the
>
> SASL_AUTHMECH="kerberos5" in /etc/sysconfig/saslauthd
>
>(Defining a SASLAUTHD_OPTS="-c" may help with the performance, but can be
done later)
>
>* Finally, you also need a /usr/lib/sasl2/slapd.conf file with
>
> pwcheck_method: saslauthd
>
>
>Disclaimer: I'm still experimenting with this, haven't fully documented the
procedure
>yet, and have major performance and reliability problems at this moment, but
to the best
>of my knowledge that's all you need to get simple bind against kerberos DB
once the
>SASL/GSSAPI binds work correctly.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support