
RE: Kerberos + LDAP + Cyrus-SASL woes



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Adam Tauno Williams

> > What we have so far:
> > 	A working LDAP server that we can bind to and query.
> > 	A working Kerberos KDC that is issuing tickets.
> > 	A PAM setup that has moved the UNIX authentication (/etc/passwd) into LDAP.
> >
> > The final product would provide central user authentication (the
> > Kerberos KDC) and user account management (LDAP), thus providing many of
> > the services of a Windows Active Directory server.

There is far more required than this if you actually want to replace AD.

> > What we are stuck on is not so much a configuration or software issue as
> > it is a conceptual snag.  Where should Kerberos tickets (and possibly
> > keytabs) be stored to interoperate with LDAP?  How is LDAP supposed to
> > contact the KDC and receive a ticket?

An LDAP server never needs to request a ticket. Only clients need tickets. An
LDAP client would use SASL/GSSAPI in this case, which obtains a service
ticket automatically.

> The LDAP server must have a service ticket in its keytab.
> That keytab can be wherever you want; it is specified in slapd.conf.

A keytab stores keys, not tickets. The difference is quite significant; a
ticket is a short-lived piece of authentication data, a key is long-lived and
is the equivalent of a plaintext password (and must be protected as well as a
password).

> Perhaps you should look at Heimdal, where you can store the principal
> database in the DSA itself.

Agreed. Symas can provide you with a Heimdal build fully integrated with our
OpenLDAP build.

> > Is the user supposed to run kinit -f upon login?

> Eh?  PAM can acquire the tickets on behalf of the user, when they enter
> via login, xdm, gdm, etc...  The pam_krb5 module does this by default.

Yes.

> You should ask questions about various services on lists specific to
> those services (admittedly the delineation of the various
> components can be a bit tough to grasp at first).
>
> > Our company, the OIC Group, is looking for someone who really knows
> > Kerberos and LDAP inside and out, and is willing to lend a hand, either
> > as a consultant, or a contract system administrator.  OIC is willing to
> > pay for services rendered.  Our only requirement is that the working
> > implementation / configuration be well-documented for future reference.
> > Any help / direction / guidance is greatly appreciated.

Symas Corp. offers consulting/support in this area. We've done significant
amounts of the development in all of these technologies over the years, and
our expertise is second-to-none.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
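Added example (not part of the thread above, nor Symas or OpenLDAP code) illustrating the keytab-versus-ticket point: a keytab is a file of long-lived keys, one per principal and key version, which is why it has to be protected like a password file. The parser below assumes the version-2 MIT keytab layout (magic 0x0502), lists principal, kvno and enctype without surfacing the key bytes, and checks the file mode; the sample keytab is constructed inline.

```python
import struct

def _counted(buf: bytes, pos: int):
    """Read a 16-bit length-prefixed octet string; return (bytes, new pos)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(data: bytes) -> list:
    """List the key entries of a version-2 MIT keytab (0x0502) without exposing key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                           # negative size marks a deleted slot
            if size == 0: break
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, kvno8 = struct.unpack_from(">IIB", data, pos)
        enctype, keylen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + keylen                      # skip the key material itself
        kvno = kvno8
        if end - pos >= 4:                      # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "keylen": keylen})
    return entries

def keytab_mode_ok(mode: int) -> bool:
    """A keytab holds long-lived keys (a password equivalent): no group/other access."""
    return mode & 0o077 == 0

# Constructed sample: one aes256-cts (enctype 18) key for an LDAP service principal, kvno 3.
SAMPLE_KEYTAB = (
    b"\x05\x02" + struct.pack(">i", 88)                  # magic, entry size
    + b"\x00\x02" + b"\x00\x0bEXAMPLE.COM" + b"\x00\x04ldap" + b"\x00\x10ldap.example.com"
    + struct.pack(">IIB", 1, 0, 3)                       # name type, timestamp, 8-bit kvno
    + struct.pack(">HH", 18, 32) + bytes(32)             # enctype, key length, constructed key
    + struct.pack(">I", 3)                               # 32-bit kvno
)
```

Run `parse_keytab(open("/etc/krb5.keytab", "rb").read())` together with `keytab_mode_ok(os.stat(path).st_mode)` to audit a real file; a keytab readable by group or other is as exposed as a plaintext password.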