Re: Kerberos and DIGEST-MD5
Jose Gonzalez Gomez wrote:
> Hi there,
>
> I've been searching the web and the mailing list for a solution to
> this but haven't been able to find an answer. Sorry if this has been
> answered before...
>
> I have managed to install an authentication server using mit-krb5
> 1.3.3, cyrus-sasl 2.1.18 and openldap 2.1.26. Right now I'm able to
> authenticate any user on my network using pam/nss accessing Kerberos and
> OpenLDAP, so in order for a user to log in she must have a corresponding
> Kerberos principal and an LDAP entry with objectClass=posixAccount (among
> others). I'm also able to authenticate to LDAP using GSSAPI/Kerberos,
> and simple BIND using {SASL}user@REALM in the userPassword attribute (as
> it seems that the {KERBEROS} way is deprecated), checking the password
> against the saslauthd/Kerberos database.
>
> So what's the problem? It seems that to build an LDAPv3 compliant
> server I must provide DIGEST-MD5 authentication to the LDAP server, and
> this is what I don't know how to achieve in a clean manner. In order to
> have DIGEST-MD5 working I must have a clear text password stored
> somewhere (correct me if I'm wrong), but it seems that Kerberos doesn't
> have it, or I don't know how to use it in the DIGEST-MD5 authentication
> process. It seems that Cyrus SASL *does need* this password stored in
> its sasldb2 database to be able to successfully offer DIGEST-MD5, but
> this would mean that I'd have duplicated information and I'd have to
> sync both databases (Kerberos and SASL) whenever a password change
> occurs. So, am I missing anything here? Is there any clean solution for
> this?
I believe you already received an answer to this question on the
cyrus-sasl mailing list.
The cleanest way to make this work is to use Heimdal Kerberos and set
its KDC to store the Kerberos authentication data in LDAP. Then use the
smbk5pwd module in OpenLDAP's CVS to keep the userPassword and krb5Key
in sync. Synchronization is one-way - when you change passwords using
LDAP then both LDAP and Kerberos will be updated at once, but if you
change passwords using Kerberos only Kerberos will change. Note that
this approach only works with OpenLDAP 2.2 and Heimdal Kerberos. Also
there is no need to use saslauthd when using this method; the LDAP
userPassword simply holds the user's cleartext password. Obviously there
are other security considerations from storing a cleartext password in LDAP.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
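The Heimdal-with-LDAP-backend layout Howard describes, written out as a configuration example. This is an added illustration, not configuration from the list post or from the OpenLDAP or Heimdal projects; the suffix `dc=example,dc=com`, the `cn=kdc` identity, the container `ou=KerberosPrincipals` and all file paths are assumptions. It also shows the ACL that limits the exposure Howard warns about: `userPassword` must be cleartext for DIGEST-MD5, so nothing but the KDC and the owner may read it.

```conf
## slapd.conf (OpenLDAP 2.2) -- assumed paths and names throughout
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/nis.schema
# hdb.schema ships with Heimdal (lib/hdb); install location is an assumption
include    /etc/openldap/schema/hdb.schema

modulepath /usr/lib/openldap
moduleload smbk5pwd.la

# Heimdal's KDC talks to slapd as root over the ldapi:// socket. Map that
# SASL/EXTERNAL peer identity to a DN the ACLs below can name.
authz-regexp "gidNumber=.*\\+uidNumber=0,cn=peercred,cn=external,cn=auth"
             "cn=kdc,dc=example,dc=com"

# DIGEST-MD5 needs the cleartext value, so password-modify must not hash it.
password-hash {CLEARTEXT}

database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
directory  /var/lib/ldap

# Cleartext secrets and Kerberos keys: the KDC and the owner may write them,
# anyone may *compare* during a simple bind, nobody else may read them.
access to attrs=userPassword,krb5Key,krb5KeyVersionNumber
    by dn.exact="cn=kdc,dc=example,dc=com" write
    by self write
    by anonymous auth
    by * none
access to *
    by * read

# Regenerate krb5Key whenever userPassword changes through LDAP. This is the
# one-way sync from the post: kadmin changes do not flow back to userPassword.
overlay smbk5pwd
smbk5pwd-enable krb5

## kdc.conf (Heimdal) -- point the HDB at the same directory tree
[kdc]
    database = {
        dbname    = ldap:ou=KerberosPrincipals,dc=example,dc=com
        mkey_file = /var/heimdal/m-key
        acl_file  = /var/heimdal/kadmind.acl
    }
```

Verify the ACL before exposing the server: an `ldapsearch` as an ordinary user against another user's entry must return no `userPassword` or `krb5Key` values.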