[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Kerberos and DIGEST-MD5
Jose Gonzalez Gomez wrote:
The cleanest way to make this work is to use Heimdal Kerberos and set
its KDC to store the Kerberos authentication data in LDAP. Then use
the smbk5pwd module in OpenLDAP's CVS to keep the userPassword and
krb5Key in sync. Synchronization is one-way - when you change
passwords using LDAP then both LDAP and Kerberos will be updated at
once, but if you change passwords using Kerberos only Kerberos will
change. Note that this approach only works with OpenLDAP 2.2 and
Heimdal Kerberos. Also there is no need to use saslauthd when using
this method; the LDAP userPassword simply holds the user's cleartext
password. Obviously there are other security considerations from
storing a cleartext password in LDAP.
So you gain the ability to offer DIGEST-MD5 authentication without
having duplicated password information, but then you lose the
possibility of letting users change their passwords using the standard
unix/linux/kerberos tools. The first obvious implication of this
approach is that you will have a hard time trying to enforce any
password policy in your network, as this usually involves an expired
password that must be changed at logon time using pam, and enforcing the
quality of the password using kerberos policies... am I missing anything
here? Should I use a combination of cracklib/ldap modules for password
and kerberos modules for auth/account/session in pam? Would such a setup
work?
Use pam_ldap instead of pam_krb, and you'll be able to change your
passwords using the standard Unix/Linux tools. Password policy
enforcement is also available in OpenLDAP CVS.
Regarding the smbk5pwd... will this be included in a future release
of OpenLDAP?
Don't know; I wrote this following a request from Andrew Bartlett on the
Samba project but he went quiet and no one else provided any feedback so
it seems there hasn't been any demand/interest.
And a final question regarding Kerberos... until now I've
been using mit-krb5, do you recommend heimdal over mit for any reason?
Well, the most obvious reason is that the MIT KDC doesn't support LDAP.
There are other reasons that have been hashed out on this list countless
times, read the mailing list archive.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support