[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL pass-through autentication with a ldap-backend KDC



Guillaume Rousse wrote:
Hello list.

Reading http://www.openldap.org/doc/admin24/security.html#SASL password
storage scheme, I understand autentication can be delegated to an
external mechanisme. Such as, for instance, a kerberos server. In this
case, it is advised to prevent changing passwords in the directory.

That part of the doc appears to be wrong. slapd will call SASL's setpass function to change a SASL password, so there's no reason to prevent changing passwords via LDAP.


Also, the {KERBEROS} delegation scheme has been removed, only SASL delegation is supported.

What happens if the autentication provider is an heimdal server, using
OpenLDAP as its backend, and smbkrb5 overlay to keep ldap, samba and
kerberos password synced ? Does pass-through still work ?

When using the smbk5pwd overlay in such a configuration, there is no pass-through. The Kerberos credentials reside in slapd and slapd validates the authentication directly.


And it is
recommended then to make the userPassword attribute read-ony, but still
use Exop PasswordChange to change samba and kerberos attributes ?

Yes.

I didn't tested it yet, but it look very interesting if it works.
Particulary because heimdal password change through kpassword doesn't
use ExOp PasswordChange operation, but only update kerberos and samba
passwords.

I know smbkrb5 has a special {smbkrb5} password storage scheme for
redirecting autentication against kerberos password internally, not
relying on a external SASL process. But it's only usable if smbkrb5
overlay is available (some of our slaves servers are centos-based, and
don't have this overlay, but still need to autenticate users).

You can always obtain the source tree that was used to build your distro and compile the overlay yourself.


And the
trick of setting password-hash directive in slapd.conf to {smbkrb5} to
prevent overwriting of userPassword attribute on PasswordChange
operation with a normal value has the drawback than even pure ldap
administrative accounts (syncrepl, for instance) get redirected to
kerberos password for autentication, whereas only our users have
principals currently.

The password_hash setting in slapd.conf is only a default. You can explicitly set any hash type on any account.


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/