[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How does Openldap work with Cyrus SASL and MIT Kerberos V



Hi, thank you.
Now, I know much more about SASL's role in my case.
I will read section which suggested.
I will try to configure phpldapadmin to understand more.
Is saslauthd need a realm?
If you have configure phpldapadmin with option
SASL chosen, then lucky me.
If you don't mind, I will come back soon and disturb all you
here more with this problem :)

Thank you all very much.


2008/7/1 Martin Simovic <msimovic@concurrent-thinking.com>:
On Tue, 2008-07-01 at 17:02 +0700, Le Trung Kien wrote:
> Hi, thank you, now I understand what happen underlying the process.
> As you said, then saslauthd do no work in my case. It is just a SASL
> plugin of
> LDAP client works here.
> And now, I have to configure phpldapadmin but I do not know what value
> I should assign
> to SASL realm option, and so on.
> I assumed that I should have a saslauthd for authentication via
> Kerberos, etc. But I am not
> sure.
> Please, could you give me some hint to using SASL in my case ?
>
> thank you.
>
>
>
> 2008/7/1 Buchan Milne <bgmilne@staff.telkomsa.net>:
>
>
>         OpenLDAP does not use Kerberos directly, instead it uses SASL.
>         If your
>         LDAP server has a Kerberos service principal, and has the SASL
>         GSSAPI
>         plugin installed and enabled, then the OpenLDAP client
>         utilities will
>         try appropriate SASL mechanisms (if the user has a ticket).
>
>         So, you are using SASL to authenticate via Kerberos your users
>         when
>         accessing the LDAP service.
>
>         Regards,
>         Buchan
>
>
how did you configure your ldap server + kerberos in first place? did
you use some kind of tool (YAST?) because it does not seem you know
exactly what you are doing (no offence here, it's quite complex stuff)

to resume it all:

you can bind to LDAP server two ways: - simple bind
                                     - SASL bind

look at the simple bind as sending username/password in cleartext to the
server. (insecure if not over SSL/TLS)
SASL on other side can use any of supported mechanisms (DIGEST-MD5,
GSSAPI...)

in your case you use gssapi(kerberos).

if your ldap server is properly configured and you have
libsasl-modules-mit-gssapi (or whatever they call it on your distro)
installed you can bind to ldap server via gssapi (having previously
obtained the TGT ticket) the fact that ldapwhoami works means, that you
have the plugin, you have the ticket, you have the ldap kerberos
pricipal in keytab and the sasl-regexp is properly set up in slapd.conf

now comes the saslauthd into the game:

what if your application which requires authenticate to ldap does not
support SASL(GSSAPI) ? (most addressbooks like outlook, evolution.. does
not)

if your app can do only simple bind to ldap (username/password) you need
a mechanism to forward these to KDC and use the information it gives
back (authentication succeeded). this is what saslauth does. it acts as
the middle man between LDAP and kerberos KDC. this is also called
(according to openldap documentation) an pass-through authentication.
you only need it if you want to use simple (not SASL) binds to LDAP
using kerberos passwords.(SSL in this case is a must)

it's all very nicely described here:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%
20authentication


hope i made it a little bit clearer;

M.





>
> --
> Le Trung Kien.




--
Le Trung Kien.