
Re: Authenticate to ldap using Kerberos



On Thu, 2010-09-09 at 10:43 +0200, Dieter Kluenter wrote:
> Wouter van Marle <wouter@squirrel-systems.com> writes:
> 
> > On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
> >> Wouter van Marle wrote:
> >> > On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
> >> >> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> >> >>>> That requires pass-through authentication.
> >> >>>
> >> >>> I see.
> >> >>> Well with the above instructions nothing seems to have changed.
> >> >>> I have restarted saslauthd and slapd after making the changes, and when
> >> >>> now accessing the ldap addressbook using Evolution, I still have to use
> >> >>> the ldap stored password, not the krb password.
> >> >>>
> >> >>> Wouter.
> >> >>
> >> >> To be a little more explicit, to enable pass-through authentication, you
> >> >> will need to replace the password (userPassword attribute) with:
> >> >>
> >> >> userPassword: {SASL}username@realm
> >> >
> >> > When I get it working I am considering writing a tutorial - maybe
> >> > useful. I haven't been able to find anything like it on the internet.
> >> > The above I have never seen; just once a suggestion to change the
> >> > password to {KERBEROS}username but well that also didn't work :)
> >> >
> >> > It's much harder to get working than I ever expected, really. And even
> >> > more so I'm surprised that openldap doesn't support this "out of the
> >> > box", or with some minor settings.
> >> 
> >> It is not supported out of the box because it's generally the wrong thing to 
> >> do. It is intentionally undocumented, to discourage people from pursuing this 
> >> misguided course. Use GSSAPI.
> >
> > GSSAPI works:
> > $ ldapwhoami -h acorn.squirrel
> > SASL/GSSAPI authentication started
> > SASL username: wouter@SQUIRREL
> > SASL SSF: 56
> > SASL data security layer installed.
> > dn:uid=wouter,cn=gssapi,cn=auth
> 
> You may add an olcAuthzRegexp in order to map the sasl authentication
> string to a Distinguished Name.

Will look into that. I've seen bits and pieces about that before.

> > But for whatever reason I have no option to choose GSSAPI as ldap
> > authentication method in Evolution.
> 
> I don't know either, but my evolution shows the GSSAPI mechanism. In
> fact it shows all sasl mechanisms available on my system.

Mail preferences yes: has some GSSAPI option. I haven't really tried
that out. 

Address book properties: no.
Under the header Authentication I only have a login method (using dn or
email or anonymous), and a field to enter the login name. I cannot
choose to use gssapi or whatever special method to authenticate to the
ldap server.

> > And actually now you start calling it "misguided course", I would really
> > like to know what the proper course is.
> >
> > My basic request is:
> > - no passwords stored in the LDAP database.
> > - LDAP authenticates users against a Kerberos server.
> 
> What do you mean by LDAP authenticates users against Kerberos?
> Authentication is the job of KDC, or do you want to run the Kerberos
> Database in LDAP?

KDC authenticates, keeping its own database. That's cool, no need to
stuff that in ldap again.

> > After a day of googling, searching for terms like the subject of this
> > thread, I am not really closer to a solution. All solutions that I DID
> > find were following variations of what I tried to do, and what you call
> > misguided.
> 
> As I mentioned already in a previous mail, it is quite simple to set
> up a kerberized system, just read the installation and administration
> documents of MIT krb5 and configure network based clients to use
> GSSAPI.

The kerberised part is not the problem, that works fine. I'm using that
to log in to my workstations, mail server, etc.

> I think you should get acquainted with principal authentication and
> authorization models, an LDAP server is just a dumb identity storage
> system and not an authentication and authorization broker as you seem
> to expect.

Kerberos is the authentication system, it's specialised in that. At
least that's what I learned about it. I have set it up in order to have
a single sign-on, a single password for all services running on my
network, which makes it much easier for me to administer.

LDAP is a specialised database system typically storing personal
information; I also use it for the aliases database, userID, groupID, and
other system info. This part works great as well.

Now all I want is for openldap to use kerberos as its authentication
broker. Nothing more, nothing less. LDAP is now authenticating its users
by itself, which seems to be the default behaviour, and that's what I
want to get rid of. As you say yourself LDAP is not an authentication
broker, but why can it not easily be configured to use an external
authentication broker, such as pam, which is designed to be just that?

Wouter.

> 
> -Dieter
>
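Dieter's olcAuthzRegexp suggestion, as an added example that is not part of the thread: it maps the GSSAPI identity ldapwhoami reported above (uid=wouter,cn=gssapi,cn=auth) onto a real directory entry, so ACLs written against entries under the people container apply to the Kerberos-authenticated user. The cn=config backend, the suffix dc=squirrel, and the ou=People container are assumptions; substitute your own.

```ldif
# Added example (not from the thread). Assumed suffix: dc=squirrel,
# assumed user container: ou=People,dc=squirrel. Apply as the config
# root, e.g.: ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-regexp.ldif
#
# SASL/GSSAPI yields an identity of the form
#   uid=<user>[,cn=<realm>],cn=gssapi,cn=auth
# (the cn=<realm> part is omitted when the realm is the server's default,
# as in the ldapwhoami output above). The optional group in the regexp
# matches both forms; $1 carries the Kerberos principal name, and the
# LDAP URL on the continuation line searches for the matching entry.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*)(,cn=[^,]*)?,cn=gssapi,cn=auth
  ldap:///ou=People,dc=squirrel??sub?(uid=$1)
```

After applying, `ldapwhoami -H ldap://acorn.squirrel` should report the mapped entry (dn:uid=wouter,ou=People,dc=squirrel under these assumptions) instead of the cn=auth pseudo-DN; if it still shows the pseudo-DN, the search found no entry or more than one, and the mapping is silently skipped.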