Re: openldap and kerberos integration
On Thursday, 9 December 2010 21:42:46 Thierry Lacoste wrote:
> Hello,
>
> I'm experimenting with integrating Kerberos and OpenLDAP
> following roughly http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
>
> I'm using CentOS and Buchan Milne's repository
> (http://staff.telkomsa.net/packages/rhel5/ )
> both for OpenLDAP and Heimdal.
>
> I've almost succeeded except for password integration.
> It seems that the smbk5pwd module provided by openldap2.4-servers-2.4.22-1.el5
> in /usr/lib/openldap2.4/smbpwd.so is built without kerberos support.
In Mandriva, the Kerberos implementation in the "main" repository is MIT
Kerberos, while Heimdal is in contrib. As OpenLDAP is in main, it cannot
depend on Heimdal, so by default we build smbk5pwd as smbpwd.so without
Heimdal support, while we have a separate openldap-smbk5pwd package (providing
smbk5pwd.so) in contrib which is built with Heimdal support.
However, I have had problems with this package on CentOS with my Heimdal
packages (slapd would hang or crash on a password change on a Heimdal account
with the module enabled), and due to problems in conjunction with ppolicy
(krb5PasswordEnd not being updated), I don't use it myself on my CentOS
deployment, but rather use the "use Samba passwords" feature.
> With "smbk5pwd-enable krb5" I have the following error:
> /etc/openldap2.4/slapd.conf: line 154: smbk5pwd: <smbk5pwd-enable>
> module "smbk5pwd-enable" only allowed when compiled with -DDO_KRB5.
>
> What is the easiest option to get a kerberos supporting smbk5pwd?
Untested (besides "it installs, it loads, slapd still runs"), but built from
the Mandriva openldap-smbk5pwd src.rpm:
http://staff.telkomsa.net/packages/rhel5/openldap2.4-smbk5pwd-2.4.21-4.el5.i386.rpm
1) Install ('rpm -Uvh http://staff.telkomsa.net/packages/rhel5/openldap2.4-smbk5pwd-2.4.21-4.el5.i386.rpm' or similar)
2) Change 'moduleload smbpwd.so' to 'moduleload smbk5pwd.so'
3) Restart slapd
Please let me know if this package works for you. If not, it might be time to
update the heimdal packages (which I didn't do earlier due to regressions in
the "use samba passwords" feature which I recently fixed in the Mandriva
packages).
> BTW I'd appreciate any recommendations about providing kerberos and
> LDAP authentication (with the same password) in a production setting.
> Should I use Heimdal or MIT kerberos?
IMHO, Heimdal provides some advantages over MIT.
> If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or
> let Kerberos use its native backend?
There are some minor complications using hdb_ldap, but I feel the benefits
outweigh them.
> If OpenLDAP as a backend, is it better to use {K5KEY} as the
> userPassword or let smbk5pwd synchronize everything?
Depends on if you have any non-GSSAPI or simple-bind-to-LDAP-server-with-master-key authentication (e.g. MSCHAPv2).
Regards,
Buchan
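Steps 2 and 3 above, scripted with the checks an administrator would want before touching a production slapd.conf. This is an added example, not code from the thread or from the Mandriva/OpenLDAP packages: it takes the config path and module directory as parameters (the defaults match the paths quoted in the thread), refuses to proceed if the Kerberos-enabled smbk5pwd.so is not installed, keeps a backup of the config, and offers a separate dry-run check with slaptest so the change can be validated before slapd is restarted.

```shell
#!/bin/sh
# Added example (not from the original message). Swap the slapd moduleload
# directive from the non-Kerberos smbpwd.so to the Kerberos-enabled
# smbk5pwd.so, refusing to edit anything unless the new module file is
# actually present, and keeping a backup of the original config.
#
# Usage: switch_smbk5pwd_module [slapd.conf] [module directory]
# Defaults (assumed from the paths quoted in the thread):
#   /etc/openldap2.4/slapd.conf   /usr/lib/openldap2.4
switch_smbk5pwd_module() {
    conf="${1:-/etc/openldap2.4/slapd.conf}"
    moddir="${2:-/usr/lib/openldap2.4}"

    [ -f "$conf" ] || { echo "config not found: $conf" >&2; return 1; }

    # Without the Kerberos-capable module on disk, 'moduleload smbk5pwd.so'
    # would only make slapd fail to start; stop here instead.
    if [ ! -f "$moddir/smbk5pwd.so" ]; then
        echo "$moddir/smbk5pwd.so missing; install the openldap2.4-smbk5pwd package first" >&2
        return 2
    fi

    # Only act on an uncommented 'moduleload smbpwd.so' line.
    if ! grep -q '^[[:space:]]*moduleload[[:space:]][[:space:]]*smbpwd\.so' "$conf"; then
        echo "no 'moduleload smbpwd.so' directive in $conf; nothing to change" >&2
        return 3
    fi

    # Back up, then rewrite via a temp file (portable; avoids sed -i quirks).
    cp "$conf" "$conf.bak" || return 4
    sed 's/^\([[:space:]]*moduleload[[:space:]][[:space:]]*\)smbpwd\.so/\1smbk5pwd.so/' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf" || { rm -f "$conf.tmp"; return 4; }
    echo "rewrote moduleload directive in $conf (backup in $conf.bak)" >&2
    return 0
}

# Dry-run validation with slaptest (-u = test only, no database access),
# to run before restarting slapd. Restores the backup if the new config
# is rejected. Skipped with a message when slaptest is not installed.
check_slapd_conf() {
    conf="${1:-/etc/openldap2.4/slapd.conf}"
    if ! command -v slaptest >/dev/null 2>&1; then
        echo "slaptest not found; skipping config validation" >&2
        return 0
    fi
    if slaptest -f "$conf" -u; then
        return 0
    fi
    [ -f "$conf.bak" ] && cp "$conf.bak" "$conf"
    echo "slaptest rejected $conf; backup restored" >&2
    return 5
}
```

After `switch_smbk5pwd_module` and `check_slapd_conf` both succeed, restart slapd (step 3) and retry the password change; the `-DDO_KRB5` error quoted earlier comes from the non-Kerberos build, so if it still appears, the `moduleload` line was not the one slapd is reading.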