
Re: openldap and kerberos integration



Thierry Lacoste wrote:

>>>>> BTW I'd appreciate any recommendations about providing Kerberos and
>>>>> LDAP authentication (with the same password) in a production
>>>>> setting.
>>>>> Should I use Heimdal or MIT Kerberos?
>>>>> If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or
>>>>> let Kerberos use its native backend?
>>>>> If OpenLDAP as a backend, is it better to use {K5KEY} as the
>>>>> userPassword or let smbk5pwd synchronize everything?

>>>> Read the smbk5pwd README.
>>> I've read it. Your answer seems to imply that I should use Heimdal and
>>> then OpenLDAP as its backend.
>>> Am I right?

>> It's more than just implied. The README says the code was written
>> for Heimdal. If you want to use smbk5pwd at all, then you must use
>> Heimdal.
> Sorry, my question was not very clear.
> I want LDAP Simple Binds and Kerberos with the same password.
> I find smbk5pwd and OpenLDAP as a Heimdal backend very appealing,
> but maybe there are good reasons to use another Kerberos implementation
> and/or store passwords in the Kerberos native backend (adding e.g.
> SASL in the mix to make LDAP Simple Binds use pass-through
> authentication), obviously ruling out smbk5pwd.

If all of your clients can use SASL Binds, then that is the best choice, and you can ignore smbk5pwd.

> Do you recommend using {K5KEY} as the userPassword?

If you want LDAP Simple Binds to use the same password as Kerberos,
then yes. If not, then no.
> AFAICS with smbk5pwd I have two ways to have LDAP Simple Binds and
> Kerberos with the same password.
> 1) force use of ldappasswd to make smbk5pwd synchronize all passwords;
> 2) assign {K5KEY} to the userPassword and use kpasswd to change a
> password.
>
> If I understood correctly, the second method makes the passwords
> identical by construction, while the first allows passwords to
> desynchronize if changed without ldappasswd.

The point of smbk5pwd is to fully synchronize, that means it works in both directions. When configured correctly and {K5KEY} is used, it doesn't matter whether kpasswd or ldappasswd is used, everything stays in sync.

There is no either-or as you outline with your two choices above. You must use {K5KEY} if you want any of the synchronization to work.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
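As an added illustration of the setup Howard describes (not code from the thread or from the smbk5pwd README), this is a slapd.conf fragment loading the smbk5pwd overlay with Heimdal's hdb schema, followed by a sample user entry whose userPassword is {K5KEY}. The suffix, file paths, the KDC's bind DN and the user entry are all assumed values.

```conf
# --- slapd.conf fragment (assumed paths and suffix) ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/inetorgperson.schema
# Heimdal's schema: krb5Principal / krb5KDCEntry object classes and the
# krb5Key attribute that the overlay keeps in step with the password.
include         /etc/openldap/schema/hdb.schema

# smbk5pwd is built from contrib/slapd-modules and loaded as a module.
moduleload      smbk5pwd.la

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"

# Only the KDC (bound over ldapi://, assumed identity) and the root DN may
# touch the Kerberos keys; everyone else, including the user, gets nothing.
access to attrs=krb5Key,krb5KeyVersionNumber,userPassword
        by dn.exact="uid=heimdal,ou=Service,dc=example,dc=com" write
        by anonymous auth
        by self write
        by * none

overlay         smbk5pwd
# Enable only the Kerberos side: on a Password Modify exop (ldappasswd)
# the overlay rewrites krb5Key; on a Simple Bind against a userPassword of
# {K5KEY} it derives the key from the supplied password and compares it
# with krb5Key, so there is no second hash to drift out of sync.
smbk5pwd-enable krb5

# --- sample entry (LDIF, constructed for this example) ---
# krb5Key itself is written by the KDC (kadmin) or by smbk5pwd, never by hand.
#
# dn: uid=jdoe,ou=People,dc=example,dc=com
# objectClass: inetOrgPerson
# objectClass: krb5Principal
# objectClass: krb5KDCEntry
# uid: jdoe
# cn: Jane Doe
# sn: Doe
# krb5PrincipalName: jdoe@EXAMPLE.COM
# krb5KeyVersionNumber: 1
# userPassword: {K5KEY}
```

With this in place a kpasswd change lands in krb5Key and a Simple Bind immediately verifies against it, while an ldappasswd change goes through the overlay to the same attribute; the userPassword value itself never holds a password hash.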