RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)

["Howard Chu" <hyc@highlandsun.com>]

> -----Original Message-----
> From: Michael Torrie [mailto:torriem@cs.byu.edu]

> On Fri, 2002-04-12 at 21:40, Howard Chu wrote:
> > You can do this if your Kerberos installation includes libgss,
> and you also
> > need to install Cyrus SASL, then reconfigure/rebuild OpenLDAP with SASL
> > support.
>
> Of course.  I did mention that I already have OpenLDAP doing pass-thru
> authentication against kerberos (each user has a {kerberos} entry in
> userPassword).

"Of course" what? Performing LDAP binds with Kerberos passwords says
nothing about SASL. The two are completely independent mechanisms and
you said nothing about whether or not you have a working SASL installation.
The values in a userPassword attribute are only used in LDAP Simple Binds.
When you bind with SASL, the userPassword attribute is completely
irrelevant.

Wherever you got the notion that the two are dependent, is completely wrong.

> What I really want to know is if I can get a kerberos ticket ahead of
> time and use it with LDAP, through kinit.  This is for the purpose of
> binding as administrator.

Yes, if you have SASL working.
>
> What principal do I use when I kinit (say when I want to bind as the
> manager) and do I have to pass any special options to ldapsearch to use
> the ticket.  Also, can any application that links against the ldap
> libraries (such as php_ldap) transparently use the ticket?  That's my
> real question.

You use whatever principal you want. Any application that can perform
a SASL bind will have access to whatever credentials the given user has.
You probably need to include the "-Y GSSAPI" option with ldapsearch because
SASL tends to pick MD5-DIGEST by preference. (It actually defaults to the
mechanism with the highest security factor, and GSSAPI is always considered
to use single-DES, 56-bit, while MD5-DIGEST is treated as 128-bit.)

> Most apps need a keytab file that the service (LDAP) uses to verify that
> the ticket is authentic.  I've seen no mention of this in OpenLDAP
> stuff.  I know that it's done through cyrus SASL, though, so I may look
> there.

There is no mention of it in OpenLDAP stuff because it is not particular to
OpenLDAP. Any Kerberized service needs to have access to its key, and there
are no exceptions. OpenLDAP finds its key the same way every other
Kerberized
service does, so yes, read your Kerberos docs. The SASL docs are no use,
because SASL has no special mechanisms for locating the GSSAPI keys.

> Normally OpenLDAP can talk to kerberos because it's the one requesting
> the ticket.  In this case I request the ticket and pass it to LDAP.
> ldapsearch does have a "-k" option that seems to indicate this is what
> it would do but it only works with krb4.
>
> Does that make sense?

I understand what you're saying, but no it doesn't make sense. From a
security standpoint the whole notion of the "{KERBEROS}user@realm"
userPassword construct is totally bogus. You go through the trouble of
creating a cryptographically secure authentication secret, and then you
place it somewhere where the only way it can get used is if the user submits
his password in plaintext??? Ridiculous.

In my opinion, all of those fancy "{SCHEME}passwordcookie" mechanisms are
pure garbage. They completely nullify whatever enhanced security the
particular password scheme offered, because they require the "guarded"
secret to be transmitted in cleartext over the network. At some point I
think they're going to have to get ripped out of the source and thrown away;
they just encourage poor security practices as-is.

If you stuck with Kerberos via SASL/GSSAPI you'd be pretty safe, if it
weren't for all the bugs in the SASL libraries... SASL/MD5-DIGEST is pretty
reliable. SASL/EXTERNAL is my personal favorite, but the OpenLDAP 2.0
implementation is basically unusable. 2.1 works a lot better.

I saw someone recommend using SASL/GSSAPI over a TLS session. This is
overkill, since both TLS and SASL are performing encryption at the same
time.

> >   -- Howard Chu
> >   Chief Architect, Symas Corp.       Director, Highland Sun
> >   http://www.symas.com               http://highlandsun.com/hyc
> >   Symas: Premier OpenSource Development and Support
> >
> > > -----Original Message-----
> > > From: owner-openldap-software@OpenLDAP.org
> > > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> Michael Torrie
> > > Sent: Friday, April 12, 2002 7:16 PM
> > > To: openldap-software@OpenLDAP.org
> > > Subject: can I use a kerberos ticket with ldapsearch (and ldap
> > > libraries)
> > >
> > >
> > > I've searched for this, and found some info, but I'm still confused.
> > >
> > > If openldap was configured appropriately, can I bind to LDAP using a
> > > kerberos ticket obtained with kinit?  I realize there are ACLs to deal
> > > with, and kerberos support has to be turned on in ldap.  Right now I
> > > have my manager entity have a kerberos password in the
> slapd.conf file.
> > > When I bind as manager and give the password, slapd is able to verify
> > > that password using kerberos.  But can I init to that principal first
> > > and then use ldapsearch?  If so, can I also use ldap libraries and
> > > things like the php_ldap stuff with this ticket too?
> > >
> > > I saw an option -k in ldapsearch, but that has to do with krb5 and
> > > LDAPv2.  I'm trying to do an LDAPv3 system.
> > >
> > > Any pointers to docs would be great.  I already have an LDAP
> system set
> > > up (using kerberos for password verification) and Samba 2.2.2 working
> > > great.  Just want to know about the kerberos ticket thing.
> > >
> > > Thanks,
> > > Michael