[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Kerberos+LDAP - identity management problems

To: Marius Olsthoorn <marius@kern.nl>, hyc@symas.com
Subject: RE: Kerberos+LDAP - identity management problems
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Tue, 02 Dec 2003 09:53:12 -0800
Cc: OpenLDAP-Software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <63942.217.170.42.254.1070386151.squirrel@webmail.kern.nl>
References: <004201c3b8b9$d37a1600$1801a8c0@CELLO> <63942.217.170.42.254.1070386151.squirrel@webmail.kern.nl>

--On Tuesday, December 02, 2003 6:29 PM +0100 Marius Olsthoorn <marius@kern.nl> wrote:

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Marius
Olsthoorn

> --On Friday, November 28, 2003 4:25 PM +0100 Marius Olsthoorn
> <marius@kern.nl> wrote:

>> Most importently, applications cannot use the same
>> identity name for both authentication and querying
>> LDAP, since using LDAP for authentication is against
>> the spirit of Kerberos.


You need to read up on SASL support in OpenLDAP 2.1. You can use Kerberos
for authentication to LDAP through SASL, so your single Kerberos identity
can be used everywhere.


As far as I know LDAP only maps dns to principles. If I bind to
LDAP it uses my binddn to come up with a Kerberos identity, which
is then used for authentication. So, afaik, its not possible to
use a Kerberos identity to bind with LDAP.


You don't understand SASL/GSSAPI then. :)

For us, it maps our principle to a DN. I bind as "quanah@stanford.edu" via GSSAPI, and that gets mapped to "uid=quanah,cn=acccounts,dc=stanford,dc=edu" via our sasl-regexp statement in slapd.conf.

Sorry if I wasn't clear on this. I was aiming at applications
which have
to authenticate users and use user data. They have to use one
identity in
two 'namespaces'. The first being Kerberos, the second being
LDAP. Since
there is no explicit mapping between the two you might run
into problems.
However, I guess you could use an implicit mapping (a
convention). But then
you have to hardcode the convention in your applications,
which is usually
a bad idea.


No. The slapd administrator needs to explicitly define a mapping in
slapd.conf; no one else needs to worry about the mapping.


True, but when an application (not LDAP) wants to authenticate a
user, it uses Kerberos for this purpose. If it then wants to use
LDAP, it then binds to LDAP as the user's dn! In this setting there
are two identities; the Kerberos principle and the user's binddn.


No, there really isn't.  There is only one.


Another setting would be to use a special dn the application can
use. However, this way it is not possible to use LDAP's acl
mechanism.

Yes it is, it is extremely trivial, we do that with many of our applications.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

References:
- RE: Kerberos+LDAP - identity management problems
  - From: "Howard Chu" <hyc@symas.com>
- RE: Kerberos+LDAP - identity management problems
  - From: "Marius Olsthoorn" <marius@kern.nl>

Prev by Date: RE: Kerberos+LDAP - identity management problems
Next by Date: Initial Import fails at first entry (c=de) on a new Suse 9.0 inst allation
Index(es):
- Chronological
- Thread