[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Antwort: Simple binds authenticating against Kerberos [Virus checked]

To: <denis.havlik@t-mobile.at>, "'Digant Kasundra'" <digant@uta.edu>
Subject: RE: Antwort: Simple binds authenticating against Kerberos [Virus checked]
From: "Howard Chu" <hyc@highlandsun.com>
Date: Thu, 11 Mar 2004 02:02:45 -0800
Cc: <openldap-software@OpenLDAP.org>, <owner-openldap-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <OFAF61A515.B1B24185-ONC1256E54.002EA45C-C1256E54.0031A1B2@t-mobile.at>

>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
denis.havlik@t-mobile.at
>
>>But lets say the person just does a simple bind to LDAP.  Is there a way to
tell
>>OpenLDAP to use than username and password against Kerberos to see
>>if it is valid?  It seems the OpenLDAP manual parts that I've seen don't
seem to
>> address this (to my understanding).
>
>Documentation for this is indeed badly lacking, but I happen to have done it
recently,
>so let's document it here. :-)

It is not documented because this practice is discouraged.

>In fact there are (at least) two ways to do it. First is by declaring the
userPassword
>to be "{KERBEROS}<principal@REALM>". I have NOT tried this, but from what I
read in
>openLDAP lists, openLDAP developers dislike this method, nobody wants to
maintain it,
>and the corresponding code is therefore disabled by default, and may even be
phased out
>in the future.

Correct. The code for this has been migrated out of the core OpenLDAP
libraries and into the contrib section, where it will hopefully die an
ignominious death.

>Second possibility is to use SASL/GSSAPI. This means that you need to get
>LDAP+SASL/GSSAPI + Kerberos working first.

There is nothing to be gained from getting SASL/GSSAPI working when your goal
is to perform Simple Binds. The two code paths are completely different;
having one work gives you absolutely zero guarantee that the other will work.

Aside from that caveat, the following description appears accurate.

>Up to now, all these steps are (more-or-less) well documented, and I presume
you got the >system working so far. Now comes the funny, and not very well
documented part:
>
>1) saslauthd: This is a demon that takes username/password combination on
the one side, >checks them against (in our case) kerberos server, and gives
back a "OK/not OK" type of >response to program that requested the auth.
check in the first place.
>2) openLDAP is able to "forward" the authentication requests to saslauthd.
>
>Configuration looks like this:
>
>* In LDAP tree, you have to set "userPassword" entries to:
>
>         {SASL}<principal>@<REALM>
>
>* saslauthd must be started with "kerberos5" as authentication mechanism. In
Mandrake
>Linux (and probably in RH too), this means defining the
>
>        SASL_AUTHMECH="kerberos5" in /etc/sysconfig/saslauthd
>
>(Defining a SASLAUTHD_OPTS="-c"  may help with the performance, but can be
done later)
>
>* Finally, you also need a /usr/lib/sasl2/slapd.conf file with
>
>        pwcheck_method: saslauthd
>
>
>Disclaimer: I'm still experimenting with this, haven't fully documented the
procedure
>yet, and have major performance and reliability problems at this moment, but
to the best
>of my knowledge that's all you need to get simple bind against kerberos DB
once the
>SASL/GSSAPI binds work correctly.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

References:
- Antwort: Simple binds authenticating against Kerberos [Virus checked]
  - From: denis.havlik@t-mobile.at

Prev by Date: value of naming attribute not present in entry
Next by Date: RE: Adding Schemas
Index(es):
- Chronological
- Thread