
Re: Kerberos + LDAP + Cyrus-SASL woes

One REALLY should not post across lists; you're going to piss people
off, and thus NOT help yourself.

> What we have so far:
> 	A working LDAP server that we can bind to and query.
> 	A working kerberos KDC that is issuing tickets.
> 	A PAM setup that has moved the UNIX authentication (/etc/passwd) into
> LDAP.
> 
> The final product would provide central user authentication (the
> Kerberos KDC) and user account management (LDAP), thus providing many of
> the services of a Windows Active Directory server.  What we are stuck on
> is not so much a configuration or software issue as it is a conceptual
> snag.  Where should Kerberos tickets (and possibly keytabs) be stored to
> interoperate with LDAP?  How is LDAP supposed to contact the KDC and
> receive a ticket?  

The LDAP server must have a service ticket in its keytab.  That keytab
can be wherever you want; it is specified in slapd.conf.

Perhaps you should look at Heimdal, where you can store the principal
database in the DSA itself.

> Is the user supposed to run kinit -f upon login?

Eh?  PAM can acquire the tickets on behalf of the user, when they enter
via login, xdm, gdm, etc...  The pam_krb5 module does this by default.

You should ask questions about various services on lists specific to
those services (admittedly the delineation of the various components can
be a bit tough to grasp at first).

> Our company, the OIC Group, is looking for someone who really knows
> Kerberos and LDAP inside and out, and is willing to lend a hand, either
> as a consultant, or a contract system administrator.  OIC is willing to
> pay for services rendered.  Our only requirement is that the working
> implementation / configuration be well-documented for future reference.
> Any help / direction / guidance is greatly appreciated.

Perhaps you should contact the "Linux Box" (www.linuxbox.nu) as they
provide some of the exact services you're talking about (LDAP, KrbV,
AFS).  They are in east Michigan, so not terribly far from Peoria.  [
NOTE: I have no financial connection with the Linux Box whatsoever, or
official connections of ANY type.  But I can vouch for their competence.
]
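A sanity check for the slapd keytab the reply above talks about, added here as an example and not part of the original mail. The realm, LDAP host name and keytab path are assumed placeholders, and the offline self-test runs against a constructed `klist -k` listing rather than a real keytab.

```shell
#!/bin/sh
# Added example: verify the keytab that slapd's GSSAPI/Kerberos binds rely on.
# REALM, LDAP_HOST and the default KEYTAB path are assumptions; edit for your site.
REALM="EXAMPLE.COM"
LDAP_HOST="ldap.example.com"
KEYTAB="${KRB5_KTNAME:-/etc/openldap/ldap.keytab}"

# Succeeds if a `klist -k` listing on stdin contains the ldap/<host>@REALM
# service principal that a Kerberized bind to slapd needs.
keytab_has_principal() {
    grep -q "[[:space:]]ldap/$1@$2\$"
}

# Succeeds if the keytab is readable by "other", i.e. the service key is
# exposed to every local user.  Uses ls -l so it works on GNU and BSD alike.
keytab_world_readable() {
    other=$(ls -ld "$1" | cut -c8-10)
    [ "$other" != "---" ]
}

# What you would run on the real LDAP server (needs MIT or Heimdal klist;
# both honour KRB5_KTNAME, so no klist-specific keytab flag is needed).
check_slapd_keytab() {
    [ -r "$KEYTAB" ] || { echo "keytab $KEYTAB not readable" >&2; return 1; }
    if keytab_world_readable "$KEYTAB"; then
        echo "keytab $KEYTAB is world-readable; chmod 600 it" >&2; return 1
    fi
    KRB5_KTNAME="$KEYTAB" klist -k | keytab_has_principal "$LDAP_HOST" "$REALM" || {
        echo "no ldap/$LDAP_HOST@$REALM in $KEYTAB" >&2; return 1; }
    echo "keytab $KEYTAB looks usable for slapd"
}

# Constructed `klist -k` listing (not real output) for an offline self-test.
SAMPLE_KLIST='Keytab name: FILE:/etc/openldap/ldap.keytab
KVNO Principal
---- ------------------------------------------------
   3 ldap/ldap.example.com@EXAMPLE.COM
   3 host/ldap.example.com@EXAMPLE.COM'

printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "$LDAP_HOST" "$REALM" \
    && echo "self-test: sample listing carries ldap/$LDAP_HOST@$REALM"
```

On a live server call `check_slapd_keytab` instead of the self-test; a missing principal or a too-open keytab is the usual reason a SASL/GSSAPI bind to slapd fails even though the KDC issues tickets fine.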