
Re: Authenticate to ldap using Kerberos



Wouter van Marle <wouter@squirrel-systems.com> writes:

> On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
>> Wouter van Marle wrote:
>> > On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
>> >> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
>> >>>> That requires pass-through authentication.
>> >>>
>> >>> I see.
>> >>> Well with the above instructions nothing seems to have changed.
>> >>> I have restarted saslauthd and slapd after making the changes, and when
>> >>> now accessing the ldap addressbook using Evolution, I still have to use
>> >>> the ldap stored password, not the krb password.
>> >>>
>> >>> Wouter.
>> >>
>> >> To be a little more explicit, to enable pass-through authentication, you
>> >> will need to replace the password (userPassword attribute) with:
>> >>
>> >> userPassword: {SASL}username@realm
>> >
>> > When I get it working I am considering writing some tutorial - maybe
>> > useful. I haven't been able to find anything like it on the internet.
>> > The above I have never seen; just once a suggestion to change the
>> > password to {KERBEROS}username but well that also didn't work :)
>> >
>> > It's much harder to get working than I ever expected, really. And even
>> > more so I'm surprised that openldap doesn't support this "out of the
>> > box", or with some minor settings.
>> 
>> It is not supported out of the box because it's generally the wrong thing to 
>> do. It is intentionally undocumented, to discourage people from pursuing this 
>> misguided course. Use GSSAPI.
>
> GSSAPI works:
> $ ldapwhoami -h acorn.squirrel
> SASL/GSSAPI authentication started
> SASL username: wouter@SQUIRREL
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=wouter,cn=gssapi,cn=auth

You may add an olcAuthzRegexp in order to map the SASL authentication
string to a Distinguished Name.

> But for whatever reason I have no option to choose GSSAPI as ldap
> authentication method in Evolution.

I don't know either, but my Evolution shows the GSSAPI mechanism. In
fact it shows all SASL mechanisms available on my system.

>
> And actually now you start calling it "misguided course", I would really
> like to know what the proper course is.
>
> My basic request is:
> - no passwords stored in the LDAP database.
> - LDAP authenticates users against a Kerberos server.

What do you mean by "LDAP authenticates users against Kerberos"?
Authentication is the job of the KDC, or do you want to run the Kerberos
database in LDAP?

> After a day of googling, searching for terms like the subject of this
> thread, I am not really closer to a solution. All solutions that I DID
> find were following variations of what I tried to do, and what you call
> misguided.

As I mentioned already in a previous mail, it is quite simple to set
up a kerberized system, just read the installation and administration
documents of MIT krb5 and configure network based clients to use
GSSAPI.
>
> The thing that I talked about when I mentioned "support out of the box
> or with minor settings" was simply the Kerberos authentication. Why
> doesn't that work easily? Why can I not just tell openldap to use
> kerberos, be it via PAM, via GSSAPI directly, whatever - the method I
> don't care about - as long as it works. And the frustration now is that
> it still doesn't work.

I think you should get acquainted with principal authentication and
authorization models; an LDAP server is just a dumb identity storage
system and not an authentication and authorization broker as you seem
to expect.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
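The olcAuthzRegexp mapping suggested above, written out as an added example that is not part of the thread: it turns the SASL/GSSAPI identity shown by ldapwhoami (`uid=wouter,cn=gssapi,cn=auth`) into the user's real entry, so that access control applies to that entry and no password needs to be stored in LDAP. The suffix `dc=squirrel`, the `ou=people` container and the `uid` naming attribute are assumptions; the realm form `cn=squirrel,cn=gssapi,cn=auth` is the normalized identity slapd produces when the principal's realm is given explicitly.

```ldif
# Added example, not from the thread. Assumed layout:
#   user entries: uid=<name>,ou=people,dc=squirrel
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
# Rules are tried in order; the first regex that matches wins, and the
# rewritten DN (or the single entry found by the search) becomes the
# authorization DN for the bound session.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
# Principal in the default realm, e.g. wouter@SQUIRREL shown as
# uid=wouter,cn=gssapi,cn=auth: rewrite directly to the entry DN.
olcAuthzRegexp: ^uid=([^,]*),cn=gssapi,cn=auth$
  uid=$1,ou=people,dc=squirrel
# Principal with the realm spelled out, normalized by slapd to
# uid=<name>,cn=squirrel,cn=gssapi,cn=auth: use a search instead of a
# fixed DN, which also works when uid is not the entry's RDN. The
# search must return exactly one entry, otherwise the mapping fails
# and the session keeps the unmapped cn=auth identity.
olcAuthzRegexp: ^uid=([^,]*),cn=squirrel,cn=gssapi,cn=auth$
  ldap:///ou=people,dc=squirrel??one?(uid=$1)
```

After applying it, `ldapwhoami -Y GSSAPI` should report `dn:uid=wouter,ou=people,dc=squirrel` instead of the `cn=auth` pseudo-DN; the regex is matched against the normalized identity, so keep the realm part lower-case in the pattern.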