Re: Authenticate to ldap using Kerberos
Dan White <dwhite@olp.net> writes:
> On 09/09/10 20:05 -0700, Russ Allbery wrote:

>> If you are using Kerberos, you should never have to enter your username
>> and password into anything that isn't kinit or your initial
>> authentication to your system.  If you do, that something is broken and
>> is not using Kerberos properly.  Period.

> So if the poster had stated that he wanted to perform PAM authentication
> for his simple binds, I don't think he'd be confronted with such a
> violent reaction. However, from the standpoint of slapd, that's exactly
> what he's wanting to do.

Oh, probably not.  Because we'd all assume that he didn't have Kerberos or
didn't want to use it.  What gets me is going to all the work to set up
Kerberos and then not getting the benefit of it.

I know it's common, and it's hard to avoid, but it bugs me.

But I only jumped in because there was a lot of confusion over just how
Kerberos authentication works.  Sending a password to the server which
then checks it against the Kerberos KDC is *not* Kerberos authentication.
That's not the Kerberos protocol.  If that's what you want to do, then
OpenLDAP does indeed support it, and sometimes that's what you have to do,
but you should know that it's not Kerberos and you're losing the security
benefit from Kerberos by doing that.

>> SASL is what you do when you implement Kerberos properly.  Evolution is
>> not doing this.  It's either implementing a broken version of SASL
>> where it only implements a single mechanism (PLAIN), or it's actually
>> not doing SASL at all (most likely).  The problem is exactly that
>> Evolution is not properly implementing Kerberos SASL mechanisms.

> Would you agree that any application which does not support the full
> range of SASL mechanisms is broken?

When the same application already supports the full range of SASL
mechanisms for IMAP?  When the application is on a platform (Linux) with
client libraries generally already available for doing LDAP queries with
proper full SASL support?  Yes, absolutely, without question.

> What about simple binds? Would you suggest that OpenLDAP remove all
> support for simple binds? If not, why not?

We disable simple binds (apart from anonymous; I don't recall if that's
considered simple or not) on our LDAP servers.  I don't think removing all
support for them is a good idea because backward compatibility with broken
software is frequently required in the real world.  But that doesn't make
the software not broken.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
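The arrangement Russ describes (simple binds refused, anonymous binds left alone, real authentication through the GSSAPI SASL mechanism) written out as a slapd.conf fragment. This is an added illustration, not Russ's or the OpenLDAP project's own configuration; the realm EXAMPLE.COM and the suffix dc=example,dc=com are assumed names.

```conf
# Added example (not from the original message): a slapd.conf fragment that
# refuses simple binds carrying a DN and password, so a client can no longer
# hand the directory server a Kerberos password to verify against the KDC.
# Assumed names: realm EXAMPLE.COM, suffix dc=example,dc=com.

# Refuse simple (DN + password) binds. Anonymous binds are governed by the
# separate "disallow bind_anon" keyword and stay permitted here, as in the
# setup described above.
disallow        bind_simple

# Tighten the SASL layer: no plaintext mechanisms (PLAIN, LOGIN) and no
# SASL ANONYMOUS, leaving GSSAPI as the way to authenticate.
sasl-secprops   noplain,noanonymous

# Map the Kerberos principal a GSSAPI bind yields onto a real entry DN,
# so ACLs can be written against ordinary user entries rather than the
# synthetic cn=auth identity.
authz-regexp
  "uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth"
  "uid=$1,ou=People,dc=example,dc=com"
```

After `kinit`, `ldapwhoami -Y GSSAPI` against the server should report the mapped DN, while a password bind such as `ldapwhoami -x -D uid=alice,ou=People,dc=example,dc=com -W` should be refused by slapd.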