
Re: Authenticate to ldap using Kerberos



On Thursday, 9 September 2010 08:12:11 Wouter van Marle wrote:
> On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
> > Wouter van Marle wrote:
> > > On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
> > >> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> > >>>> That requires pass-through authentication.
> > >>> 
> > >>> I see.
> > >>> Well with the above instructions nothing seems to have changed.
> > >>> I have restarted saslauthd and slapd after making the changes, and
> > >>> when now accessing the ldap addressbook using Evolution, I still
> > >>> have to use the ldap stored password, not the krb password.
> > >>> 
> > >>> Wouter.
> > >> 
> > >> To be a little more explicit, to enable pass-through authentication,
> > >> you will need to replace the password (userPassword attribute) with:
> > >> 
> > >> userPassword: {SASL}username@realm
> > > 
> > > When I got it working I am considering to write some tutorial - maybe
> > > useful. I haven't been able to find anything like it on the internet.
> > > The above I have never seen; just once a suggestion to change the
> > > password to {KERBEROS}username but well that also didn't work :)
> > > 
> > > It's much harder to get working than I ever expected, really. And even
> > > more so I'm surprised that openldap doesn't support this "out of the
> > > box", or with some minor settings.
> > 
> > It is not supported out of the box because it's generally the wrong thing
> > to do. It is intentionally undocumented, to discourage people from
> > pursuing this misguided course. Use GSSAPI.
> 
> GSSAPI works:
> $ ldapwhoami -h acorn.squirrel
> SASL/GSSAPI authentication started
> SASL username: wouter@SQUIRREL
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=wouter,cn=gssapi,cn=auth
> 
> But for whatever reason I have no option to choose GSSAPI as ldap
> authentication method in Evolution.
>

File bugs on Evolution. Kmail/Kaddressbook support GSSAPI ...
 
> And actually now you start calling it "misguided course", I would really
> like to know what the proper course is.

Don't send passwords in the clear to authenticate via Kerberos when you 
already have the means to do so without ever sending the password ....

> My basic request is:
> - no passwords stored in the LDAP database.
> - LDAP authenticates users against a Kerberos server.

Then every LDAP client needs to support SASL, unless you also want:
- Reveal my passwords which are never revealed anywhere else, when I do a 
simple bind to LDAP, and use pass-through authentication

> 
> After a day of googling, searching for terms like the subject of this
> thread, I am not really closer to a solution. All solutions that I DID
> find were following variations of what I tried to do, and what you call
> misguided.
> 
> The thing that I talked about when I mentioned "support out of the box
> or with minor settings" was simply the Kerberos authentication. Why
> doesn't that work easily? Why can I not just tell openldap to use
> kerberos, be it via PAM,

Because Kerberos authentication can't be done via PAM (which only supports 
username/password). You *can* do PAM authentication against a KDC, but this 
should only be done for initial (e.g. physical login) authentication. PAM and 
Kerberos can both be done via SASL, which OpenLDAP supports (but, you haven't 
configured your SASL setup correctly).

> via GSSAPI directly, whatever - the method I
> don't care about - as long as it works. And the frustration now is that
> it still doesn't work.

But, none of it is an OpenLDAP problem, your problems are with:
- Evolution
- SASL


Regards,
Buchan
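Buchan's point that a simple bind hands the password to the network, whereas the GSSAPI bind shown in the quoted `ldapwhoami` output never puts it on the wire, can be seen at the protocol level. The following is an added example, not code from the thread, OpenLDAP, Evolution or Cyrus SASL: it encodes both kinds of LDAP BindRequest (RFC 4511) with a minimal BER writer, parses PDUs back, and flags simple binds that carry a password. The DN, password and GSSAPI token are constructed values, and the parser assumes one complete LDAPMessage per buffer rather than a reassembled TCP stream. Run over PDUs captured from a non-TLS port 389 session, the same `audit()` check finds clients that still bind with a password instead of a Kerberos ticket.

```python
"""Classify LDAP BindRequest PDUs by authentication choice (RFC 4511).

Added example for this thread; not OpenLDAP, Evolution or Cyrus SASL code.
All PDUs are constructed locally with the minimal BER helpers below, so
nothing here touches a real directory server or network.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BER tags used by an LDAP BindRequest (LDAP uses IMPLICIT tagging).
SEQUENCE = 0x30
INTEGER = 0x02
OCTET_STRING = 0x04
APP_BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80        # [0] OCTET STRING: the password itself
AUTH_SASL = 0xA3          # [3] SaslCredentials: mechanism + opaque token


def _length(n: int) -> bytes:
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _length(len(value)) + value


def _integer(n: int) -> bytes:
    # Minimal two's-complement encoding of a non-negative INTEGER.
    return _tlv(INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after this element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def simple_bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Encode what `ldapwhoami -x -D <dn> -w <password>` puts on the wire."""
    op = _integer(3) + _tlv(OCTET_STRING, dn.encode()) + _tlv(AUTH_SIMPLE, password.encode())
    return _tlv(SEQUENCE, _integer(msg_id) + _tlv(APP_BIND_REQUEST, op))


def sasl_bind_request(msg_id: int, mechanism: str, token: bytes) -> bytes:
    """Encode a SASL bind; for GSSAPI the token is a Kerberos AP-REQ, not a password."""
    creds = _tlv(OCTET_STRING, mechanism.encode()) + _tlv(OCTET_STRING, token)
    op = _integer(3) + _tlv(OCTET_STRING, b"") + _tlv(AUTH_SASL, creds)
    return _tlv(SEQUENCE, _integer(msg_id) + _tlv(APP_BIND_REQUEST, op))


@dataclass
class BindInfo:
    message_id: int
    name: str
    method: str                # "simple" or "sasl"
    mechanism: Optional[str]   # SASL mechanism name, None for simple binds
    cleartext_password: bool   # True when the PDU itself carries the password


def parse_bind_request(pdu: bytes) -> Optional[BindInfo]:
    """Decode one LDAPMessage; return None if it is not a BindRequest."""
    tag, message, _ = _read_tlv(pdu, 0)
    if tag != SEQUENCE:
        return None
    tag, mid, pos = _read_tlv(message, 0)
    if tag != INTEGER:
        return None
    tag, op, _ = _read_tlv(message, pos)
    if tag != APP_BIND_REQUEST:
        return None
    message_id = int.from_bytes(mid, "big", signed=True)
    _, _version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    tag, auth, _ = _read_tlv(op, pos)
    if tag == AUTH_SIMPLE:
        # Empty credentials mean an anonymous/unauthenticated bind; anything
        # else is the user's password, readable by anyone on the path unless
        # TLS is wrapped around the connection.
        return BindInfo(message_id, name.decode(), "simple", None, len(auth) > 0)
    if tag == AUTH_SASL:
        _, mech, _ = _read_tlv(auth, 0)
        return BindInfo(message_id, name.decode(), "sasl", mech.decode(), False)
    return None


def audit(pdus: List[bytes]) -> List[str]:
    """One finding per bind that would hand a password to the network."""
    findings = []
    for pdu in pdus:
        info = parse_bind_request(pdu)
        if info and info.cleartext_password:
            findings.append(
                f"msg {info.message_id}: simple bind as {info.name!r} sends the password in the clear"
            )
    return findings


if __name__ == "__main__":
    # Constructed sample PDUs; the DN, password and token are made up.
    simple = simple_bind_request(1, "uid=wouter,ou=people,dc=squirrel", "hunter2")
    gssapi = sasl_bind_request(2, "GSSAPI", b"\x60\x06\x06\x04made-up")
    print(b"hunter2" in simple)    # True: the password sits byte-for-byte in the PDU
    print(b"hunter2" in gssapi)    # False: only a mechanism name and a ticket-based token
    for line in audit([simple, gssapi]):
        print(line)
```

The parser deliberately treats an empty simple credential as not leaking anything, since that is an anonymous or unauthenticated bind; the interesting case for the thread is a non-empty one, which is exactly what pass-through authentication with `{SASL}username@realm` relies on and what a GSSAPI bind avoids.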