[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Pass-Through authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 15/11/2010, at 23:04, Paulo Jorge N. Correia (paucorre) wrote:
> 
> # Hernani Correia, Users, cisco.com
> dn: CN=Paulo Correia,CN=Users,DC=consolidated,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> cn: Hernani Correia
> sn: Correia
> givenName: Hernani
> userPassword: {SASL}Paulo.Correia@cisco.com
> userPrincipalName: Paulo.Correia@cisco.com
> mail: Paulo.Correia@cisco.com
> 
> # Hernani Correia, Users, cisco.com
> dn: CN= William Brown,CN=Users,DC=consolidated,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> cn: William Brown
> sn: Brown
> givenName: William
> userPassword: {SASL}William.Brown@mit.edu
> userPrincipalName: William.Brown@mit.edu
> mail: William.Brown@mit.edu
> 
> I need to bind based on the domain not a single bind in SASL.
> 
> Can you help ?

Its good to know for sure what you wanted to do. 

Jonathan seemed to have a solution for you.

My answer is to stop using AD as LDAP for authentication, and start treating them as KDC's. 

For example on my own server, I have multiple KDC's listed, for users, as in your situation, and each user works.

uid=william,ou=Users
userPassword: {SASL}william@CHOCOLATE.LAN

uid=michael,ou=Users
userPassword: {SASL}michael@CONCRETE.LAN


In my setup i have in slapd.conf (the sasl slapd.conf)

pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

Then i launch saslauthd with '-a kerberos5' , and there should be a relevant option for this on your distribution of choice.

Finally, i configure my servers krb5.conf (generally /etc/krb5.conf). Default settings are fine for this to use a AD kdc

this is my AD krb5 centre


[realms]
    CHOCOLATE.LAN = {
        kdc = beatrice.chocolate.lan
        }
[domain_realm]
	.firstyear.id.au = CHOCOLATE.LAN

Then, the @REALM attribute on userPassword will respect the relevant KDC (or in this case ADDC) of choice for a user.

Note: Yes, my home krb5 and ldap are chocolate.lan. I couldnt be bothered accessing my work servers. 

> 
> Paulo
> 
> 
> 
> -----Original Message-----
> From: Indexer [mailto:indexer@internode.on.net] 
> Sent: Monday, November 15, 2010 11:44 AM
> To: Paulo Jorge N. Correia (paucorre)
> Cc: openldap-technical@openldap.org
> Subject: Re: Pass-Through authentication 
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> On 15/11/2010, at 04:59, Paulo Jorge N. Correia (paucorre) wrote:
> 
>> Hi all,
>> 
>> I'm just starting with openLDAP and saslauth, and I'm trying to 
>> replicate what I can achieve with ADAM/AD LDS in Windows platform.
>> 
>> 
>> 
>> I'm trying to use openldap to aggregate user information from several 
>> AD servers under different forests.
>> 
>> 
>> 
>> So single point of contact from an LDAP perspective for an 
>> organization, and then openldap should pass-through the authentication
> 
>> request that receives to the AD DC of the respective user.
>> 
>> 
>> 
>> This works well with saslauthd for a single domain, but if I need to 
>> do this with multiple domains, I don't know how to configure
> saslauthd.
> 
> Windows, and AD utilise kerberos. Just treat your AD servers as KRB5
> realms, and it works. both MIT and Hemidal can work with this, so
> following the passthrough instructions for these will work
> 
> Alternatively, you can use AD as an ldap server, but it follows much the
> same principals.
> 
> http://www.openldap.org/doc/admin24/security.html
> 
> 
> 
>> 
>> 
>> 
>> Can someone help ?
>> 
>> 
>> 
>> Thank you,
>> 
>> Paulo
>> 
> 
> William Brown
> 
> pgp.mit.edu
> 
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.14 (Darwin)
> 
> iQIcBAEBAgAGBQJM4R0OAAoJEHF16AnLoz6JlK8QAK0YtQX1y6J/yH1dq36zyr0x
> p6gA7j6/pWwqzspUcC5srESejrx76Yn9wGOGku3epCu4QwcEtx9MOVPdhmBT9hCk
> wXUnvP+4ePpo2wAMvrrkv+K0FfNbAQVJt44zGzrGxRrfSVPqkU+B0nsFYCbxjUF0
> NHS3p+XRftqnQNOnsH3aNgB5HDnA5romlq3ikdSyUQRIZpt+BD7ueu07BVG5qhFN
> 6L/rT8JfLI2X/Liw70LeZg1XifZDyOMXfbaj84Q6JeyObdQidPYXKev9Nlm5CDt/
> qOh1ZYTPoUuz7oLRjjNEnHXXiSeGB3DeHxoY+wsgnNd9AnLPKHn4xxFz65DQAUva
> LtJxxFpVOE4uTCTx+Sl58v3qfn87CtxX/EdHw1th25E3L+zh3LCfVG9uRApbwYeI
> Sb7BH8N7varUnrm1ZoqSZ1EO31jrBNjfqOwXMs7jLJBLlEobPUuX3mk5TehgyrD8
> 0zLPbaVIzN5Dq/PTG7pT27D/9ABbqTGr0lpridxyDQSzPrBP4Pvx6EdmxqDbuY3n
> jDW7F3Xixxg0gPoi+/5A9XO7x0nf3TUnV4s9n3gFiRMAAQWs3gks7kgup/+1Rv7k
> NvDoA7D1j3oaxd2/o+moHRA9Ko7xY5NqJuyJVXRUdKFwiohxN+t1mlsqF4X3oFTv
> xGxKYpsUBdZMKHONbA7v
> =X3CH
> -----END PGP SIGNATURE-----

William Brown

pgp.mit.edu



-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.14 (Darwin)

iQIcBAEBAgAGBQJM4S6eAAoJEHF16AnLoz6JXggQAL2visI6hJ4Aqx2gW8NQ9pUn
9CZ3oBPJdaBYQvrnLyqAjGQYZ7fUsYrypuYZMTGVD0mWSfhzs7KT0FIhHAEPuGiu
rdH3bfQFb/kkRn2GST2q6rf5DThOZBVLE9jIkGtTnJlHhF/h9lP0WDnKguxsYYaX
WuPropxzq5V947sEPGWQC7cAwSTlrcrfhlDjBiOWrXj11SAryE3HRFhZKNz6A/hu
wajxBGxAPpKFtw0vPczMIzlbWi/wi7TmcudWHd5ce+LRy7YMJ6ndgKWd/4O2ReNi
zIX/flzAupmCYDXD4Y9zhVotOo1jBN7Iv4V2I63vxq/uxdMihHhNIwtSOnP5EHuq
VBOEJZz9dnJl7IOC8pwtwX0vdpOV7G4Wr6d3R0OQoE2bUGrNBNGKwPBG5gkiQN4v
Uv/OrDJ07+PKSQ+g0CE8iubtyhnX2neU1QTDjZ3PPGkG+l1dyrGp6juv2NfAD5N+
Jlsg5xuxqTbJ+/1mm4szwJEqHrCFBNEeWblCagPdVWVb7x3I7fNpSKCeZgVqC7P4
OWkst3bUY6Ebk6q3qg2B/AQ1snp0EFE9FcqFG+0VQK9KvnRwV6/RTcy05/7fQg+g
7wNdL2VBb/9pYuFi9r23IFuOCkCpu1UJIHTeOCbK2N+RmFQHiGPWOp11LEyVZTRk
j2WQWYQWWbltqAe5jVnO
=zd2D
-----END PGP SIGNATURE-----