[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos with LDAP backend: password sync

To: Nick Milas <nick@eurobjects.com>
Subject: Re: Kerberos with LDAP backend: password sync
From: Dan White <dwhite@olp.net>
Date: Fri, 22 Jul 2011 14:19:44 -0500
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <4E29BB59.90907@eurobjects.com>
References: <4E274B2E.7080205@eurobjects.com> <20110720215205.GH5855@dan.olp.net> <4E27BE40.4000908@stroeder.com> <4E27DC7A.4030001@eurobjects.com> <20110721192356.GA5077@dan.olp.net> <4E29BB59.90907@eurobjects.com>
User-agent: Mutt/1.5.21 (2010-09-15)

On 22/07/11Â21:03Â+0300, Nick Milas wrote:

On 21/7/2011 10:23 ÎÎ, Dan White wrote:
A simpler approach, and one that works with non-SASL binds, would be to
configure pass-through authentication and perform saslauthd/kerberos5
authentication. As users change their passwords (against your kerberos
server, via some unspecified process), you could replace theiruserPasswordentries with {SASL}user@realm (as described in the Admin guide) anddo away
with hashed password entries altogether.
If I follow this model, according to the documentation:

  "Where an entry has a "{SASL}" password value, OpenLDAP delegates
  the whole process of validating that entry's password to Cyrus SASL."
Supposing that we configure SASL to use Kerberos5 authentication,will our current standard applications (Postfix, Dovecot, Shibboleth,Apache etc.) need to be configured to include GSSAPI SASL method?


No. However if Postfix, or other daemons which link against cyrus sasl,
happens to be using saslauthd to authenticate users, then changing
saslauthd to use the kerberos5 backend will affect how those daemons
authenticate users as well. If that's the case, you could run two saslauthd
daemons, each with their own backend, which will require a custom
saslauthd_path configuration in one of your sasl .conf files.

If your intention is to eventually authenticate directly to slapd/postfix
using SASL GSSAPI binds (rather than simple pass-through binds),
then you can 'turn on' GSSAPI piecemeal wise in each of your daemons (with
your mech_list config).

As an example, Postfix uses Dovecot SASL to authenticate clients(PLAIN method), and is configured to check their identity/passwordagainst LDAP (User+Password - No SSL here because it's running on thelocal box). I guess Postfix will need to include GSSAPI to SASLmethods ?


Since your Postfix is compiled again Dovecot, any changes made to saslauthd
should not affect Postfix. The fact that Postfix uses Dovecot to
authenticate, against OpenLDAP, which in turn potentially authenticates
against saslauthd/kerbero5 should all be transparent to Postfix and
Dovecot.

In effect: Authentication for a user (hosted in LDAP) will fail in anapplication which (uses LDAP for user/password backend and) is notSASL-enabled or it is SASL-enabled but does not include/support theGSSAPI method, if the user has a "{SASL}user@realm" userPasswordattribute value?


pass-through authentication only works with non-sasl binds. Any process
which authenticates to your slapd server via this method should be ignorant
of the fact that sasl is ultimately being used on the backend, and does not
need to support SASL itself.

If you have a client authenticating against slapd/postfix using SASL GSSAPI
binds, the userPassword entry is ignored.

--
Dan White

References:
- Kerberos with LDAP backend: password sync
  - From: Nick Milas <nick@eurobjects.com>
- Re: Kerberos with LDAP backend: password sync
  - From: Dan White <dwhite@olp.net>
- Re: Kerberos with LDAP backend: password sync
  - From: Michael Ströder <michael@stroeder.com>
- Re: Kerberos with LDAP backend: password sync
  - From: Nick Milas <nick@eurobjects.com>
- Re: Kerberos with LDAP backend: password sync
  - From: Dan White <dwhite@olp.net>
- Re: Kerberos with LDAP backend: password sync
  - From: Nick Milas <nick@eurobjects.com>

Prev by Date: Re: Kerberos with LDAP backend: password sync
Next by Date: retry: counter not reaching zero, continuing on
Index(es):
- Chronological
- Thread