[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP (v1.2.11), Kerberos (MIT Krb5, v1.2.1) and client software

On 25 Jan 2001, Turbo Fredriksson wrote:

> I've  been having OpenLDAP/PAM  authentication for  about a  year now,
> with  very little trouble  (every now  and then  the server  dies, and
> replication isn't so auto magic I'd hoped for).
> I am now on the verge of the next big step, KERBEROS!
> What   i   would   like,  in   the   end,   is   to  have   all   this
> (OpenLDAP/Kerberos/QmailLDAP etc) as one.  That is, not two passwords,
> but one...
> Kerberos  between  the  OpenLDAP  master/replicas, kerberos  from  the
> client  machines (using pam_ldap)  to the  OpenLDAP database,  and the
> possibility to  have a 'single-sign-on' kind'a  system (using Kerberos
> tickets).
> That  is, _ALL_  communication  to the  OpenLDAP  database should  use
> Kerberos.    That    include    QmailLDAP/Controls   doing    kerberos
> authentication/encrypted communication to the OpenLDAP server.

- I have no idea how the Qmail stuff works, but I did do this
with sendmail and the older version of kerberos 4 authentication.
If you don't design it in from the beginning, you'll have
problems. There's some stuff that you need to put around the ldap
api to get a kerberos authentication that is workable. At a
minimum you need to tell it where the tgt cache is, you can do
this via env variables. That might alot more workable in the Qmail
way of doing things than in the sendmail way.

> Preferably the 'kerberosSecurityObject' objectclass (with the attribute
> 'krbName') should somehow be used in all this to...

- My understanding of how this works is that the ldap server
  takes the principal in the kerberos service ticket and compares it
  to the principals listed in krbName. This is a low budget way
  to create authority groups, multiple krbNames mapped to a
  single ldap DN. However, this knowledge is based on the older
  UMich kerberos code. It may not work the same with the newer
  SASL based code.

> * First question: IF I recompile OpenLDAP '--with-kerberos', how is the
>   kerberos authentication/encryption done? Is it up to the client software
>   to do the kerberos init?

- Yes, you have to have a valid kerberos tgt before any of the ldap
  GSSAPI sasl calls will work. For deamons this means that you need
  to have something that will manage the tgt. My approach has been to
  put the minimum possible(i.e. where is my tgt?) in the deamon and
  use an external deamon to manage keeping the tgt up to date.

> * Second question: How do I combine OpenLDAP with (MIT) Kerberos?

- What you really should be asking is

	How do I combine OpenLdap with Cyrus SASL?

  Once you do that the kerberos bit comes automagically if you've
  configured cyrus sasl correctly.

> * Third question: How do I make my client machines (from/via PAM I suppose)
>   to use kerberos to the LDAP database?

- If you have kerberos and PAM, you don't need to use ldap to
login. Kerberos alone will handle the authentication[1] part. You
may want to use ldap for authorization[2], but it's not needed
for authentication.

> * Fourth question: Since I'm doing round-robin to the LDAP database
>   (currently only one master, and one replica but more replicas are planned),
>   would that somehow disturb the 'Kerberos ticketing stuff' (sorry for the
>   use of a bad word, but I'm just starting to learn about 'this Kerberos stuff'
>   :).

- If I understand you correctly, no. Kerberos ticketing stuff
  should not cause any problems in replication. If you want to
  use kerberos for securing the replication, there's a fair bit
  of stuff you need to twiddle to keep tgt's and such active.
  I'm not sure how complete OpenLdaps's support for doing this

> Anything else that I might have overlooked, or should study closer? Is there
> some kind of (mini/micro) HOWTO/FAQ that I can take a look at to understand
> the issue(s) better?

- No, documentation for all this stuff is very minimal. I would
suggest that you start at the Cyrus SASL documentation and the
docs that come with MIT kerberos. The Ldap V3 spec is remarkly
vague about how SASL is supposed to work in ldap. I think there
have been a couple followup RFC's that attempt to put some
specifics in. You should check those as well.

- Booker C. Bense

[1]- Authentication is "Who are you?"

[2]- Authorization is "What can you do?"