RE: Kerberos and LDAP account creation
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Anthony Brock
> A question for the Kerberos - SASL - LDAP integration specialists out there.
> Does LDAP have any provision for synchronizing creation/deletion of
> accounts? Specifically, if I need to add and delete 400-500 students every 2
> or 3 months, do I have to make direct calls to BOTH the Kerberos AND the
> LDAP servers, or can I automate the creation and deletion as I add and
> delete the accounts within LDAP?
If you have a choice of Kerberos packages, I recommend using Heimdal with
its LDAP backend. This is the preferred configuration that we at Symas have
been deploying for our customers. With this setup the Kerberos KDC's account
database is stored in LDAP, so there is no separate synchronization step
required. It's a little tricky to get everything built properly because there
is a circular dependency in the libraries. (OpenLDAP depends on SASL, SASL
depends on KRB5, and KRB5 depends on OpenLDAP...) However, after you get
past this hurdle it all works pretty well. Deployment pretty much requires
that the KDC and the master LDAP server are co-resident on one machine,
using the ldapi (Unix domain socket) method. Otherwise the overhead gets a bit
high. Also, if you have the KDC and slapd on separate machines, you need to
secure the connection between them. I don't think it's a good idea to use
SASL/GSSAPI for that purpose, although TLS and SASL/EXTERNAL should be OK.
(Think of the sequence of transactions - user does kinit, asks KDC for TGT.
KDC contacts slapd to look up user. If you're trying to use SASL/GSSAPI
here, that means the KDC has to ask itself for a service ticket to contact
slapd, which is a bit weird. I don't recall if the Heimdal KDC is re-entrant
in this
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
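As an added illustration, not part of Howard's message or of Heimdal's or OpenLDAP's own documentation, here is roughly what the co-resident KDC/slapd setup he describes looks like in configuration: Heimdal's [kdc] database section pointing at slapd over ldapi, and slapd.conf access controls that give the KDC process (bound as root via SASL/EXTERNAL peer credentials on the Unix socket) the only access to the Kerberos key attributes. The suffix dc=example,dc=com, the ou=KerberosPrincipals container, the file paths and the bdb backend are assumptions.

```conf
# --- /etc/krb5.conf (Heimdal): the KDC keeps its principal database in slapd ---
# Assumed values: suffix dc=example,dc=com, container ou=KerberosPrincipals, paths.
[kdc]
    database = {
        # hdb-ldap backend; "ldap:" prefix selects it, the DN is the container
        dbname = ldap:ou=KerberosPrincipals,dc=example,dc=com
        # reach slapd over the Unix domain socket, as in the message above
        hdb-ldap-url = ldapi:///
        # structural class given to entries kadmin creates in LDAP
        hdb-ldap-structural-object = inetOrgPerson
        mkey_file = /var/heimdal/m-key
        acl_file  = /var/heimdal/kadmind.acl
    }

# --- /etc/openldap/slapd.conf fragment (assumed paths) ---
# hdb.schema ships with Heimdal and defines the krb5* attributes and classes.
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/hdb.schema

database bdb
suffix   "dc=example,dc=com"
rootdn   "cn=Manager,dc=example,dc=com"

# On ldapi, slapd maps the peer's uid/gid to this DN when the client binds
# with SASL/EXTERNAL; uid 0 / gid 0 is the KDC and kadmind running as root.
# Key material is writable by the KDC only and invisible to everyone else.
access to attrs=krb5Key,krb5KeyVersionNumber,krb5KDCFlags
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by * none

# The rest of the principal entries: KDC writes, ordinary clients may read.
access to dn.subtree="ou=KerberosPrincipals,dc=example,dc=com"
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" write
        by * read
```

With this in place, a principal created through kadmin appears as an LDAP entry under the container, so the student add/delete run described in the question touches one directory rather than two databases.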