
RE: kpasswd



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Allan Streib

> On Thursday, October 16, 2003, at 01:34 PM, Kurt D. Zeilenga wrote:
>
> > Like {KERBEROS}, {SASL} does not require clients to have support
> > for SASL nor Kerberos.
>
> Well that sounds interesting.  I went back through the archives and
> looked for {SASL}, and also checked in the doc/ directory of the
> openldap source distribution (found nothing there...).
>
> I gather from what I've read in the archives that I would need to run
> saslauthd on the ldap server (with the '-a kerberos5' option ??), and
> then set the appropriate userPassword attribute value to
> {SASL}principal ??  Is there more to it, or did I miss some docs
> elsewhere?

That's all there is to it.

The better way to do this is to use a Heimdal KDC that uses LDAP for its
backing store. In terms of computing overhead, this is the most efficient
because it doesn't require the creation of a useless ticket during an LDAP
Simple Bind. (The KDC must store the user's Kerberos key in
userPassword:{KRB5KEY}xxxxxx, and the slapd must have Krb5Key_check/hash
routines that perform the proper string_to_key hash for Bind comparison.)

The current {KERBEROS} scheme has a lot of overhead because the slapd
essentially performs a kinit on behalf of the user, generating a TGT which
must be disposed of. The same is true of {SASL} when saslauthd is plugged
into Kerberos, except that saslauthd is the process with all the extra
tickets lying around. Neither of these schemes works well for a heavily
accessed slapd, while the approach I outlined above is extremely fast.

Also, there is no special support for multiple ticket caches, so if you
happened to be running slapd with its own ticket, that ticket will be trashed
when a Simple Bind using {KERBEROS} password occurs.

Basically, if your site truly has a use for Kerberos, then the {KERBEROS}
scheme is going to bite you, one way or another.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
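As an added illustration of the Krb5Key_check/hash idea described above (this is example code written for this page, not code from the list, OpenLDAP, or Heimdal): the Simple Bind password is run through the Kerberos string_to_key function and compared with the key already stored in userPassword, so no TGT is ever requested or disposed of. The message does not say which enctype the {KRB5KEY} value holds (it shows only xxxxxx), so this example assumes arcfour-hmac-md5, whose string_to_key (RFC 4757) is MD4 over the UTF-16LE password and needs no crypto library, and assumes the key is stored hex-encoded; both are assumptions of the example. A real enctype-aware check would also carry the enctype and salt alongside the key.

```python
"""Illustration of a {KRB5KEY}-style Simple Bind check: derive the Kerberos key
from the presented password with string_to_key and compare it to the stored key.
Added example, not OpenLDAP or Heimdal code.  Enctype and storage format are
assumptions (see the comments below)."""
import hmac
import struct

_MASK = 0xFFFFFFFF
SCHEME = "{KRB5KEY}"


def _lrot(x: int, n: int) -> int:
    x &= _MASK
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 (RFC 1320), written out because hashlib's md4 is frequently
    unavailable under OpenSSL 3 without the legacy provider."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, per-step shifts, message-word order) per round
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _lrot(a + fn(b, c, d) + X[idx] + k, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the register roles for the next step
        a, b, c, d = (a + aa) & _MASK, (b + bb) & _MASK, (c + cc) & _MASK, (d + dd) & _MASK
    return struct.pack("<4I", a, b, c, d)


def arcfour_string_to_key(password: str) -> bytes:
    """RFC 4757 section 3: K = MD4(UNICODE(password)).  arcfour-hmac-md5 uses no
    salt and no iteration count, so nothing else is needed (assumed enctype)."""
    return md4(password.encode("utf-16-le"))


def krb5key_hash(password: str) -> str:
    """What the KDC (or a password-change path) would write into userPassword.
    Hex encoding of the 16 key bytes is an assumed convention for this example."""
    return SCHEME + arcfour_string_to_key(password).hex()


def krb5key_check(stored: str, password: str) -> bool:
    """Bind-time comparison: derive the key from the presented password and
    compare it in constant time.  Malformed or foreign-scheme values fail closed."""
    if not stored.startswith(SCHEME):
        return False
    try:
        expected = bytes.fromhex(stored[len(SCHEME):])
    except ValueError:
        return False
    return len(expected) == 16 and hmac.compare_digest(
        expected, arcfour_string_to_key(password)
    )


if __name__ == "__main__":
    # Constructed sample entry, as the KDC would have stored it.
    entry = {"uid": "jdoe", "userPassword": krb5key_hash("correct horse")}
    print(entry["userPassword"])
    print("good password:", krb5key_check(entry["userPassword"], "correct horse"))
    print("bad password: ", krb5key_check(entry["userPassword"], "Correct horse"))
```

Because the stored value is the user's actual long-term Kerberos key rather than a salted, slow hash, it is password-equivalent to the realm and must be protected by slapd ACLs at least as tightly as any other userPassword value.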