[Date Prev][Date Next] [Chronological] [Thread] [Top]

Antwort: Simple binds authenticating against Kerberos [Virus checked]

>But lets say the person just does a simple bind to LDAP.  Is there a way to tell OpenLDAP to use than username and password against Kerberos to see >if it is valid?  It seems the OpenLDAP manual parts that I've seen don't seem to address this (to my understanding).

Documentation for this is indeed badly lacking, but I happen to have done it recently, so let's document it here. :-)
In fact there are (at least) two ways to do it. First is by declaring the userPassword to be "{KERBEROS}<principal@REALM>". I have NOT tried this, but from what I read in openLDAP lists, openLDAP developers dislike this method, nobody wants to maintain it, and the corresponding code is therefore disabled by default, and may even be phased out in the future.

Second possibility is to use SASL/GSSAPI. This means that you need to get LDAP+SASL/GSSAPI + Kerberos working first. I'm not going to document all the details here, but it generally goes as:

1) get the LDAP working with simple bind
2) get the LDAP working with simple bind over secure connection.

Vincent Danens documentation on MandrakeSecure.net is quite helful in this part.

3) Get the kerberos working. If you can do "kinit", and use some kerberised service, you are doing fine.4) Get the LDAP working with SASL/GSSAPI. You'll know that it works well when things such as "ldapwhoami" work correctly.
Personally I experimented by letting EVERYONE read the LDAP tree first, and then finally assured that kerberos principals get associated to right LDAP users by adding a simple "sasl-regexp" entry in the slapd.conf file.

Up to now, all these steps are (more-or-less) well documented, and I presume you got the system working so far. Now comes the funny, and not very well documented part:

1) saslauthd: This is a demon that takes username/password combination on the one side, checks them against (in our case) kerberos server, and gives back a "OK/not OK" type of response to program that requested the auth. check in the first place.
2) openLDAP is able to "forward" the authentication requests to saslauthd.

Configuration looks like this:

* In LDAP tree, you have to set "userPassword" entries to:


* saslauthd must be started with "kerberos5" as authentication mechanism. In Mandrake Linux (and probably in RH too), this means defining the

        SASL_AUTHMECH="kerberos5" in /etc/sysconfig/saslauthd

(Defining a SASLAUTHD_OPTS="-c"  may help with the performance, but can be done later)

* Finally, you also need a /usr/lib/sasl2/slapd.conf file with

        pwcheck_method: saslauthd

Disclaimer: I'm still experimenting with this, haven't fully documented the procedure yet, and have major performance and reliability problems at this moment, but to the best of my knowledge that's all you need to get simple bind against kerberos DB once the SASL/GSSAPI binds work correctly.

hope this helps