[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Antwort: Simple binds authenticating against Kerberos [Virus checked]

>-----Original Message-----
>From: owner-openldap-software@OpenLDAP.org
[mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
>>But lets say the person just does a simple bind to LDAP.  Is there a way to
>>OpenLDAP to use than username and password against Kerberos to see
>>if it is valid?  It seems the OpenLDAP manual parts that I've seen don't
seem to
>> address this (to my understanding).
>Documentation for this is indeed badly lacking, but I happen to have done it
>so let's document it here. :-)

It is not documented because this practice is discouraged.

>In fact there are (at least) two ways to do it. First is by declaring the
>to be "{KERBEROS}<principal@REALM>". I have NOT tried this, but from what I
read in
>openLDAP lists, openLDAP developers dislike this method, nobody wants to
maintain it,
>and the corresponding code is therefore disabled by default, and may even be
phased out
>in the future.

Correct. The code for this has been migrated out of the core OpenLDAP
libraries and into the contrib section, where it will hopefully die an
ignominious death.

>Second possibility is to use SASL/GSSAPI. This means that you need to get
>LDAP+SASL/GSSAPI + Kerberos working first.

There is nothing to be gained from getting SASL/GSSAPI working when your goal
is to perform Simple Binds. The two code paths are completely different;
having one work gives you absolutely zero guarantee that the other will work.

Aside from that caveat, the following description appears accurate.

>Up to now, all these steps are (more-or-less) well documented, and I presume
you got the >system working so far. Now comes the funny, and not very well
documented part:
>1) saslauthd: This is a demon that takes username/password combination on
the one side, >checks them against (in our case) kerberos server, and gives
back a "OK/not OK" type of >response to program that requested the auth.
check in the first place.
>2) openLDAP is able to "forward" the authentication requests to saslauthd.
>Configuration looks like this:
>* In LDAP tree, you have to set "userPassword" entries to:
>         {SASL}<principal>@<REALM>
>* saslauthd must be started with "kerberos5" as authentication mechanism. In
>Linux (and probably in RH too), this means defining the
>        SASL_AUTHMECH="kerberos5" in /etc/sysconfig/saslauthd
>(Defining a SASLAUTHD_OPTS="-c"  may help with the performance, but can be
done later)
>* Finally, you also need a /usr/lib/sasl2/slapd.conf file with
>        pwcheck_method: saslauthd
>Disclaimer: I'm still experimenting with this, haven't fully documented the
>yet, and have major performance and reliability problems at this moment, but
to the best
>of my knowledge that's all you need to get simple bind against kerberos DB
once the
>SASL/GSSAPI binds work correctly.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support