[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Kerberos + LDAP + Cyrus-SASL woes

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Adam Tauno

> > What we have so far:
> > 	A working LDAP server that we can bind to and query.
> > 	A working kerberos KDC that is issuing tickets.
> > 	A PAM setup that has moved the UNIX authentication
> >      (/etc/passwd) into LDAP.
> >
> > The final product would provide central user authentication (the
> > Kerberos KDC) and user account management (LDAP), thus
> providing many of
> > the services of a Windows Active Directory server.

There is far more required than this if you actually want to replace AD.

>  What we
> are stuck on
> > is not so much a configuration or software issue as it is a
> conceptual
> > snag.  Where should Kerberos tickets (and possibly keytabs)
> be stored to
> > interoperate with LDAP?  How is LDAP supposed to contact the KDC and
> > receive a ticket?

An LDAP server never needs to request a ticket. Only clients need tickets. An
LDAP client would use SASL/GSSAPI in this case, which obtains a service
ticket automatically.

> The LDAP server must have a service ticket in it's keytab.
> That keytab can be wherever you want; it is specified in slapd.conf.

A keytab stores keys, not tickets. The difference is quite significant; a
ticket is a short-lived piece of authentication data, a key is long-lived and
is the equivalent of a plaintext password (and must be protected as well as a

> Perhaps you should look at Heimdal, where you can store the principal
> database in the DSA itself.

Agreed. Symas can provide you with a Heimdal build fully integrated with our
OpenLDAP build.

> > Is the user supposed to run kinit -f upon login?

> Eh?  PAM can acquire the tickets on behalf of the user, when
> then enter
> via login, xdm, gdm, etc...  The pam_krb5 module does this by default.


> You should ask questions about various services on lists specific to
> those services (admittedly the delineation of the various
> components can be a bit tough to grasp at first).
> > Our company, the OIC Group, is looking for someone who really knows
> > Kerberos and LDAP inside and out, and is willing to lend a
> hand, either
> > as a consultant, or a contract system administrator.  OIC
> is willing to
> > pay for services rendered.  Our only requirement is that the working
> > implementation / configuration be well-documented for
> future reference.
> > Any help / direction / guidance is greatly appreciated.

Symas Corp. offers consulting/support in this area. We've done significant
amounts of the development in all of these technologies over the years, and
our expertise is second-to-none.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support