[Date Prev][Date Next]
RE: Kerberos + LDAP + Cyrus-SASL woes
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Adam Tauno
> > What we have so far:
> > A working LDAP server that we can bind to and query.
> > A working kerberos KDC that is issuing tickets.
> > A PAM setup that has moved the UNIX authentication
> > (/etc/passwd) into LDAP.
> > The final product would provide central user authentication (the
> > Kerberos KDC) and user account management (LDAP), thus
> providing many of
> > the services of a Windows Active Directory server.
There is far more required than this if you actually want to replace AD.
> What we
> are stuck on
> > is not so much a configuration or software issue as it is a
> > snag. Where should Kerberos tickets (and possibly keytabs)
> be stored to
> > interoperate with LDAP? How is LDAP supposed to contact the KDC and
> > receive a ticket?
An LDAP server never needs to request a ticket. Only clients need tickets. An
LDAP client would use SASL/GSSAPI in this case, which obtains a service
> The LDAP server must have a service ticket in it's keytab.
> That keytab can be wherever you want; it is specified in slapd.conf.
A keytab stores keys, not tickets. The difference is quite significant; a
ticket is a short-lived piece of authentication data, a key is long-lived and
is the equivalent of a plaintext password (and must be protected as well as a
> Perhaps you should look at Heimdal, where you can store the principal
> database in the DSA itself.
Agreed. Symas can provide you with a Heimdal build fully integrated with our
> > Is the user supposed to run kinit -f upon login?
> Eh? PAM can acquire the tickets on behalf of the user, when
> then enter
> via login, xdm, gdm, etc... The pam_krb5 module does this by default.
> You should ask questions about various services on lists specific to
> those services (admittedly the delineation of the various
> components can be a bit tough to grasp at first).
> > Our company, the OIC Group, is looking for someone who really knows
> > Kerberos and LDAP inside and out, and is willing to lend a
> hand, either
> > as a consultant, or a contract system administrator. OIC
> is willing to
> > pay for services rendered. Our only requirement is that the working
> > implementation / configuration be well-documented for
> future reference.
> > Any help / direction / guidance is greatly appreciated.
Symas Corp. offers consulting/support in this area. We've done significant
amounts of the development in all of these technologies over the years, and
our expertise is second-to-none.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support