I am using SASL/GSSAPI
to
authenticate to Kerberos from OpenLDAP. I haven't
gotten that to work
yet.
To separate and
modularize some of these services, we have three
servers: A file server running Samba; A directory server running
OpenLDAP to provide personal and group identities; and an
authentication server running Kerberos (administered by another
group). Samba connects to OpenLDAP through smbldap-tools. And
OpenLDAP connects to the Kerberos server via SASL/GSSAPI.
When someone requests a Samba logon, Samba requests an LDAP bind, which
in turn should use SASL to authenticate via Kerberos.
The connection between Samba and OpenLDAP is working swell. It is the
Kerberos connection that has me flummoxed.
Simply put, OpenLDAP with SASL2 and GSSAPI support will be running
on
one server, while the Kerberos KDC will be running on another server.
I haven't found any documents that address this not-so-wacky design.
Almost all of the docs
I found presume that I am setting up the KDC on the same server at
OpenLDAP. In my case, the KDC is administered by another group who is
willing to grant me access to Kerberos. However, none of the docs I've
found offer help in setting up SASL/GSSAPI here and
the Kerberos server elsewhere.
So when a document
says, run kadmin.local, to generate a principle, that is not
available
to me. If I can ask specifically for what I want, I might be able to
convince the kerberos administrators to do it for me, but I have to be
pretty specific about what I want.
The docs I'm referring
to are
Cyrus SASL for
System Administrators
http://www.sendmail.org/~ca/email/cyrus/sysadmin.html
OpenLDAP 2.2
Administrator's Guide - Using SASL
http://www.openldap.org/doc/admin22/guide.html#Using%20SASL
In several documents, it was
suggested that before you try
connecting OpenLDAP to Kerberos that you test to make sure your
Kerberos configuration is working. That makes a lot of sense to me.
So I want to perform a series of checks, but I don't know what those
tests might be. Here's what I would like to test:
- Can I connect to the
Kerberos server directly? (kinit)
- Is direct
authentication to the Kerberos server working?
- Am I getting returned a
proper ticket? (klist)
- Is the keytab file on
my OpenLDAP server being recognized and accepted by the Kerberos server?
- Is my machine being
authenticated as a principle? Does it need to be?
- How do I test SASL2
before getting OpenLDAP involved?
- After making changes to
my OpenLDAP config, how do I test the Kerberos connection through
OpenLDAP?
Do you have any pointers
here?
This project has been
delayed weeks and weeks while I climb and climb
up Samba, OpenLDAP, and Kerberos' very steep learning curve. So your
prompt response will be hugely helpful.
Thanks in advance,
Wes
Specifics of my configuration:
- OS: Red Hat Enterprise
4 v2.6.9
- OpenLDAP v2.2.13
- Local MIT Kerberos5
v1.3.4
- KDC: MIT Kerberos5 v?
- Cyrus SASL v2.1.19
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
|