Re: Openldap, kerberos backend, and SASL

[Da Rock <rock_on_the_web@comcen.com.au>]

On Wed, 2009-03-04 at 11:15 -0800, Troy Knabe wrote:
> We are starting to work towards implimenting this very solution.  Is  
> there any documentation you have found to be particularly helpful?
> 
> Thanks
> -Troy
> 

Well for starters most of the howtos on the net are shoddy and appear
thrown together- even PADL. What concerns me is these sites show others
how to do things (by experts in some cases) and the security doesn't
appear as high a priority as it should be. PADL for instance recommend
opening the ldapi socket to any writes and changes in their ACL. In some
cases its simply a matter of "too hard to think further" on the issues.

The Heimdal docs are security conscious (naturally), but there is no
direct "howto" in there, and the references are very piecemeal and
appear incomplete (for instance they use hdb.schema, and say its in the
source code- which source? Openldap or Heimdal? At any rate I couldn't
find it in either. PADL have a similar problem with krb5-kdc.schema).

Openldap has a good documentation project, but they have no idea of the
Heimdal implementation (not to blame with Heimdal not even sure either).
References on SASL and ACLs are very good, but one needs to really
understand what is really happening first (I didn't know too much about
directory services and have only studied and learnt on my own)- perhaps
some more examples (in a separate document maybe?) of what a newbie
could understand (use figures- makes more sense that way. Screenshots,
diagrams...) of what ldap is and does/is capable of?

Unless you really sat down (as a complete and utter greenhorn) and read
between the lines like I did you'd never understand that ldap can handle
several directories/database simultaneously with different access
controls etc.

I like the documentation project you have running and if I can get the
time (once I master this beast!) I'd like to help here.

I have digressed here, but in short outside of your own docs and Heimdal
I don't think any material on the net is really useful at all. Everybody
claims to be an expert, but haven't offered that level of advice.
Everyone who is an expert has kept very tight lipped on something which
is obviously a security risk and a money spinner for their own
interests. Perhaps instead we should compare notes and implement it
ourselves?

> 
> On Mar 4, 2009, at 2:30 AM, Da Rock wrote:
> 
> > Sorry to barge in straight away with a question like this, but my time
> > is running out and I have not been able to get a straight answer out  
> > of
> > google.
> >
> > I'm going through the hypotheticals for using ldap as the backend for
> > kerberos, and I've hit a chicken and egg problem with SASL- can  
> > someone
> > untangle my mind?
> >
> > IF kerberos is using ldap as a backend store for keys, users, etc, and
> > one can set the rootdn and leave the rootpw for later entry in the
> > database itself, and the password can use SASL auth- what happens if  
> > you
> > use kerberos as the auth mechanism?
> >
> > According to the book, slapd needs to set up the access to the key  
> > from
> > startup, and kerberos in this scenario will need ldap up to provide  
> > the
> > key. Is ldap up enough that kerberos can provide this? Or does ldap
> > retry or something so that this problem is overcome?
> >
> > Thoughts?
> >
> > Cheers
> >
>