[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticate to ldap using Kerberos

To: openldap-technical@openldap.org
Subject: Re: Authenticate to ldap using Kerberos
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Wed, 08 Sep 2010 20:26:14 +0200
In-reply-to: <207bd0ddd5679c08fda7f7b3a0c606e5@squirrel-systems.com> (Wouter van Marle's message of "Wed, 8 Sep 2010 22:53:27 +0800")
References: <207bd0ddd5679c08fda7f7b3a0c606e5@squirrel-systems.com>
User-agent: Gnus/5.1008 (Gnus v5.10.8) XEmacs/21.5-b29 (linux)

Wouter van Marle <wouter@squirrel-systems.com> writes:

> Hi group,
>
> I have been fighting the whole day already for something that I think
> is quite simple but I just can't get it to work: have slapd
> authenticate users against kerberos. Following many tutorials, trying
> many things, I give up on that and ask for your help.
>
> System: Debian Lenny.
>
> Situation:
> - workstation logins over the network authenticate against kerberos
> - credentials from LDAP
> - postfix has its alias database etc in LDAP, as are the groups and
> userIDs and everything - helps keeping uids the same on the
> workstations. Essential for NFS.
> - anything using pam will be authenticated against kerberos, including
> imap, postfix, etc.
>
> Except LDAP. Then slapd authenticates by itself against the password
> stored there. And that's not what I want. There should be no passwords
> in LDAP any more, everything against kerberos. Then at least when a
> user changes their kerberos password, the same password is used
> everywhere. I just can't get this to work for some reason. I have
> followed many tutorials, so many that I forgot what I did, and it
> still doesn't work.
>
> Slapd should use pam to authenticate, or directly talk to the kerberos
> server, whatever.
>
> saslauthd has the gssapi module installed.

[...]

Why did you design such a complicated setup?
postfix supports sasl mechanism GSSAPI,
openldap supports sasl mechanism GSSAPI,
cyrus-imap supports sasl mechanism GSSAPI,
ssh supports GSSAPI,
pam login should use unix2 which supports GSSAPI.

saslauthd is not required, nor is a userpassword attribute value
required in DIT.
Just setup a proper kerberos V5 environment, create service principals,
host pricipals and user principals, and configure clients to use
either native krb5 implementation or GSSAPI mechanism.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

References:
- Authenticate to ldap using Kerberos
  - From: Wouter van Marle <wouter@squirrel-systems.com>

Prev by Date: Re: Authenticate to ldap using Kerberos
Next by Date: Keep alive functionality when the remote closes the conenction due idle
Index(es):
- Chronological
- Thread