
Re: openldap and kerberos integration

On Thursday, 9 December 2010 21:42:46 Thierry Lacoste wrote:
> Hello,
> I'm experimenting with integrating Kerberos and OpenLDAP
> following roughly http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
> I'm using CentOS and Buchan Milne's repository
> (http://staff.telkomsa.net/packages/rhel5/ )
> both for OpenLDAP and Heimdal.
> I've almost succeeded except for password integration.
> It seems that the smbk5pwd module provided by
> openldap2.4-servers-2.4.22-1.el5 in /usr/lib/openldap2.4/smbpwd.so is
> built without kerberos support.

In Mandriva, the Kerberos implementation in the "main" repository is MIT 
Kerberos, while Heimdal is in contrib. As OpenLDAP is in main, it cannot 
depend on Heimdal, so by default we build smbk5pwd as smbpwd.so without 
Heimdal support, while we have a separate openldap-smbk5pwd package (providing 
smbk5pwd.so) in contrib which is built with Heimdal support.

However, I have had problems with this package on CentOS with my Heimdal 
packages (slapd would hang or crash on a password change on a Heimdal account 
with the module enabled), and due to problems in conjunction with ppolicy 
(krb5PasswordEnd not being updated), I don't use it myself on my CentOS 
deployment, but rather use the "use Samba passwords" feature.

> With "smbk5pwd-enable krb5" I have the following error:
> /etc/openldap2.4/slapd.conf: line 154: smbk5pwd: <smbk5pwd-enable>
> module "smbk5pwd-enable" only allowed when compiled with -DDO_KRB5.
> What is the easiest option to get a kerberos supporting smbk5pwd?

Untested (besides "it installs, it loads, slapd still runs"), but built from 
the Mandriva openldap-smbk5pwd src.rpm:


1)Install ('rpm -Uvh http://staff.telkomsa.net/packages/rhel5/openldap2.4-
smbk5pwd-2.4.21-4.el5.i386.rpm' or similar)
2)Change 'moduleload smbpwd.so' to 'moduleload smbk5pwd.so'
3)Restart slapd

Please let me know if this package works for you. If not, it might be time to 
update the heimdal packages (which I didn't do earlier due to regressions in 
the "use samba passwords" feature which I recently fixed in the Mandriva 

> BTW I'd appreciate any recommendations about providing kerberos and
> LDAP authentication (with the same password) in a production setting.
> Should I use Heimdal or MIT kerberos?

IMHO, Heimdal provides some advantages over MIT.

> If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or
> let Kerberos use its native backend?

There are some minor complications using hdb_ldap, but I feel the benefits 
outweigh them.

> If OpenLDAP as a backend, is it better to use {K5KEY} as the
> userPassword or let smbk5pwd synchronize everything?

Depends on if you have any non-GSSAPI or simple-bind-to-LDAP-server-with-master-key 
authentication (e.g. MSCHAPv2).
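An added example, not from the thread or either poster: a POSIX shell lint that spots the slapd.conf inconsistency behind the quoted error (a `smbk5pwd-enable krb5` directive while the non-Kerberos smbpwd.so is the module being loaded), plus a constructed sample configuration for trying it. The module path, database and suffix in the sample are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): lint a slapd.conf for the condition behind
# the error quoted above. "smbk5pwd-enable krb5" is only accepted by a module built
# with -DDO_KRB5 (the Heimdal-enabled smbk5pwd.so), not by the default smbpwd.so.
# Usage: check_smbk5pwd_conf /etc/openldap2.4/slapd.conf  -> exit 0 if consistent.
check_smbk5pwd_conf() {
    conf="$1"
    # Drop comments and surrounding whitespace; slapd.conf has one directive per line.
    cleaned=$(sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf")
    # Count the relevant directives (grep -c exits 1 on zero matches, hence "|| true").
    k5_module=$(printf '%s\n' "$cleaned" |
        grep -c -E '^moduleload[[:space:]]+([^[:space:]]*/)?smbk5pwd(\.so|\.la)?$' || true)
    plain_module=$(printf '%s\n' "$cleaned" |
        grep -c -E '^moduleload[[:space:]]+([^[:space:]]*/)?smbpwd(\.so|\.la)?$' || true)
    krb5_enable=$(printf '%s\n' "$cleaned" |
        grep -c -E '^smbk5pwd-enable([[:space:]]+[^[:space:]]+)*[[:space:]]+krb5([[:space:]]|$)' || true)
    if [ "$krb5_enable" -gt 0 ] && [ "$k5_module" -eq 0 ]; then
        if [ "$plain_module" -gt 0 ]; then
            echo "MISMATCH: smbk5pwd-enable krb5 with smbpwd.so (built without -DDO_KRB5); load smbk5pwd.so"
        else
            echo "MISMATCH: smbk5pwd-enable krb5 but no smbk5pwd module is loaded"
        fi
        return 1
    fi
    if [ "$k5_module" -gt 0 ] && [ "$plain_module" -gt 0 ]; then
        echo "MISMATCH: both smbpwd.so and smbk5pwd.so are loaded; keep only one"
        return 1
    fi
    echo "OK: smbk5pwd module and smbk5pwd-enable directives are consistent"
    return 0
}
# Constructed sample configuration (assumed paths/suffix, not a real deployment):
# $1 = output path, $2 = module file to load (smbpwd.so as the poster had it,
# or smbk5pwd.so after step 2 of the reply).
write_sample_conf() {
    cat > "$1" <<EOF
# constructed slapd.conf fragment
modulepath /usr/lib/openldap2.4
moduleload $2
database bdb
suffix "dc=example,dc=com"
overlay smbk5pwd
smbk5pwd-enable krb5 samba
EOF
}
# Stand-alone use: check the file named on the command line.
if [ "$#" -gt 0 ]; then
    check_smbk5pwd_conf "$1"
fi
```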