
Re: ldap, kerberos and authorization by group membership



On 03/15/13 21:26 -0400, brendan kearney wrote:
Please excuse my ignorance, as I am still learning.  I have started working
with MIT Kerberos 5 and OpenLDAP.  I have the krb5 database in LDAP, have
several principals created, and can authenticate using Kerberos.  What I
would like to accomplish is authorization based on group membership.  I am
unclear on how to do this, and whether it requires the use of SASL (via the
cyrus-sasl packages).  Am I able to create a groupOfNames object, populated
with Kerberos principals, and accomplish authorization by checking for
membership of that groupOfNames?  The scenario is mod_auth_kerb implemented
in httpd, or access control via ACL in squid.  Based on group membership,
certain functionality or access would be given to authenticated users.  I
have read and re-read the guide included with OpenLDAP, but am still
unclear about what is needed.  Below is some info about versions, etc...
Thank you in advance for any guidance.

In my experience, authorization is not a standardized concept, even among
servers that support sasl, ldap, and/or kerberos authentication.

In general, approaches which are most likely to bear fruit:

unix group membership
=====================

Install an ldap nss module on the server, and add objectClass posixGroup to
your group entries. Specify "member: <user_id>" for each member of the
group. Find out if a given server (such as squid) supports such authorization,
either by way of a getgrent system call (such as with openssh), or via some
pam group module during authentication.

RADIUS (freeradius ldap backend)
================================

If the server supports RADIUS authentication, then you have flexibility in
granting authentication based on an ldap attribute or ldap group membership,
by way of its ldap backend module.

pam ldap module
===============

If the server supports pam authentication, then use an ldap pam module
(nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on
an ldap attribute or ldap group membership.

I'm not aware of a way to grant authorization solely by using kerberos.

--
Dan White
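The following is an added example, not code from either message above or from OpenLDAP or MIT krb5. It shows the decision a server such as httpd or squid has to make once Kerberos authentication has succeeded: map the authenticated principal to a directory user and check that user against a group. It covers both group styles the reply mentions, a posixGroup listing memberUid values and the groupOfNames the original question asks about, which lists member DNs. To run offline it works on a constructed LDIF snapshot (what `ldapsearch -LLL` would return) instead of a live directory; the DNs, realm, user and group names in that snapshot are assumptions. The user entries carry krbPrincipalName from the MIT krb5 LDAP schema (objectClass krbPrincipalAux), which is what having the KDC database in LDAP provides, so the principal-to-user mapping is an exact attribute match rather than a realm-stripping guess.

```python
"""Authorize a Kerberos principal by LDAP group membership.

Added example for this thread, not code from the original messages or from
OpenLDAP/MIT krb5. Runs against a constructed LDIF snapshot instead of a
live directory so it can execute offline.
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, attribute
    names are lower-cased (LDAP attribute types are case-insensitive) and
    every attribute maps to a list of values. Folded lines (leading space)
    are joined; base64 values ('::') are deliberately not handled, an
    assumption that keeps the example short."""
    entries, current, last = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]      # folded continuation line
            continue
        if not raw.strip():                   # blank line ends an entry
            if current is not None:
                entries.append(current)
            current, last = None, None
            continue
        name, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        if current is None:
            current = {}
        name = name.strip().lower()
        current.setdefault(name, []).append(value.strip())
        last = name
    if current is not None:
        entries.append(current)
    return entries


# Constructed sample directory (assumption): two users with krbPrincipalName
# from the MIT krb5 schema, one posixGroup (memberUid) and one groupOfNames
# (member DNs), the two styles discussed in the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krbPrincipalAux
cn: Alice Example
sn: Example
uid: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
krbPrincipalName: alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krbPrincipalAux
cn: Bob Example
sn: Example
uid: bob
uidNumber: 10002
gidNumber: 10002
homeDirectory: /home/bob
krbPrincipalName: bob@EXAMPLE.COM

dn: cn=proxyusers,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: proxyusers
gidNumber: 20001
memberUid: alice

dn: cn=webadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: webadmins
member: uid=alice,ou=people,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
"""

DIRECTORY = parse_ldif(SAMPLE_LDIF)


def user_for_principal(entries, principal):
    """Return the user entry whose krbPrincipalName equals the authenticated
    principal. The match is exact: realms are case-sensitive, so
    alice@example.com is not alice@EXAMPLE.COM, and a service principal such
    as HTTP/www.example.com@EXAMPLE.COM matches no user entry at all."""
    for entry in entries:
        if principal in entry.get("krbprincipalname", []):
            return entry
    return None


def is_member(entries, user, group_cn):
    """True if user is in the group named group_cn: memberUid on a
    posixGroup, member DNs on a groupOfNames. DNs are compared as
    lower-cased strings, enough for a consistently written directory; a
    production client should normalise DNs or let the server compare."""
    uid = next(iter(user.get("uid", [])), None)
    user_dn = user["dn"][0].lower()
    for group in entries:
        classes = {c.lower() for c in group.get("objectclass", [])}
        if group_cn.lower() not in {c.lower() for c in group.get("cn", [])}:
            continue
        if "posixgroup" in classes and uid is not None \
                and uid in group.get("memberuid", []):
            return True
        if "groupofnames" in classes \
                and user_dn in {m.lower() for m in group.get("member", [])}:
            return True
    return False


def authorize(principal, group_cn, entries=DIRECTORY):
    """The post-authentication decision a web or proxy server needs: the
    principal must map to a known user, and that user must be in the group."""
    user = user_for_principal(entries, principal)
    return user is not None and is_member(entries, user, group_cn)


if __name__ == "__main__":
    for principal, group in [("alice@EXAMPLE.COM", "proxyusers"),
                             ("bob@EXAMPLE.COM", "proxyusers"),
                             ("bob@EXAMPLE.COM", "webadmins"),
                             ("alice@example.com", "webadmins"),
                             ("HTTP/www.example.com@EXAMPLE.COM", "webadmins")]:
        verdict = "allow" if authorize(principal, group) else "deny"
        print(f"{principal:36} {group:12} {verdict}")
```

The point a deployment should take from this: the group lookup needs a user entry to anchor on, so whichever server you use (mod_auth_kerb, squid, a pam or nss module) must be able to get from the principal name to that entry. Storing the principal in the directory and matching it exactly, as above, avoids granting access to a same-named user from another realm or to a service principal.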