Re: GSSAPI vs GSS-SPNEGO



On Mon, 2014-12-29 at 10:49 -0600, Dan White wrote:
> On 12/28/14 11:24 -0500, Brendan Kearney wrote:
> >On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote:
> >> Brendan Kearney wrote:
> >> > i want to use the "pass-through" auth mechanism with sasl, so that i
> >> > validate credentials against the kerberos database, and not have to
> >> > maintain passwords in multiple places.
> >
> >ok, then i have misunderstood PLAIN vs SIMPLE, it seems.  i will back up
> >and explain what i am trying to do.
> >
> >apache, dhcp and freeradius can all use ldap for various functionality.
> >they all use what i now believe to be SIMPLE auth, where they are using
> >"cn=user,dc=domain,dc=tld" as ldap usernames.  these processes are using
> >ldap for authentication, whereas i have only kerberos authentication
> >set up in my environment (and ldap authorization).  my hope was that sasl
> >could allow me to push the ldap authN request through to kerberos, and
> >in essence proxy the authentication.
> 
> This is a valid use of pass-through in my opinion, but you'll want to
> protect the authentication as Howard mentioned over ldapi:/// ideally, or
> tls otherwise.
> 
> pass-through does not require that you advertise any other sasl mechanisms,
> such as plain, since it does not involve sasl over the wire. To use, see:
> 
> http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
> 
> Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and you should
> need nothing else unless you're using a non-standard location for your
> saslauthd mux.
> 
> Verify that your slapd user has permissions to access the saslauthd mux,
> and verify your saslauthd config with testsaslauthd.
> 

i had the pwcheck_method directive in there, along with the path to one
of two saslauthd muxes, /var/run/saslauthd/mux and /run/saslauthd/mux,
which both show up as "srwxrwxrwx" and are owned by root:root.  testing
using testsaslauthd works with my id, but i am not sure how to have
authentication work when the other process is binding with
"cn=user,dc=domain,dc=tld" and not a username.
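As an added illustration (not part of this thread) of the pass-through setup Dan describes: the libsasl slapd.conf fragment, the per-entry userPassword value that makes a simple bind with a DN get forwarded to saslauthd, and the testsaslauthd check against the mux. The realm EXAMPLE.COM, the user "brendan", the DN and the password are assumed placeholders.

```conf
# --- /usr/lib/sasl2/slapd.conf (libsasl config read by slapd; path varies by distro) ---
# Forward password checks to saslauthd instead of any SASL mechanism over the wire.
pwcheck_method: saslauthd
# Only needed when the mux is not at the compiled-in default location.
saslauthd_path: /run/saslauthd/mux

# --- LDIF: mark the entry so slapd passes the simple bind through to saslauthd ---
# The {SASL} scheme tells slapd to hand the bind password plus this user@realm
# to the pwcheck backend; nothing is stored in the directory except the identity.
# (DN and user are assumed placeholders.)
dn: cn=user,dc=domain,dc=tld
changetype: modify
replace: userPassword
userPassword: {SASL}brendan@EXAMPLE.COM

# --- shell: verify the mux and the saslauthd config before blaming slapd ---
# The slapd service account must be able to connect to the mux socket.
# Expect a socket ("s" in the mode) that the slapd user can write to:
#   ls -l /run/saslauthd/mux
# Exercise saslauthd directly with the same identity the {SASL} value names:
#   testsaslauthd -u brendan -r EXAMPLE.COM -p 'assumed-password' -f /run/saslauthd/mux
# A successful check prints "0: OK "Success."" ; run it as the slapd user (e.g. with
# sudo -u ldap) to confirm the socket permissions, not just the credentials.
```

Once the entry carries the {SASL} value, the clients that bind with "cn=user,dc=domain,dc=tld" keep using a simple bind; only the password check moves to saslauthd, so the bind should still travel over ldapi:/// or TLS as the thread notes.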