
Re: Openldap, kerberos backend, and SASL



Da Rock wrote:
> Sorry to barge in straight away with a question like this, but my time
> is running out and I have not been able to get a straight answer out of
> Google.
> 
> I'm going through the hypotheticals for using LDAP as the backend for
> Kerberos, and I've hit a chicken-and-egg problem with SASL - can someone
> untangle my mind?
> 
> IF Kerberos is using LDAP as a backend store for keys, users, etc., and
> one can set the rootdn and leave the rootpw for later entry in the
> database itself, and the password can use SASL auth - what happens if you
> use Kerberos as the auth mechanism?
> 
> According to the book, slapd needs to set up the access to the key from
> startup, and Kerberos in this scenario will need LDAP up to provide the
> key. Is LDAP up enough that Kerberos can provide this? Or does LDAP
> retry or something so that this problem is overcome?

Which KDC are you going to use? Why do you want to use Kerberos as authc
mech for the connection between the KDC and the LDAP backend server?

Usually one stashes the password at the KDC, which does a simple bind.
There's nothing wrong with that. Also, I wouldn't use the rootdn as
bind-DN for the KDC. I'd rather recommend creating service accounts and
defining appropriate ACLs.

Another possibility is to use SASL/EXTERNAL for an ldapi:/// connection
(Unix domain socket) and map the Unix user to a service account for the
KDC. In this case the service account does not need a password at all.
But KDC and LDAP server have to run on the same machine for this to work.

Ciao, Michael.
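An added example, not from the thread, of the two pieces Michael describes: a password-less service account for the KDC mapped from its Unix identity over ldapi:/// via SASL/EXTERNAL, plus an ACL scoped to the Kerberos subtree instead of binding as rootdn. The Unix uid/gid 1001 of a hypothetical `kdc` user, the DNs under dc=example,dc=com, the database index {1}mdb and the container name cn=krbContainer are assumptions:

```ldif
# --- 1. Service account in the data DIT (apply with ldapmodify as an admin).
#        No userPassword: nothing to stash, and no simple bind possible.
dn: cn=kdc,ou=services,dc=example,dc=com
changetype: add
objectClass: applicationProcess
cn: kdc
description: KDC service identity (assumed account, mapped via SASL/EXTERNAL)

# --- 2. Global mapping (apply to cn=config): the peer credentials slapd sees
#        on the ldapi:/// socket become the service account DN. Only the
#        exact uid/gid of the kdc Unix user is mapped; no wildcards, so a
#        different local process cannot obtain this identity.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}gidNumber=1001\+uidNumber=1001,cn=peercred,cn=external,cn=auth
  cn=kdc,ou=services,dc=example,dc=com

# --- 3. Least-privilege ACL on the data backend: the KDC may write only the
#        Kerberos container; everyone else is denied there. If the KDC also
#        attaches principal data to user entries (krbPrincipalAux style),
#        extend the scope or add a second rule for those attributes.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="cn=krbContainer,dc=example,dc=com"
  by dn.exact="cn=kdc,ou=services,dc=example,dc=com" write
  by * none

# Check, run as the kdc Unix user on the same host:
#   ldapwhoami -Q -Y EXTERNAL -H ldapi:///
# should print  dn:cn=kdc,ou=services,dc=example,dc=com
```

The olcAccess rule is inserted at position {0}, so it takes precedence over existing rules for that subtree; review the rest of the ACL list afterwards so a later, broader rule does not re-open the Kerberos container.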