
Re: Authenticate to ldap using Kerberos

Wouter van Marle <wouter@squirrel-systems.com> writes:

> It seems currently the ldap implementation of evolution is blamed, which
> is something I can not agree with.

> At this moment, I can connect to my ldap server from Evolution,
> authenticated. I have to enter a username and a password in my evo
> settings, which one way or another is communicated to openldap, which
> then checks this un/pw combo and considers it valid to give the
> information.

If you are using Kerberos, you should never have to enter your username
and password into anything that isn't kinit or your initial authentication
to your system.  If you do, that something is broken and is not using
Kerberos properly.  Period.

That's what people are trying to tell you.

Now, there are various other ways of using Kerberos as a password
verification service, which is what you apparently want to do because
that's what Evolution requires.  That's fine, if that's what you want to
do.  But that doesn't mean that Evolution is working properly.  It's not.
It isn't supporting Kerberos properly for LDAP lookups, and that's a bug
in Evolution.  And anyone who understands Kerberos is going to tell you
the same thing.

Entering your password into applications and, particularly, having those
applications send your Kerberos password over the network as Evolution is
doing is DEFEATING THE WHOLE POINT of Kerberos.

> Now basically the problem is that ldap is using the wrong authentication
> type. Wrong as in not the one that I want it to use. It is using its
> own, internal authentication - this I want to change to an external
> system. It seems I need something like you guys call 'pass-through
> authentication'. And what I learnt over the last year or so when I
> looked more into this and related matter, Linux provides sasl and pam as
> general authentication libs, designed exactly for this purpose. Sasl and
> pam even can talk to each other.

No.  This is not correct.

SASL is what you do when you implement Kerberos properly.  Evolution is
not doing this.  It's either implementing a broken version of SASL where
it only implements a single mechanism (PLAIN), or it's actually not doing
SASL at all (most likely).  The problem is exactly that Evolution is not
properly implementing Kerberos SASL mechanisms.

PAM is indeed a way to verify passwords, but it has nothing to do with
SASL except in the very limited special case that there is one SASL
mechanism that communicates a password to the server, and once the
password is on the server, you might want to use PAM to check it.  PAM is
not a network protocol; PAM is a way of plugging together password
verification systems on a local system and was really designed for either
console login or remote authentication that requires a password (such as
ssh without any Kerberos support).  If you have Kerberos and yet you're
resorting to using it with network services like LDAP, that means your
client software (in this case Evolution) is crappy and broken.

Sadly, lots of client software is crappy and broken, so this is not an
uncommon thing to have to do, but that doesn't make Evolution any less
broken.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
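An added example, not part of the thread above: a small audit script that tells the two kinds of bind the reply is contrasting apart in an OpenLDAP slapd "stats" log. A simple bind (method=128) with a non-empty DN means the client shipped a password to the server, which is exactly the Evolution behaviour being criticised; a SASL bind that reaches a mech=GSSAPI line used the Kerberos ticket instead. The log lines are constructed sample data, and the field layout assumed is OpenLDAP's stats logging format.

```python
import re

# Constructed sample of OpenLDAP slapd "stats" log lines (not from the thread).
# method=128 is an LDAP simple bind: the client ships the password to slapd.
# method=163 is a SASL bind; a later line for the same op names the mechanism.
SAMPLE_LOG = """\
conn=1001 fd=12 ACCEPT from IP=10.0.0.5:40311 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=wouter,ou=people,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 fd=13 ACCEPT from IP=10.0.0.7:51920 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="" method=163
conn=1002 op=0 RESULT tag=97 err=14 text=SASL(0): successful result:
conn=1002 op=1 BIND dn="" method=163
conn=1002 op=1 BIND authcid="wouter@EXAMPLE.COM" authzid="wouter@EXAMPLE.COM"
conn=1002 op=1 BIND dn="uid=wouter,ou=people,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1002 op=1 RESULT tag=97 err=0 text=
conn=1003 fd=14 ACCEPT from IP=10.0.0.9:33001 (IP=0.0.0.0:389)
conn=1003 op=0 BIND dn="" method=128
conn=1003 op=0 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
SIMPLE_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" method=128')
SASL_RE = re.compile(r'conn=(\d+) op=\d+ BIND dn="([^"]*)" mech=(\S+)')


def audit_binds(log_text):
    """Split binds into password binds (simple, non-anonymous) and SASL binds.

    Returns (password_binds, sasl_binds): lists of (conn, client_ip, dn)
    and (conn, client_ip, mechanism).  An empty dn on a simple bind is an
    anonymous bind, which carries no password and is not reported.
    """
    client_ip = {}
    password_binds, sasl_binds = [], []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            client_ip[m.group(1)] = m.group(2)       # remember who this conn is
        elif m := SIMPLE_RE.search(line):
            conn, dn = m.groups()
            if dn:  # a real password travelled over the wire for this DN
                password_binds.append((conn, client_ip.get(conn, "?"), dn))
        elif m := SASL_RE.search(line):
            conn, _dn, mech = m.groups()
            sasl_binds.append((conn, client_ip.get(conn, "?"), mech))
    return password_binds, sasl_binds


if __name__ == "__main__":
    pw, sasl = audit_binds(SAMPLE_LOG)
    for conn, ip, dn in pw:
        print(f"conn={conn} from {ip}: simple bind as {dn} (password on the wire)")
    for conn, ip, mech in sasl:
        print(f"conn={conn} from {ip}: SASL {mech} bind (no password sent)")
```

Run against a real slapd log (loglevel stats), the first list is the set of clients that still need fixing or reconfiguring to use GSSAPI.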