Re: Authenticate to ldap using Kerberos



On Thu, 2010-09-09 at 23:02 -0500, Dan White wrote:
> On 09/09/10 20:05 -0700, Russ Allbery wrote:
> >Wouter van Marle <wouter@squirrel-systems.com> writes:
> >> At this moment, I can connect to my ldap server from Evolution,
> >> authenticated. I have to enter a username and a password in my evo
> >> settings, which one way or another is communicated to openldap, which
> >> then checks this un/pw combo and considers it valid to give the
> >> information.
> >
> >If you are using Kerberos, you should never have to enter your username
> >and password into anything that isn't kinit or your initial authentication
> >to your system.  If you do, that something is broken and is not using
> >Kerberos properly.  Period.
> 
> So if the poster had stated that he wanted to perform PAM authentication
> for his simple binds, I don't think he'd be confronted with such a violent
> reaction. However, from the standpoint of slapd, that's exactly what he's
> wanting to do.

Which is indeed what I have now slowly found out. I'm not an expert in
openldap or security; in the end I just want it to work. And
unfortunately evolution doesn't support all possible protocols; which is
of course why other applications try to support as many as possible, to
at least end up with one match.
Now Evolution can talk to openldap, and can authenticate, which is why I
can't call it "broken". Maybe it could be done better, maybe there are
newer protocols. But it's not broken in the sense of "doesn't work". 

On top of that as long as it's on my own LAN, not out over the Internet,
I'm not worried about using plain passwords over unencrypted
connections. If an attacker manages to start sniffing passwords off of
my LAN (which is physically inside my office; all wired) then I have
worse security issues to worry about.

> Performing simple binds has precisely the same negative security footprint
> regardless of where his passwords may be stored. I'm assuming Evolution
> supports ldaps or STARTTLS, 

Evolution does support encryption using TLS and SSH connections (that is
how it's called in the settings). And if I understand everything well
then plain authentication using one of those protocols is still pretty
secure.

Wouter.

> which would go a long way in mitigating that
> risk. If it didn't support TLS, I'd think that'd be a much more urgent
> focus (GSSAPI only provides 56 bits of encryption).
> 
> >> Now basically the problem is that ldap is using the wrong authentication
> >> type. Wrong as in not the one that I want it to use. It is using its
> >> own, internal authentication - this I want to change to an external
> >> system. It seems I need something like you guys call 'pass-through
> >> authentication'. And what I learnt over the last year or so when I
> >> looked more into this and related matter, Linux provides sasl and pam as
> >> general authentication libs, designed exactly for this purpose. Sasl and
> >> pam even can talk to each other.
> 
> At this point, I'd agree with the above.
> 
> >No.  This is not correct.
> 
> >SASL is what you do when you implement Kerberos properly.  Evolution is
> >not doing this.  It's either implementing a broken version of SASL where
> >it only implements a single mechanism (PLAIN), or it's actually not doing
> >SASL at all (most likely).  The problem is exactly that Evolution is not
> >properly implementing Kerberos SASL mechanisms.
> 
> Would you agree that any application which does not support the full range
> of SASL mechanisms is broken? What about simple binds? Would you suggest
> that OpenLDAP remove all support for simple binds? If not, why not?
> 
> >PAM is indeed a way to verify passwords, but it has nothing to do with
> >SASL except in the very limited special case that there is one SASL
> >mechanism that communicates a password to the server, and once the
> >password is on the server, you might want to use PAM to check it.  PAM is
> >not a network protocol; PAM is a way of plugging together password
> >verification systems on a local system and was really designed for either
> >console login or remote authentication that requires a password (such as
> >ssh without any Kerberos support).  If you have Kerberos and yet you're
> >resorting to using it with network services like LDAP, that means your
> >client software (in this case Evolution) is crappy and broken.
> 
> Most protocols have support for legacy (pre-SASL) authentication. IMAP has
> login, POP has user/pass, LDAP has simple binds. (SMTP being one exception
> to this).
> 
> In an ideal world we could just do away with all software that only
> has support for legacy authentication, but that'd break a good chunk of the
> ISP services I help to maintain. I'm not really a big fan of that.
> 
> >Sadly, lots of client software is crappy and broken, so this is not an
> >uncommon thing to have to do, but that doesn't make Evolution any less
> >broken.
>