[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Very quick pointer

To: openldap-technical@openldap.org
Subject: Re: Very quick pointer
From: Tim Watts <tw@dionic.net>
Date: Tue, 29 May 2012 07:46:44 +0100
In-reply-to: <4FC40370.6060000@net.t-labs.tu-berlin.de>
References: <4FC3DF52.9080700@dionic.net> <4FC40370.6060000@net.t-labs.tu-berlin.de>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

On 29/05/12 00:00, Bernd May wrote:

Hey,

On 05/28/2012 10:25 PM, Tim Watts wrote:

1) Rig OpenLDAP so all password changes get sent to the kerberos
server but do not use it for authentication. In the meantime we will
continue authenticate with the SSHA1 hashes in the user's LDAP
entry.

The usual way to do this on most *nix systems is to actually 'rig' the
PAM. In debian for example you setup your /etc/pam.d/common-password to
contain something like:

password   sufficient pam_krb5.so ignore_root
password   required   pam_unix.so nullok obscure min=4 max=8 sha256
use_first_pass

this sets up most of your tools to use the right modules when changing
the password, e.g. 'passwd'.


Hi Brend,

Thanks for the reply.

Unfortunately there's a problem with that - the user would need theirold kerberos password before they could initiate a change and in thiscase, their old kerberos password is unknown because Kerberos has onlyjust existed.

I do not know if you could do something like 'referring' a password
change request from the OpenLDAP server to the kerberos server but since
this would be an invitation von mitm attacks I doubt it.


It will be a bit of a pity in this case if it's not possible :(

When using password hashes in the user entry, does slapd receive theplaintext password or does the client generate the hash?

If slapd does not have a mechanism specifically for forcing (priming)kerberos servers, does it have a password change hook?

Otherwise, I am going to have to provide a special password changeservice somewhere - probably web based or something.

Or crack all the LANMan hashes I found in the original LDAP server!(Just joking).

2) After some time (months) when everyone has eventually done a
password change, the Kerberos server will be well enough in sync. Now
I would like to switch OpenLDAP to using kerberos on the backend (ie
for binds etc) and I will purge the SSHA1 hashes.


We successfully auth against kerberos with our LDAP, you might be
interested in reading the SASL section of man slapd-config. Make sure
you ahve compiled your OpenLDAP with SASL support and have successfully
kerberized your server.


Thanks! That sounds good :)

happy configuration party :)


All the best,

Tim
--
Tim Watts
Personal Blog: http://www.dionic.net/tim/

Follow-Ups:
- Re: Very quick pointer
  - From: Tim Watts <tw@dionic.net>
- Re: Very quick pointer
  - From: Christian Manal <moenoel@informatik.uni-bremen.de>

References:
- Very quick pointer
  - From: Tim Watts <tw@dionic.net>
- Re: Very quick pointer
  - From: Bernd May <bernd@net.t-labs.tu-berlin.de>

Prev by Date: Re: Very quick pointer
Next by Date: Re: Very quick pointer
Index(es):
- Chronological
- Thread