Re: Kerberos + OpenLDAP help needed.

From: Nick Lopez (securityfocus_at_glowingmonkey.org)
Date: 09/23/03

    Date: Tue, 23 Sep 2003 11:18:05 -0700
    To: focus-linux@securityfocus.com
    
    

    On Thu, Sep 18, 2003 at 12:08:35PM +0200, Andrew Cooks wrote:
    > Has anyone on the list played/worked with Kerberos + LDAP before?
    >
    > I'm trying to set up Samba 3 + OpenLDAP + Kerberos, but I can't figure out
    > the exact relationship between the OpenLDAP db and Kerberos db.
      Use OpenLDAP to store the information you care about. All Kerberos does
    is provide authentication, aka, prove they are who they say they are. Krb
    stores the passwords and makes sure they never travel across the wire.

      With OpenLDAP you can add the krb5Principal objectclass and a
    krb5PrincipalName attribute to your users to allow them to use the
    credentials they get from Kerberos to bind to the tree and change stuff.
    Note this is not the krb password, but a krb ticket. If you want to allow
    people to bind to the tree with their passwords directly you need to set
    their password to something like {KRB5}principal@REALM and I believe OpenLDAP
    will do the run around to verify their password against kerberos. This is
    highly discouraged as it breaks the Kerberos ideal of never sending the
    password over the wire, even encrypted.

      Oh, yeah, the ldap server will need a principal too, ldap/hostname,
    stored in a keytab.

      Confused yet?

    > I've read all the (Mit) Kerberos V docs, official Samba3 docs and most of
    > the OpenLDAP docs, as well as plenty of googling.
      Been there, done that. They suck, don't they? I found this one the most
    useful, but still not quite up to date.
    http://www.bayour.com/LDAPv3-HOWTO.html. The bug in the Debian SASL package
    is still there, but the syntax he gives for Krb ACL entries is off.
    "by dn="uid=USERNAME.*\*realm=REALM" write" works for me with OpenLDAP 2.1.

      - Nick Lopez
        spamtrap@glowingmonkey.org

      -- Randomly selected signature --
    < ket> My country tis a freak, sweet land of anarchy, of thee I scream.
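The two ways of tying a directory entry to a Kerberos identity that the reply above describes, written out as an added LDIF example (not from the original thread or from OpenLDAP's own docs). It assumes the krb5-kdc.schema shipped with OpenLDAP is loaded in slapd; the DN, uid and realm EXAMPLE.COM are placeholders.

```ldif
# Recommended form from the reply: add the krb5Principal objectclass and a
# krb5PrincipalName so a bind done with a Kerberos ticket (SASL/GSSAPI) can be
# mapped onto this entry. The password never reaches slapd.
# (constructed entry; uid, base DN and realm are assumptions)
dn: uid=acooks,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: krb5Principal
-
add: krb5PrincipalName
krb5PrincipalName: acooks@EXAMPLE.COM

# Discouraged form from the reply: a {KRB5} userPassword makes slapd take a
# plaintext simple-bind password and verify it against Kerberos itself, so
# the password crosses the wire to the LDAP server even if TLS wraps it.
# Shown only so the difference is visible; do not apply both to one entry.
dn: uid=acooks,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {KRB5}acooks@EXAMPLE.COM
```

With a ticket from kinit, `ldapmodify -Y GSSAPI -f users.ldif` applies the first record using the ticket rather than a password, and `ldapwhoami -Y GSSAPI` shows the SASL-derived DN that the ACL entry in the reply has to match.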

