KDC with openldap backend, ldap replication, can it chase referrals?

Dan Mahoney (Gushi) danm at prime.gushi.org
Wed Apr 15 11:22:59 EDT 2020


On Wed, 15 Apr 2020, Andreas Hasenack wrote:

> Hello,
>
> On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson <ghudson at mit.edu> wrote:
>>
>> On 4/14/20 3:34 PM, Andreas Hasenack wrote:
>>> Can mit kerberos (1.17 for the purpose of this conversation) using the
>>> openldap backend (kldap) chase ldap referrals when it tries to write
>>> to an openldap replica, which is read-only?
>>>
>>> In other words, can I list both the openldap primary and its read-only
>>> replica in krb5.conf's ldap_servers parameter?
>>
>> I don't believe we support this.  This came up a number of years ago:
>>
>> https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754

I may have asked this in the past, but I'll ask it again since LDAP came 
up.  We have an existing Kerberos domain, but we don't use LDAP at all (we 
just use puppet to handle things like user creation on servers).

Specifically, we don't do active directory for any client workstations and 
don't run windows in general -- our users own their own machines, so 
there's no tie-in.  It's hundreds of servers, probably ~30 users.

I see a way to do kerberos with an LDAP backend, but not the opposite. 
I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have 
it use the KDB for authentication.  (Where openLDAP would continue to do 
"authorization", but some machines would be kerberos-only and have no 
dependence on any LDAP systems).  I don't want to have to re-key hundreds 
of systems.

Is this possible in any way?

Failing that, is it possible to dump my KDC and import it into an openLDAP 
system?  (If it is, I've found no documentation on this).

-Dan

-- 


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------
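For readers following the thread's original question, here is an added krb5.conf example (not from the mailing list post or from the MIT project) showing the kldap `[dbmodules]` stanza that the `ldap_servers` parameter belongs to. Because the KDC does not chase referrals when writing (the ticket quoted above), `ldap_servers` lists only the writable primary rather than the read-only replica. The hostnames, DNs and file paths are constructed placeholders.

```ini
; Added example krb5.conf (KDC side); values marked <...> and example.com are assumptions.
[realms]
    EXAMPLE.COM = {
        ; Point the realm at the LDAP-backed module defined below.
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ; Container the Kerberos data lives under; created with kdb5_ldap_util create.
        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
        ; Bind identities for the KDC and kadmind; passwords are read from the stash file.
        ldap_kdc_dn = cn=krbadmin,dc=example,dc=com
        ldap_kadmind_dn = cn=krbadmin,dc=example,dc=com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
        ; Writable servers only: the KDC writes (e.g. last-success/lockout updates,
        ; password changes) are not redirected via referrals, so a read-only
        ; replica listed here would produce write failures rather than a retry
        ; against the primary.
        ldap_servers = ldaps://ldap-primary.example.com
        ldap_conns_per_server = 5
    }
```

If read-only replicas are to be used at all, that is a separate deployment question (for instance, fronting them only for non-KDC consumers), not something the `ldap_servers` list can express.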


