cross-realm auth and LDAP

denis.havlik@t-mobile.at
Thu Apr 8 08:33:29 EDT 2004


Hi, folks 

I'm trying to figure out how an LDAP+Kerberos combination would work in a 
large setup: 
(In case you happen to be on the ldap list as well: yes, I have indeed asked 
the same question there. I hope to get some Kerberos-related answers here, 
some LDAP-related there, and I know of no combined LDAP/Kerberos list.)

* Several companies are involved, and each of them does the administration 
of its own LDAP subtree. 
* Each company administers its own Kerberos realm as well. 
* LDAP bind is possible with SASL/GSSAPI, or using simple bind with 
userPassword: principal@REALM (i.e. LDAP calls saslauthd, which contacts 
Kerberos). 

I understand that we can use LDAP referrals to split the LDAP tree 
into administrative subtrees and that ldap search & co. will then 
automatically find the entries no matter where they are. I also understand 
that cross-realm Kerberos trusts can be used to allow "roaming" as far as 
Kerberos is concerned, but how do these two things work together? 

Examples: 

1) One real-world example that I'm thinking about right now is a bunch of 
Solaris boxes that are hosted and administered by employees of company 
A, while some of company B's employees need to access the machines 
because of the programs that run on them. Theoretically company B 
employees should never have root access to servers, but nevertheless they 
do need it from time to time.  User login is handled by pam_krb5, and 
group relationships come from the LDAP server. 

Solaris boxes don't move, so they should be able to find the LDAP server, 
and (assuming that referrals work) this server should be able to give them 
all the relevant user data for employees of both companies. The same 
is true for the Kerberos part, so theoretically this *should* work. Have any of 
you ever tried such a setup? 

2) Even more fun is a Linux laptop that actually moves from company A to 
company B. As far as I can see, this laptop has to actually access the 
LDAP server of its own company, because the server URL is hard-coded in 
ldap.conf. Kerberos data may be hard-coded in krb5.conf, or taken from DNS 
(which in combination with DHCP and DDNS means that the laptop actually 
gets a new identity in company B!). This sounds like a complete mess to 
me; does anyone know how to handle this situation? 

3) Yet another example would be a web server that accepts logins from 
employees of two companies. Login is checked by doing a simple LDAP bind 
(which in the background calls saslauthd, i.e. contacts the Kerberos server). 

Now assuming that referrals work, and that the web server asks for the correct 
DN, saslauthd will eventually get requests to check passwords for 
principals from two different realms. 
        * Does saslauthd now need to actually access the Kerberos servers 
          of each realm, or can it ask the server of realm A to check 
          logins for realm B? 
        * If saslauthd needs to connect directly to the Kerberos servers of 
          each realm, how should I configure it to do so (several [realms] 
          entries in /etc/krb5.conf?), and from which realm should the 
          host/FQHN and ldap/FQHN keys be? 

Does someone here have experience with such setups? 

thx 
        Denis 
--
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation

Dr. Denis Havlik
eMail: denis.havlik@t-mobile.at
Rennweg 97-99, BT2E0304031
A-1030 Vienna
Phone: +43-1-79-585/6237
Fax: +43-1-79-585/6584
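Added example, not part of Denis's post or of any reply on the list: a krb5.conf fragment for a host that belongs to realm A but must verify passwords for, and accept tickets from, users of a second realm B (the situation in examples 1 and 3 above). The realm names A.EXAMPLE and B.EXAMPLE, the KDC hostnames and the DNS domains are made up for illustration.

```ini
# /etc/krb5.conf on a host in realm A.EXAMPLE (assumed names throughout)

[libdefaults]
    default_realm = A.EXAMPLE
    # KDCs are listed explicitly below; set to true to use DNS SRV records instead
    dns_lookup_kdc = false

[realms]
    # Each realm the host must talk to gets its own entry; libkrb5 picks
    # the KDC by the realm part of the principal it is asked about.
    A.EXAMPLE = {
        kdc = kdc1.a.example
        admin_server = kdc1.a.example
    }
    B.EXAMPLE = {
        kdc = kdc1.b.example
    }

[domain_realm]
    # Maps hostnames to realms so host/FQHN and ldap/FQHN are looked up
    # in the right realm; without this, the default_realm would be assumed.
    .a.example = A.EXAMPLE
    a.example  = A.EXAMPLE
    .b.example = B.EXAMPLE
    b.example  = B.EXAMPLE

[capaths]
    # "." declares a direct trust path with no intermediate realm, instead
    # of the default hierarchical walk through a common parent realm.
    A.EXAMPLE = {
        B.EXAMPLE = .
    }
    B.EXAMPLE = {
        A.EXAMPLE = .
    }
```

With both realms listed under [realms] (or resolvable through DNS SRV records when dns_lookup_kdc = true), libkrb5 on this host runs the AS exchange for user@B.EXAMPLE against a B.EXAMPLE KDC, so a password check for a B principal does need network access to B's KDCs; a KDC in A.EXAMPLE cannot verify a B.EXAMPLE password on its behalf. The [capaths] entries only take effect once both KDCs hold the cross-realm principals krbtgt/B.EXAMPLE@A.EXAMPLE and krbtgt/A.EXAMPLE@B.EXAMPLE with identical keys. The host's own host/FQHN and ldap/FQHN keys stay in the realm the host is joined to (A.EXAMPLE here); a B.EXAMPLE user obtains service tickets for them through the cross-realm TGT. One caveat for any password check done by an AS exchange (pam_krb5 or saslauthd alike): the TGT obtained with the user's password should be verified against the host's own host/FQHN key, otherwise a rogue KDC answering for either realm can make any password look valid.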

