cross-realm auth and LDAP
denis.havlik@t-mobile.at
Thu Apr 8 08:33:29 EDT 2004
Hi, folks
I'm trying to figure out how LDAP+Kerberos combination would work in a
large setup:
(In case you happen to be on ldap list as well, yes I have indeed asked
the same question there. I hope to get some kerberos-related answers here,
some ldap-related there, and I know of no combined LDAP/Kerberos list.)
* several companies are involved, and each of them does the administration
of its own LDAP subtree.
* Each company administers its own Kerberos realm as well.
* LDAP bind is possible with SASL/GSSAPI, or using simple bind with
userPassword: principal at REALM (i.e. LDAP calls saslauthd, which contacts
kerberos)
I understand that we can use the ldap referrals to split the LDAP tree
into administrative subtrees and that ldap search & co. will then
automatically find the entries no matter where they are. I also understand
that cross-realm kerberos trusts can be used to allow "roaming" as far as
kerberos is concerned, but how do these two things work together?
Examples:
1) One real world example that I'm thinking about right now is a bunch of
Solaris boxes that are hosted and administered by employees of the company
A, while some of the company B employees need to access the machines
because of the programs that run on them. Theoretically company B
employees should never have root access to servers, but nevertheless they
do need it from time to time. User login is handled by pam_krb5, and
group relationships come from LDAP server.
Solaris boxes don't move, so they should be able to find the LDAP server,
and (assuming that referrals work) this server should be able to give them
all the relevant user data for employees of both companies. The same
is true for the kerberos part, so theoretically this *should* work. Has any of
you ever tried such a setup?
2) Even more fun is a linux laptop that actually moves from company A to
company B. As far as I can see, this laptop has to actually access the
LDAP server from its own company, because the server URL is hardcoded in
ldap.conf. Kerberos data may be hard-coded in krb5.conf, or taken from DNS
(which in combination with DHCP and DDNS means that the laptop actually
gets a new identity in company B!). This sounds like a complete mess to
me, anyone knows how to handle this situation?
3) Yet another example would be a web server that accepts logins from
employees of two companies. Login is checked by doing a simple LDAP bind
(which in background calls saslauthd, i.e. contacts the kerberos server).
Now assuming that referrals work, and that the web server asks for the correct
DN, saslauthd will eventually get requests to check passwords for
principals from two different realms.
* Does saslauthd now need to actually access the kerberos servers
from each realm, or can it ask server from realm A to check
logins for realm B?
* If saslauthd needs to connect directly to kerberos servers of
each realm, how should I configure it to do so? (several [realms] entries
in /etc/krb5.conf?), and from which realm should the
host/FQHN and ldap/FQHN keys be?
Does someone here have experience with such setups?
thx
Denis
--
T-Mobile Austria GmbH,
Information Technologies / Services
Knowledge Management & Process Automation
Dr. Denis Havlik, eMail:
denis.havlik at t-mobile.at
Rennweg 97-99, BT2E0304031 Phone: +43-1-79-585/6237
A-1030 Vienna Fax:
+43-1-79-585/6584
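As an added illustration (not part of the original post, and not a reply from the list), the following /etc/krb5.conf shows the shape of a single client configuration that knows about two realms, which is what the question about "several [realms] entries" is asking. Realm names, KDC hostnames and DNS domains are placeholders; the [capaths] section assumes a direct cross-realm trust has been set up between the two KDCs.

```ini
# Added illustration, not from the original post. Realm names, hostnames
# and domains are placeholders.
[libdefaults]
    # The realm this host belongs to. Service keys such as host/FQHN and
    # ldap/FQHN for a machine administered by company A are issued by A's
    # KDC, so default_realm is the administering company's realm.
    default_realm = COMPANY-A.EXAMPLE
    # Explicit KDC lists below; no DNS SRV lookups for this host.
    dns_lookup_kdc = false
    dns_lookup_realm = false

[realms]
    # One block per realm the client must be able to reach directly.
    COMPANY-A.EXAMPLE = {
        kdc = kdc1.company-a.example
        kdc = kdc2.company-a.example
        admin_server = kdc1.company-a.example
    }
    COMPANY-B.EXAMPLE = {
        kdc = kdc.company-b.example
        admin_server = kdc.company-b.example
    }

[domain_realm]
    # Map hostnames to the realm whose KDC issues their service keys.
    .company-a.example = COMPANY-A.EXAMPLE
    company-a.example  = COMPANY-A.EXAMPLE
    .company-b.example = COMPANY-B.EXAMPLE
    company-b.example  = COMPANY-B.EXAMPLE

[capaths]
    # Direct trust in both directions: "." means no intermediate realm.
    # Requires krbtgt/COMPANY-B.EXAMPLE@COMPANY-A.EXAMPLE and
    # krbtgt/COMPANY-A.EXAMPLE@COMPANY-B.EXAMPLE to exist with the same
    # key in both KDCs.
    COMPANY-A.EXAMPLE = {
        COMPANY-B.EXAMPLE = .
    }
    COMPANY-B.EXAMPLE = {
        COMPANY-A.EXAMPLE = .
    }
```

With a file like this, any program on the host that uses the Kerberos libraries can locate the KDC for a principal in either realm from the principal's realm part, and a principal from realm A obtaining a ticket for a service in realm B follows the [capaths] route through the cross-realm krbtgt entries. Keeping dns_lookup_realm off pins the host's own realm to default_realm regardless of which network it is plugged into, which matters for the roaming-laptop case described above.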