Kerberos + LDAP + Cyrus-SASL woes

Digant Kasundra digant at uta.edu
Thu May 27 12:23:41 EDT 2004


A lot of this depends on what LDAP you are planning to use.  Essentially,
there are two ways to use Kerberos with LDAP: one is the SASL method, and
the second is pass-through authentication.

Using SASL, a Kerberos ticket is presented to the LDAP server (if you are
using PAM, you can use pam_krb5 to move authentication into Kerberos instead
of LDAP -- this way, when you log in, you authenticate against Kerberos and
have a ticket as a result).  When that ticket is presented to LDAP, the LDAP
server knows how to map that Kerberos principal to a dn in the directory.
Ergo, you bind as that dn and get the permissions as specified for that dn
by the access control lists.

The "pass-through" method means that you bind to LDAP using a username and
password.  When you attempt to do so, instead of LDAP authenticating that
username/password against its local store, it contacts the Kerberos KDC and
attempts to verify those credentials (by requesting a ticket).

I think the first method is preferred but since not all applications can
speak Kerberos, the LDAP pass-through is definitely important.  I know that
Sun Java Directory server and OpenLDAP support both methods.

-- Digant C Kasundra
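An OpenLDAP slapd.conf sketch of both methods described above, added here as an illustration and not taken from the original post or from any project; the realm EXAMPLE.COM, the base dc=example,dc=com, the host ldap.example.com and the user jhunt are assumed values.

```conf
# --- Method 1: SASL/GSSAPI bind, Kerberos principal mapped to a DN ------
# (assumed realm EXAMPLE.COM, assumed base dc=example,dc=com)
# After a successful GSSAPI bind slapd holds the SASL authentication id
#   uid=<user>,cn=EXAMPLE.COM,cn=gssapi,cn=auth
# authz-regexp rewrites it into the entry the ACLs are written against.
sasl-realm      EXAMPLE.COM
sasl-host       ldap.example.com
authz-regexp
    "uid=([^,/]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"
# Principals with an instance (user/admin@EXAMPLE.COM) contain '/' and do
# not match, so they stay unmapped; add a separate authz-regexp only for
# the instances that should receive a DN.
# slapd itself needs ldap/ldap.example.com@EXAMPLE.COM in a keytab it can
# read (KRB5_KTNAME in slapd's environment).
#
# Check, after kinit, that the mapped DN is what the ACLs expect:
#   ldapwhoami -H ldap://ldap.example.com -Y GSSAPI
#   expected: dn:uid=jhunt,ou=people,dc=example,dc=com (not the cn=auth form)

# --- Method 2: simple bind passed through to the KDC --------------------
# The entry stores no password hash; the {SASL} scheme hands the supplied
# password to Cyrus SASL, which asks saslauthd (run as: saslauthd -a
# kerberos5) to request a TGT for that principal, so the KDC verifies it.
#
#   dn: uid=jhunt,ou=people,dc=example,dc=com
#   userPassword: {SASL}jhunt@EXAMPLE.COM
#
# Cyrus SASL config for slapd (e.g. /usr/lib/sasl2/slapd.conf; path varies):
#   pwcheck_method: saslauthd
#
# Obtaining a TGT alone does not prove the KDC is genuine; saslauthd uses
# the local host keytab to verify the ticket when one is readable, so keep
# that keytab in place on the LDAP server.
# The simple bind carries the password itself, so require TLS for it:
security ssf=128
# Check:
#   ldapwhoami -H ldaps://ldap.example.com -x \
#       -D uid=jhunt,ou=people,dc=example,dc=com -W
```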

> "James Hunt" <james at oicgroup.net> wrote in message 
> news:1085608258.23946.13.camel at james.office.oic...
> > We are looking to integrate Kerberos with LDAP and PAM (facilitating
> > communication between Kerberos and LDAP using Cyrus-SASL) on Linux.
> > On our own, and using documentation found on the web, we have managed
> > to implement it partially.
> >
> > What we have so far:
> > A working LDAP server that we can bind to and query.
> > A working kerberos KDC that is issuing tickets.
> > A PAM setup that has moved the UNIX authentication (/etc/passwd) into
> > LDAP.
> >
> > The final product would provide central user authentication (the
> > Kerberos KDC) and user account management (LDAP), thus providing many
> > of the services of a Windows Active Directory server.  What we are
> > stuck on is not so much a configuration or software issue as it is a
> > conceptual snag.  Where should Kerberos tickets (and possibly keytabs)
> > be stored to interoperate with LDAP?  How is LDAP supposed to contact
> > the KDC and receive a ticket?  Is the user supposed to run kinit -f
> > upon login?
> >
> > Our company, the OIC Group, is looking for someone who really knows 
> > Kerberos and LDAP inside and out, and is willing to lend a hand, 
> > either as a consultant, or a contract system administrator.  OIC is 
> > willing to pay for services rendered.  Our only requirement is that 
> > the working implementation / configuration be well-documented for 
> > future reference.
> >
> > Any help / direction / guidance is greatly appreciated.
> >
> > James Hunt,
> > Senior Programmer
> > OIC Group, Inc.
> > http://www.oicgroup.net/
> >
> > ________________________________________________
> > Kerberos mailing list           Kerberos at mit.edu
> > https://mailman.mit.edu/mailman/listinfo/kerberos
> >