Integrating Kerberos with LDAP

Aneela Saleem aneela at platalytics.com
Mon Jun 20 13:45:33 EDT 2016


What if I haven't configured PAM, sssd or nss_ldap? Can I simulate LDAP
user authentication? Meaning, every time a user is created in LDAP we manually
add its principal in Kerberos. Is it fine to do this?

On Sun, Jun 19, 2016 at 12:33 AM, Aneela Saleem <aneela at platalytics.com>
wrote:

> Thanks for the response.
>
> I actually have all my users in LDAP and I'm trying to get Kerberos to
> authenticate LDAP users. I learnt that pam_krb5, nss_ldap etc. are used for
> authentication and all the related mappings, but I don't know exactly
> whether I need all these things or not, since I'm using Ubuntu and I
> actually want to use Kerberos for Hadoop, to authenticate users accessing
> the Hadoop File System. Please guide me on how I can achieve this.
>
> Thanks
>
> On Sat, Jun 18, 2016 at 10:50 PM, Sean Elble <elbles at sessys.com> wrote:
>
>>
>> > On Jun 18, 2016, at 6:59 AM, Aneela Saleem <aneela at platalytics.com>
>> wrote:
>> >
>> > Hi,
>> >
>> > I'm new to Kerberos. I have configured it successfully. I can add
>> > principals and authenticate those principals well. Now I want to import
>> > users from LDAP, and I have some confusion about it.
>> >
>> > How would authentication be managed in the case where we want user
>> > management through LDAP and authentication through Kerberos? How would
>> > we map principals to LDAP users and vice versa? I have been looking into
>> > this for many days but I'm still not satisfied. Looking for suitable
>> > answers.
>>
>> It depends on what exactly you're doing.  If we're talking about
>> Linux/UNIX boxes using Kerberos and LDAP, you would have configured
>> pam_krb5 for the authentication portion, and used nss_ldap for the
>> user/group lookups (via /etc/nsswitch.conf or similar).  With sssd, you
>> can configure it to handle both the Kerberos and LDAP pieces.
>>
>> Are your user names in Kerberos not the same as the user names that exist in
>> LDAP?  If you're new to Kerberos, I'm guessing you only have the one realm,
>> which makes it quite simple--a user name (e.g., jsmith) would simply map to
>> your principal name (e.g., jsmith at EXAMPLE.COM).
>>
>> Mixing LDAP and Kerberos really isn't that difficult.  The only bit of
>> difficulty I've experienced with the two is when you want to use Kerberos
>> to authenticate to LDAP itself, and that's where you'd potentially have to
>> do some mapping for ACLs (and play with SASL, etc.).  It's been a few years
>> since I've done that, but when moving from a CentOS 5 box to a CentOS 7 box
>> around a year ago, it hadn't seemed to change much.
>>
>> >
>> > Thanks.
>> > ________________________________________________
>> > Kerberos mailing list           Kerberos at mit.edu
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>>
>>
>
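The split Sean describes above (Kerberos checks the password, LDAP supplies the user and group records, sssd doing both jobs) written out as an sssd configuration for a single realm. This is an added example, not something posted in the thread; the realm EXAMPLE.COM, the hosts kdc.example.com and ldap.example.com, and the base DN dc=example,dc=com are placeholders to replace with your own.

```ini
; /etc/sssd/sssd.conf (added example; the file must be owned by root, mode 0600)
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
; user/group lookups come from the directory (the job nss_ldap used to do)
id_provider = ldap
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
; verify the directory's certificate rather than silently accepting any
ldap_tls_cacert = /etc/ssl/certs/ca-certificates.crt
ldap_tls_reqcert = demand

; passwords are verified by the KDC (the job pam_krb5 used to do)
auth_provider = krb5
chpass_provider = krb5
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
; with one realm the POSIX uid from LDAP (jsmith) is used unchanged as the
; principal name (jsmith@EXAMPLE.COM); no explicit mapping table is needed

; no offline password caching on the host; set true only for laptops
cache_credentials = false
enumerate = false
```

For the host to actually use it, /etc/nsswitch.conf needs `passwd: files sss` and `group: files sss`, and on Ubuntu installing the sssd package and running `pam-auth-update` wires pam_sss into the PAM stack. The LDAP entries must carry the posixAccount attributes (uid, uidNumber, gidNumber, homeDirectory) or sssd will not return them as users. Note what this does and does not give you: the directory and the KDC still know nothing about each other, so whatever process creates the LDAP entry also has to create a principal of the same name on the KDC, which is exactly the manual step asked about in the first message; sssd only removes the need for local accounts on every box, not the need for a principal per user.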