KDC with openldap backend, ldap replication, can it chase referrals?

Pallissard, Matthew matt at pallissard.net
Thu Apr 16 10:11:39 EDT 2020


On 2020-04-15T08:22:59 -0700, Dan Mahoney (Gushi) wrote:
> On Wed, 15 Apr 2020, Andreas Hasenack wrote:
>
> > Hello,
> >
> > On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson <ghudson at mit.edu> wrote:
> >>
> >> On 4/14/20 3:34 PM, Andreas Hasenack wrote:
> >>> Can mit kerberos (1.17 for the purpose of this conversation) using the
> >>> openldap backend (kldap) chase ldap referrals when it tries to write
> >>> to an openldap replica, which is read-only?
> >>>
> >>> In other words, can I list both the openldap primary and its read-only
> >>> replica in krb5.conf's ldap_servers parameter?
> >>
> >> I don't believe we support this.  This came up a number of years ago:
> >>
> >> https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754
>
> I may have asked this in the past, but I'll ask it again since LDAP came
> up.  We have an existing Kerberos domain, but we don't use LDAP at all (we
> just use puppet to handle things like user creation on servers).
>
> Specifically, we don't do active directory for any client workstations and
> don't run windows in general -- our users own their own machines, so
> there's no tie-in.  It's hundreds of servers, probably ~30 users.
>
> I see a way to do kerberos with an LDAP backend, but not the opposite.
> I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have
> it use the KDB for authentication.  (Where openLDAP would continue to do
> "authorization", but some machines would be kerberos-only and have no
> dependence on any LDAP systems).  I don't want to have to re-key hundreds
> of systems.

Yep, this is now more of an openldap than an MIT question, so we're getting off-topic.  That aside, krb authn w/ ldap authz is a common pattern.  SASL auth is probably what you're looking for.

https://www.openldap.org/doc/admin24/sasl.html

You can either hand openldap a keytab and have it speak gssapi and/or set the user password field to the sasl backend and have it do the ldap->krb translation.

If you have more questions there is an openldap mailing list.  I'd recommend doing your homework, then taking this conversation over there.  There is also a pretty lively IRC channel.


Matt Pallissard
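The two options Matt describes, as a constructed illustration added here (not part of the thread and not OpenLDAP's documentation): slapd accepting GSSAPI binds against its own keytab and mapping the Kerberos identity onto a directory entry for authorization, and slapd delegating a simple bind's password check to the KDC through saslauthd. Every DN, host, realm and path is a placeholder.

```ldif
# Option 1: GSSAPI binds.  slapd reads its service key (e.g. a keytab holding
# ldap/ldap.example.com@EXAMPLE.COM, pointed to by KRB5_KTNAME in slapd's
# environment) and maps the SASL authentication identity to a real entry, so
# ACLs written against ou=people apply.  The exact left-hand string is whatever
# `ldapwhoami -Y GSSAPI` reports for a user; the cn=<realm> component (and its
# case) must match that output, not be guessed.
dn: cn=config
changetype: modify
replace: olcSaslHost
olcSaslHost: ldap.example.com
-
replace: olcAuthzRegexp
olcAuthzRegexp: {0}"uid=([^,]*),cn=example.com,cn=gssapi,cn=auth" "uid=$1,ou=people,dc=example,dc=com"

# Option 2: pass-through for clients that can only do a simple bind.  The
# {SASL} scheme makes slapd hand the supplied password to the SASL library
# instead of comparing it locally; with pwcheck_method: saslauthd in slapd's
# SASL config (typically /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf)
# and saslauthd started with `-a kerberos5`, the check is an AS exchange with
# the existing KDC.  No Kerberos key is stored in LDAP.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}alice@EXAMPLE.COM
```

With option 2 the cleartext password travels from the client to slapd, so restrict simple binds to TLS sessions (olcSecurity with an ssf or tls minimum) before enabling it; option 1 never exposes a password to slapd at all. Machines that are Kerberos-only keep working unchanged, since the KDC remains the single place keys live.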