SASL/GSSAPI bind in LDAP plugin?

Andrew Bartlett abartlet at samba.org
Fri Feb 17 17:07:35 EST 2006


On Thu, 2006-02-16 at 12:48 -0800, Henry B. Hotz wrote:

> As for who's running who:  well if the data is all in LDAP, then I  
> think that decision has already been made.  The kdc is just a  
> specialized front-end for the directory.
> 
> In that architecture I would probably prefer to put the DS(s) and the  
> KDC(s) on the same machine(s) precisely to simplify (and better  
> secure) their interaction.

While it is 'just a bug', I wanted to share an experience with Heimdal's
hdb-ldap, and a few other thoughts which seemed relevant to this
discussion.

The 'bug' is that when Heimdal's LDAP server goes away, things fail into
an 'authoritative user not found' state.  That is, I have a KDC assuring
the rest of the network that it knows the user doesn't exist.

I looked at fixing it, and found that in that codebase, communicating an
error that would make the client try again (hopefully to a KDC with a
working backend) was really hard.  I just tried to fix the issue that
was causing my (local) LDAP server to crash.

As such, it seems a very good idea to tightly bind KDCs to LDAP servers
in an operational environment, particularly if it simplifies
authentication.

In development, it is sometimes nice to separate the two, to allow
tracing of the traffic.  In which case, I would suggest a fallback
to either TLS or (much easier) DIGEST-MD5.

Also, if the KDC expects to write to the LDAP server (say to update a
lockout attribute), then for OpenLDAP backends, it will require a way to
authenticate off-host, as it rebinds to the master.

In Samba4, we currently support an external LDAP server behind our KDC,
and use NTLMSSP authentication, but I want to move to DIGEST-MD5 or
EXTERNAL with TLS soon.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net
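The failure mode described in the message above (a KDC whose LDAP backend has gone away answering "principal unknown" instead of an error the client will retry against another KDC), as an added, constructed example. This is not Heimdal, hdb-ldap or Samba code: the backend, the AS-REQ handlers and the client loop are hypothetical stand-ins; only the two numeric Kerberos error codes are taken from RFC 4120 section 7.5.9.

```python
"""Added example: why a KDC must distinguish 'backend unreachable' from
'no such principal'.  Everything here is a constructed stand-in, not code
from Heimdal or Samba; only the numeric error codes come from RFC 4120."""

# Kerberos error codes (RFC 4120, section 7.5.9).
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6   # authoritative: no such client principal
KDC_ERR_SVC_UNAVAILABLE = 29      # KDC cannot serve right now; try another


class BackendUnavailable(Exception):
    """The directory (LDAP) behind the KDC could not be reached."""


class FakeLdapBackend:
    """Hypothetical stand-in for hdb-ldap: a dict of principals plus an
    'up' flag so the outage can be simulated offline."""

    def __init__(self, principals):
        self.principals = dict(principals)
        self.up = True

    def fetch(self, principal):
        if not self.up:
            # Real code would see an LDAP connection error here.
            raise BackendUnavailable("LDAP server is not reachable")
        return self.principals.get(principal)  # None means not found


def as_req(backend, principal):
    """Hypothetical AS-REQ handling done right.

    Returns ("TGT", entry) on success or ("ERROR", code) otherwise.
    A backend outage becomes SVC_UNAVAILABLE (retryable); only a genuine
    'no such entry' becomes C_PRINCIPAL_UNKNOWN (authoritative)."""
    try:
        entry = backend.fetch(principal)
    except BackendUnavailable:
        return ("ERROR", KDC_ERR_SVC_UNAVAILABLE)
    if entry is None:
        return ("ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return ("TGT", entry)


def buggy_as_req(backend, principal):
    """The behaviour the post describes: every lookup failure collapses into
    'user not found', so a dead LDAP server looks like a deleted user."""
    try:
        entry = backend.fetch(principal)
    except BackendUnavailable:
        entry = None
    if entry is None:
        return ("ERROR", KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return ("TGT", entry)


RETRYABLE = {KDC_ERR_SVC_UNAVAILABLE}


def client_login(kdcs, principal, handler=as_req):
    """Client-side KDC selection: walk the KDC list, stop on success or on an
    authoritative error, and move to the next KDC only on retryable errors.
    Returns ("OK", entry) or ("FAIL", last_error_code)."""
    last = None
    for kdc in kdcs:
        kind, value = handler(kdc, principal)
        if kind == "TGT":
            return ("OK", value)
        last = value
        if value not in RETRYABLE:
            break  # authoritative answer: asking another KDC will not help
    return ("FAIL", last)


if __name__ == "__main__":
    # Constructed scenario: KDC 1's LDAP is down, KDC 2's is healthy.
    users = {"alice@EXAMPLE.COM": {"kvno": 3}}
    healthy = FakeLdapBackend(users)
    broken = FakeLdapBackend(users)
    broken.up = False
    print("correct KDC:", client_login([broken, healthy], "alice@EXAMPLE.COM"))
    print("buggy KDC:  ", client_login([broken, healthy], "alice@EXAMPLE.COM",
                                       buggy_as_req))
```

With the correct handler the client falls through to the second KDC and gets a ticket; with the buggy handler the first KDC's "principal unknown" is final, and the client never asks the KDC whose backend is working. The `RETRYABLE` set is the piece that matters: it is the client's contract for which errors are worth a second KDC, and the KDC has to honour it by never reporting a backend outage as an authoritative lookup result.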