Authenticate user with Kerberos & LDAP-backend

Hi All

There is an LDAP server which stores many users and serves authentication in my company. Now I have set up a Kerberos server to implement a single-sign-on mechanism; after that I saw some ideas about Kerberos with an LDAP backend. It is great, and I deployed it successfully on a test server. But now there is a thing I am confused about: after using the LDAP backend, can I use Kerberos to authenticate some services (SSH for example), LDAP to authenticate other services (FTP, HTTP, ... for example), and all attributes of the user (cn, userPassword, ... for example) for other usage, while users can still change their password with the kpasswd tool?

Has anyone experienced this situation? Please give me some ideas on how to implement it.

Thank you,
Hung Ta 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

hungtt (2)
5/1/2007 11:29:48 AM
comp.protocols.kerberos

Having been down this road, I can tell the you with complete confidence
that... it depends.

If the LDAP server is Active Directory, you can use LDAP or AD for
authentication, and they'll both work with the same password.

If you're using OpenLDAP and MIT Kerberos, it's a bit more of a problem,
since you essentially end up with two sets of passwords, which is not
pretty.

If you're using PAM for everything, it's easier to get everything to use
that instead. That way, you get SSO where applications support it, and
where they don't, they still use the Kerberos back end via PAM. I did this
for email, where none of the installed software supported Kerberos SSO.
Once Kerberos was working properly (my fault, I explicitly ignored some of
the strongly worded recommendations in the admin manual) it was pretty
darn near bullet proof.

The problem child is various applications that only support an LDAP
backend, and can't be changed to use Kerberos directly.

OpenLDAP used to have this thing where a given entry could contain a
Kerberos principal, and would do the look up for you. This has been
removed for some reason, and now you have to use a saslauthd daemon.

I strongly recommend you don't use the CyrusSASL saslauthd daemon if you
can avoid it. I'll say no more here, my views on CyrusSASL are mostly
unprintable. I never did manage to get it working with Kerberos though.

I've had good luck with using the Dovecot SASL daemon with Postfix, so
it's very likely possible to do the same with LDAP. This is probably an
abomination and 'the wrong thing to do', but it works without large
amounts of head beating. Under Debian/Ubuntu, it's possible to only
install the dovecot-common package, without the imapd/pop3d parts,
although I haven't actually tried this.

The other possible option is to patch all your password changing utilities
to change multiple passwords. I've found that it works, until you need to
change something, and then breaks all over again.

Hope this is helpful,
Edward Murrell


edward9122 (38)
5/1/2007 9:27:34 PM
edward@murrell.co.nz writes:

Hello,

> OpenLDAP used to have this thing where a given entry could contain a
> Kerberos principal, and would do the look up for you. This has been
> removed for some reason, and now you have to use a saslauthd daemon.
>
> I strongly recommend you don't use the CyrusSASL saslauthd daemon if you
> can avoid it. I'll say no more here, my views on CyrusSASL are mostly
> unprintable. I never did manage to get it working with Kerberos though.

at our site, we use Kerberos as the authentication service, and LDAP as
the directory and as the authentication source for services which can only
authenticate against LDAP (Zope at the moment).

The "userPassword" attribute of the users is set to
"{SASL}<user>@<REALM>" so OpenLDAP uses the saslauthd which is
configured with Kerberos as backend.

It works (although it's a bit convoluted); for password changing we have
to use only the pam_krb5 module. Since our setup was installed when
Dovecot wasn't available yet, we use the Cyrus SASL library.


Sebastian
hanigk (201)
5/2/2007 8:41:32 AM
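As an added example (not from Sebastian's or Edward's posts, nor from the OpenLDAP or Cyrus projects), here is a small Python audit of an LDIF export that checks the setup Sebastian describes: which entries delegate their password to Kerberos via the {SASL}<user>@<REALM> scheme, which still carry a local hash (the "two sets of passwords" Edward warns about), and whether each {SASL} principal matches the entry's uid and the expected realm. The LDIF sample and the realm EXAMPLE.COM are constructed.

```python
import base64
import re
# Constructed sample of an ldapsearch -LLL export (not real directory data): alice
# delegates to Kerberos, bob keeps a local SSHA hash (base64 in LDIF), carol's
# value is folded over two lines and names a foreign realm.
SAMPLE_LDIF = """\
uid: alice
userPassword: {SASL}alice@EXAMPLE.COM

uid: bob
userPassword:: e1NTSEF9bG9jYWw=

uid: carol
userPassword: {SASL}carol@OTHE
 R.ORG
"""

SASL_RE = re.compile(r"^\{SASL\}([^@]+)@(.+)$")

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; unfold 'newline + space'
    continuations first, and decode 'attr:: value' (base64) values."""
    for block in text.replace("\n ", "").strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, sep, val = line.partition(":: ")
            if sep:
                val = base64.b64decode(val).decode("utf-8", "replace")
            else:
                attr, _, val = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(val)
        yield entry

def audit_passwords(ldif_text, expected_realm):
    """Map uid -> 'kerberos' when userPassword is {SASL}<uid>@<expected_realm>
    (slapd hands the simple-bind password to saslauthd), else the problem found."""
    findings = {}
    for entry in parse_ldif(ldif_text):
        uid = entry.get("uid", ["?"])[0]
        for pw in entry.get("userpassword", []):
            m = SASL_RE.match(pw)
            if not m:  # local hash or cleartext: a second password store to keep in sync
                scheme = pw.split("}")[0] + "}" if pw.startswith("{") else "(cleartext)"
                findings[uid] = "local password " + scheme
            elif m.group(2) != expected_realm:
                findings[uid] = "realm mismatch: " + m.group(2)
            elif m.group(1) != uid:
                findings[uid] = "principal %s does not match uid" % m.group(1)
            else:
                findings.setdefault(uid, "kerberos")
    return findings
```

Note that with the {SASL} scheme the client still sends its password to slapd in a simple bind, so the LDAP connection needs TLS even though verification happens in the KDC.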