is that common to use kerberos authentication for SUN iplanet LDAP server?

Hi guys,

Does anyone have experience on this to share? 
I've set up a SUN LDAP server and it's running fine by 
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding 
to LDAP server) so I'm thinking either MD5-Digest or Kerberos.
However, it looks like SUN LDAP itself doesn't have kerberos 
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos..... 

   So I was thinking that if I can easily configure SUN LDAP to 
use MD5-digest then that should be the easiest however it seems 
that I have to store the password as plain-text in LDAP
server to enable MD5-digest and I don't want to do that (Let 
me know if there are other easier ways to enable MD5-digest). 

   So my question is: is it pretty easy to enable Kerberos 
for SUN LDAP after installing SEAM? Or can SUN LDAP use other 
KDCs as well?

Thanks a lot in advance !

P.S, I know LDAPS (LDAP over SSL) can easily achieve my goal 
however I kinda think it's an overkill since I don't really 
need to protect all the LDAP transactions except for the 
password part...

-Kent
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

0
kwu (8)
8/31/2005 9:29:23 PM
comp.protocols.kerberos

13 Replies
1176 Views


Kent Wu wrote:
> 
>    So my question is that is it pretty easy to enable Kerberos 
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other 
> KDC as well? 	 
> 

   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our 
copy against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary 
versions they sold previously also use MIT Kerberos.

   We now have several processes that regularly use only GSSAPI/SASL 
over SSL to authenticate and communicate with LDAP.  Works very well.

HTH,
Craig


0
huck1208 (10)
9/1/2005 10:58:16 AM
We, too, are very satisfied customers who use PADL's GSSAPI 
plugin. We've had no problems with the implementation and 
integration, and support from Luke is outstanding.

We built our copy against MIT Kerberos 1.2.x and use MIT KDCs. 
All of our administrative tools interact with the directory using 
GSSAPI/SASL.

  -- Tom

Thomas A. La Porte, DreamWorks Animation
<mailto:tlaporte@anim.dreamworks.com>

On Thu, 1 Sep 2005, Craig Huckabee wrote:

> Kent Wu wrote:
>>
>>    So my question is that is it pretty easy to enable Kerberos for SUN LDAP 
>> after installing SEAM? Or can SUN LDAP use other KDC as well? 
>
>  We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions they 
> sold previously also use MIT Kerberos.
>
>  We now have several processes that regularly use only GSSAPI/SASL over SSL 
> to authenticate and communicate with LDAP.  Works very well.
>
> HTH,
> Craig
>

0
tlaporte (14)
9/1/2005 2:57:19 PM
Thomas A. La Porte wrote:

>  We, too, are very satisfied customers who use PADL's GSSAPI plugin.
>  We've had no problems with the implementation and integration, and
>  support from Luke is outstanding.
>
>  We built our copy against MIT Kerberos 1.2.x and use MIT KDCs. All of
>  our administrative tools interact with the directory using
>  GSSAPI/SASL.


If all you need is GSSAPI, then it should also compile against the 
native Solaris GSSAPI libraries as well.

In Solaris 10, all of Kerberos is already bundled, along with GSSAPI, 
SASL, and SPNEGO support, which obsoletes the need to maintain a lot 
of 3rd party packages.

-Wyllys



0
9/1/2005 6:07:14 PM
On Thu, 1 Sep 2005, Wyllys Ingersoll wrote:

> If all you need is GSSAPI, then it should also compile against the native 
> Solaris GSSAPI
> libraries as well.
>
> In  Solaris 10, all of Kerberos is already bundled, along with GSSAPI, SASL, 
> and SPNEGO
> support which obsoletes the need to maintain alot of 3rd party packages.
>
> -Wyllys


Sorry, I failed to mention that we are running the SunOne/iPlanet 
server on a RedHat Linux server, which I don't believe provides 
that capability.

  -- Tom

Thomas A. La Porte, DreamWorks SKG
<mailto:tlaporte@anim.dreamworks.com>



0
tlaporte (14)
9/1/2005 6:11:52 PM
Craig,

you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption 
too. What was the reason not to use SASL/GSSAPI with encryption? An example 
is AD, which can be accessed via SASL/GSSAPI with encryption.

Thanks
Markus

"Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
news:4316DEC8.5060809@spawar.navy.mil...
> Kent Wu wrote:
>>
>>    So my question is that is it pretty easy to enable Kerberos for SUN 
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
>   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions 
> they sold previously also use MIT Kerberos.
>
>   We now have several processes that regularly use only GSSAPI/SASL over 
> SSL to authenticate and communicate with LDAP.  Works very well.
>
> HTH,
> Craig
>

0
huaraz1 (352)
9/1/2005 7:24:16 PM
Markus,

   Two reasons:

   1)  We are working towards turning off non-SSL access to our Sun LDAP 
servers.

   2)  We ran into problems when talking to AD using Perl-LDAP/SASL 
without SSL.  IIRC, we couldn't do a password change over a non-SSL port 
- AD spit back an error.  Doing everything over SSL cleared up the problems.

But, yes, in most cases we could just use one or the other.

--Craig


Markus Moeller wrote:

> Craig,
> 
> you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption 
> too. What was the reason not to use SASL/GSSAPI with encryption. And example 
> is AD, which can be accessed via SASL/GSSAPI with encryption.
> 
> Thanks
> Markus
> 
> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
> news:4316DEC8.5060809@spawar.navy.mil...
> 
>>Kent Wu wrote:
>>
>>>   So my question is that is it pretty easy to enable Kerberos for SUN 
>>>LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>
>>  We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
>>against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions 
>>they sold previously also use MIT Kerberos.
>>
>>  We now have several processes that regularly use only GSSAPI/SASL over 
>>SSL to authenticate and communicate with LDAP.  Works very well.
>>
>>HTH,
>>Craig
>>

0
huck1208 (10)
9/1/2005 8:08:09 PM
Wyllys Ingersoll wrote:

> 
> If all you need is GSSAPI, then it should also compile against the 
> native Solaris GSSAPI libraries as well.

I did that under Solaris 9, but we ran into problems.  I would have to 
look at my notes for the exact problem, and this was over a year ago.

Have not tried a build under 10 yet...

--Craig


0
huck1208 (10)
9/1/2005 8:12:28 PM
Markus,

   I know SASL/GSSAPI can do encryption according to the document;
however, I tried a while back to enable the encryption against AD while
doing kerberos authentication in my C program but failed. Did you really
enable the encryption successfully in the program? If so then I must
have missed something....

Thanks.

-Kent

On Thu, 2005-09-01 at 20:24 +0100, Markus Moeller wrote:
> Craig,
> 
> you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption 
> too. What was the reason not to use SASL/GSSAPI with encryption. And example 
> is AD, which can be accessed via SASL/GSSAPI with encryption.
> 
> Thanks
> Markus
> 
> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
> news:4316DEC8.5060809@spawar.navy.mil...
> > Kent Wu wrote:
> >>
> >>    So my question is that is it pretty easy to enable Kerberos for SUN 
> >> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
> >
> >   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
> > against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions 
> > they sold previously also use MIT Kerberos.
> >
> >   We now have several processes that regularly use only GSSAPI/SASL over 
> > SSL to authenticate and communicate with LDAP.  Works very well.
> >
> > HTH,
> > Craig
> >
-- 
Kent Wu <kwu@xsigo.com>
XSIGO INC.

0
kwu (8)
9/1/2005 8:41:34 PM
Kent,

I used for example ldapsearch on a standard SuSE SLES 9 system with heimdal
Kerberos, cyrus-sasl and openldap.
On another system I compiled MIT Kerberos, cyrus-sasl and openldap myself.
The capture of the ldapsearch was not readable text. Keep in mind you need 
the MS PAC authorisation information in your Kerberos ticket, which means 
you have to authenticate to AD.

Regards
Markus

"Kent Wu" <kwu@xsigo.com> wrote in message 
news:1125607445.15193.0.camel@jurassic.mvcorp.xsigo.com...
> Markus,
>
>   I know SASL/GSSAPI can do encryption according to the document
> however I tried a while back to enable the encryption against AD while
> doing kerberos authentication in my C program but failed. Did you really
> enable the encryption successfully in the program? If so then I must
> have missing something then....
>
> Thanks.
>
> -Kent
>
> On Thu, 2005-09-01 at 20:24 +0100, Markus Moeller wrote:
>> Craig,
>>
>> you say you use SASL + SSL. As far as I know SASL/GSSAPI can do 
>> encryption
>> too. What was the reason not to use SASL/GSSAPI with encryption. And 
>> example
>> is AD, which can be accessed via SASL/GSSAPI with encryption.
>>
>> Thanks
>> Markus
>>
>> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message
>> news:4316DEC8.5060809@spawar.navy.mil...
>> > Kent Wu wrote:
>> >>
>> >>    So my question is that is it pretty easy to enable Kerberos for SUN
>> >> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>> >
>> >   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our 
>> > copy
>> > against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary 
>> > versions
>> > they sold previously also use MIT Kerberos.
>> >
>> >   We now have several processes that regularly use only GSSAPI/SASL 
>> > over
>> > SSL to authenticate and communicate with LDAP.  Works very well.
>> >
>> > HTH,
>> > Craig
>> >
> -- 
> Kent Wu <kwu@xsigo.com>
> XSIGO INC.

0
huaraz1 (352)
9/1/2005 11:43:36 PM
To point 2) I would do the password change through Kerberos kpasswd or if 
you need to do it as an admin I think there is also a function in the MIT 
library to do so.

Regards
Markus

"Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
news:43175FA9.9090008@spawar.navy.mil...
> Markus,
>
>   Two reasons:
>
>   1)  We are working towards turning off non-SSL access to our Sun LDAP 
> servers.
>
>   2)  We ran into problems when talking to AD using Perl-LDAP/SASL without 
> SSL.  IIRC, we couldn't do a password change over a non-SSL port - AD spit 
> back an error.  Doing everything over SSL cleared up the problems.
>
> But, yes, in most cases we could just use one or the other.
>
> --Craig
>
>
> Markus Moeller wrote:
>
>> Craig,
>>
>> you say you use SASL + SSL. As far as I know SASL/GSSAPI can do 
>> encryption too. What was the reason not to use SASL/GSSAPI with 
>> encryption. And example is AD, which can be accessed via SASL/GSSAPI with 
>> encryption.
>>
>> Thanks
>> Markus
>>
>> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
>> news:4316DEC8.5060809@spawar.navy.mil...
>>
>>>Kent Wu wrote:
>>>
>>>>   So my question is that is it pretty easy to enable Kerberos for SUN 
>>>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>
>>>  We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
>>> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary 
>>> versions they sold previously also use MIT Kerberos.
>>>
>>>  We now have several processes that regularly use only GSSAPI/SASL over 
>>> SSL to authenticate and communicate with LDAP.  Works very well.
>>>
>>>HTH,
>>>Craig
>>>

0
huaraz1 (352)
9/1/2005 11:46:38 PM

I'm sorry, I didn't make what we're doing clear.  Our MIT KDC is our 
master for our realm, our AD domain trusts that realm.  We 
add/modify/delete users on our MIT KDC & AD based on our LDAP directory.

All of our users' passwords are kept solely by the KDC.  The GSSAPI LDAP 
module also includes PAM functionality so our LDAP servers use pam_krb5 
to authenticate - so no crypted password hashes in LDAP.  When we push 
down the users to AD, we set the password field there to a long, random, 
good password - the trust allows the users to authenticate solely 
from the MIT KDC.

So, in the AD case, we just set the appropriate LDAP attribute for each 
user to the crypted passwd string.  This user replication process is one 
of the many tools that uses Perl-LDAP & GSSAPI/SASL.

The tools we give our users to change their password (web based, Unix 
kpasswd, and Windows Ctrl-Alt-Del still works) only need to change it on 
the MIT KDC.  Those tools use the standard library functions or the 
Windows equivalent.

Now if only Microsoft would fix their PKINIT implementation so it would 
pass requests to trusted domains like the password functions do I'd be 
happy.

Thanks,
Craig




Markus Moeller wrote:
> To point 2) I would do the password change through Kerberos kpasswd or if 
> you need to do it as an admin I think there is also a function in the MIT 
> library to do so.
> 
> Regards
> Markus
> 
> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
> news:43175FA9.9090008@spawar.navy.mil...
> 
>>Markus,
>>
>>  Two reasons:
>>
>>  1)  We are working towards turning off non-SSL access to our Sun LDAP 
>>servers.
>>
>>  2)  We ran into problems when talking to AD using Perl-LDAP/SASL without 
>>SSL.  IIRC, we couldn't do a password change over a non-SSL port - AD spit 
>>back an error.  Doing everything over SSL cleared up the problems.
>>
>>But, yes, in most cases we could just use one or the other.
>>
>>--Craig
>>
>>
>>Markus Moeller wrote:
>>
>>
>>>Craig,
>>>
>>>you say you use SASL + SSL. As far as I know SASL/GSSAPI can do 
>>>encryption too. What was the reason not to use SASL/GSSAPI with 
>>>encryption. And example is AD, which can be accessed via SASL/GSSAPI with 
>>>encryption.
>>>
>>>Thanks
>>>Markus
>>>
>>>"Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
>>>news:4316DEC8.5060809@spawar.navy.mil...
>>>
>>>
>>>>Kent Wu wrote:
>>>>
>>>>
>>>>>  So my question is that is it pretty easy to enable Kerberos for SUN 
>>>>>LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>>
>>>> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
>>>>against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary 
>>>>versions they sold previously also use MIT Kerberos.
>>>>
>>>> We now have several processes that regularly use only GSSAPI/SASL over 
>>>>SSL to authenticate and communicate with LDAP.  Works very well.
>>>>
>>>>HTH,
>>>>Craig
>>>>

0
huck1208 (10)
9/2/2005 12:00:15 PM
Thank you
Markus

"Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
news:43183ECF.6050102@spawar.navy.mil...
>
>
> I'm sorry, I didn't make what we're doing clear.  Our MIT KDC is our 
> master for our realm, our AD domain trusts that realm.  We 
> add/modify/delete users on our MIT KDC & AD based on our LDAP directory.
>
> All of our user's passwords are kept solely by the KDC.  The GSSAPI LDAP 
> module also includes PAM functionality so our LDAP servers use pam_krb5 to 
> authenticate - so no crypted password hashes in LDAP.  When we push down 
> the users to AD, we set the password field there to a long, random, good, 
> password - the trust allows the users to authenticate solely from the MIT 
> KDC.
>
> So, in the AD case, we just set the appropriate LDAP attribute for each 
> user to the crypted passwd string.  This user replication process is one 
> of the many tools that uses Perl-LDAP & GSSAPI/SASL.
>
> Our tools we give our users to change their password (web based, Unix 
> kpasswd, and Windows Ctrl-Alt-Del still works) only need to change it on 
> the MIT KDC.  Those tools use the standard library functions or the 
> Windows equivalent.
>
> Now if only Microsoft would fix their PKINIT implementation so it would 
> pass requests to trusted domains like the password functions do I'd be 
> happy.
>
> Thanks,
> Craig
>
>
>
>
> Markus Moeller wrote:
>> To point 2) I would do the password change through Kerberos kpasswd or if 
>> you need to do it as an admin I think there is also a function in the MIT 
>> library to do so.
>>
>> Regards
>> Markus
>>
>> "Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
>> news:43175FA9.9090008@spawar.navy.mil...
>>
>>>Markus,
>>>
>>>  Two reasons:
>>>
>>>  1)  We are working towards turning off non-SSL access to our Sun LDAP 
>>> servers.
>>>
>>>  2)  We ran into problems when talking to AD using Perl-LDAP/SASL 
>>> without SSL.  IIRC, we couldn't do a password change over a non-SSL 
>>> port - AD spit back an error.  Doing everything over SSL cleared up the 
>>> problems.
>>>
>>>But, yes, in most cases we could just use one or the other.
>>>
>>>--Craig
>>>
>>>
>>>Markus Moeller wrote:
>>>
>>>
>>>>Craig,
>>>>
>>>>you say you use SASL + SSL. As far as I know SASL/GSSAPI can do 
>>>>encryption too. What was the reason not to use SASL/GSSAPI with 
>>>>encryption. And example is AD, which can be accessed via SASL/GSSAPI 
>>>>with encryption.
>>>>
>>>>Thanks
>>>>Markus
>>>>
>>>>"Craig Huckabee" <huck@spawar.navy.mil> wrote in message 
>>>>news:4316DEC8.5060809@spawar.navy.mil...
>>>>
>>>>
>>>>>Kent Wu wrote:
>>>>>
>>>>>
>>>>>>  So my question is that is it pretty easy to enable Kerberos for SUN 
>>>>>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>>>
>>>>> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy 
>>>>> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary 
>>>>> versions they sold previously also use MIT Kerberos.
>>>>>
>>>>> We now have several processes that regularly use only GSSAPI/SASL over 
>>>>> SSL to authenticate and communicate with LDAP.  Works very well.
>>>>>
>>>>>HTH,
>>>>>Craig
>>>>>

0
huaraz1 (352)
9/2/2005 8:17:36 PM
Kent Wu wrote:

>    So my question is that is it pretty easy to enable Kerberos 
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other 
> KDC as well?

You can use Sun's Directory server with a non-Sun KDC, you just have to 
have SEAM (Sun's Kerberos) set up on the directory server (ie - it needs 
the client libs). If you have an install on Solaris 9 or 10 I don't even 
think you need to install anything - the Kerberos libs are already there. 
(You will have to run the directory server on a Solaris box). See 
http://docs.sun.com/source/817-7613/ssl.html

-dan

Markus Moeller wrote:

> you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption 
> too. What was the reason not to use SASL/GSSAPI with encryption. And example 
> is AD, which can be accessed via SASL/GSSAPI with encryption.

Whether a directory can do SASL/GSSAPI data privacy and/or integrity is 
directory server specific. Some directories (AD) support privacy and/or 
integrity protection. Others (Sun) don't, so you must use SSL. One other 
thing to be aware of is that clients can downgrade the privacy and 
integrity protection. If clients can downgrade the data protection, it 
makes me wonder if an attacker can downgrade the session. I haven't 
looked into it enough.

-dan
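Markus's check above (an ldapsearch capture that is not readable text) and Dan's caveat (a SASL/GSSAPI bind does not by itself mean the rest of the session is protected) can both be made from a packet capture. The following is an added example and not code from anyone in this thread: it parses only the BER framing of client PDUs, and the DN, password and token bytes in its samples are constructed.

```python
"""Classify captured client-to-server LDAP PDUs: is a password visible on the wire?

Added example, not code from the thread. The sample PDUs at the bottom are
constructed inline (hypothetical DN, password and token bytes) so it runs offline.
"""


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one BER TLV; used only to build the constructed samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at buf[pos]; returns (tag, value, end_offset)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, ln = buf[pos], buf[pos + 1]
    pos += 2
    if ln & 0x80:                                  # long-form length
        k = ln & 0x7F
        if not 1 <= k <= 4 or pos + k > len(buf):
            raise ValueError("bad length encoding")
        ln = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + ln > len(buf):
        raise ValueError("truncated TLV body")
    return tag, buf[pos:pos + ln], pos + ln


def classify_pdu(pdu: bytes) -> dict:
    """Describe what one on-the-wire client PDU reveals to a passive observer.

    kind is 'tls' (TLS record, payload invisible), 'opaque' (neither TLS nor
    BER, which is what SASL security-layer framing looks like after a GSSAPI
    bind that negotiated privacy) or 'ldap' (cleartext LDAPMessage, readable).
    """
    if not pdu:
        raise ValueError("empty PDU")
    if pdu[0] in (0x14, 0x15, 0x16, 0x17):        # TLS record content types
        return {"kind": "tls"}
    try:
        tag, msg, _ = _read_tlv(pdu)               # LDAPMessage ::= SEQUENCE
        if tag != 0x30:
            return {"kind": "opaque"}
        _, mid, p = _read_tlv(msg)                 # messageID INTEGER
        op_tag, op, _ = _read_tlv(msg, p)          # protocolOp CHOICE
    except ValueError:
        return {"kind": "opaque"}
    info = {"kind": "ldap", "message_id": int.from_bytes(mid, "big"), "op": op_tag}
    if op_tag != 0x60:                             # [APPLICATION 0] BindRequest
        return info
    try:
        _, _, p = _read_tlv(op)                    # version INTEGER
        _, name, p = _read_tlv(op, p)              # name LDAPDN
        auth_tag, auth, _ = _read_tlv(op, p)       # AuthenticationChoice
    except ValueError:
        info["auth"] = "malformed"
        return info
    info["bind_dn"] = name.decode("utf-8", "replace")
    if auth_tag == 0x80:                           # simple [0] OCTET STRING
        info["auth"] = "simple"
        info["password_exposed"] = len(auth) > 0   # exactly what Kent wants to avoid
        info["unauthenticated"] = len(auth) == 0 and len(name) > 0
    elif auth_tag == 0xA3:                         # sasl [3] SaslCredentials
        _, mech, _ = _read_tlv(auth)               # mechanism LDAPString
        info["auth"] = "sasl"
        info["mechanism"] = mech.decode("ascii", "replace")
        info["password_exposed"] = False           # only a Kerberos token crosses the wire
    else:
        info["auth"] = "unknown"
    return info


def session_protected(pdus_after_bind) -> bool:
    """True only if nothing after the bind is readable LDAP, i.e. a TLS or SASL
    security layer is really in effect; a GSSAPI bind by itself proves nothing."""
    return all(classify_pdu(p)["kind"] != "ldap" for p in pdus_after_bind)


# Constructed samples: hypothetical DN/password; the GSSAPI token is dummy bytes.
SIMPLE_BIND = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"uid=kent,ou=people,dc=example,dc=com")
    + _tlv(0x80, b"hunter2")))
GSSAPI_BIND = _tlv(0x30, _tlv(0x02, b"\x02") + _tlv(0x60,
    _tlv(0x02, b"\x03") + _tlv(0x04, b"")
    + _tlv(0xA3, _tlv(0x04, b"GSSAPI") + _tlv(0x04, b"\x60\x82\x01\xce" + bytes(8)))))
SEARCH_CLEAR = _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x63,     # SearchRequest
    _tlv(0x04, b"dc=example,dc=com") + _tlv(0x0A, b"\x02")))
SASL_WRAPPED = (42).to_bytes(4, "big") + bytes(range(0x9C, 0x9C + 42))  # len + ciphertext
TLS_RECORD = b"\x17\x03\x01\x00\x20" + bytes(32)                       # TLS app-data record
```

Run it over the client-to-server PDUs of a real capture: a simple bind reported as password_exposed, or any 'ldap' PDU after a GSSAPI bind, means the password or the directory traffic is readable on the path.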

RE: is that common to use kerberos authentication for SUN iplanet LDAP server? #2
Markus, I know SASL/GSSAPI can do encryption according to the document however I tried a while back to enable the encryption against AD while doing kerberos authentication in my C program but failed. Did you really enable the encryption successfully in the program? If so then I must have missing something then.... Thanks. -Kent -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf Of Markus Moeller Sent: Thursday, September 01, 2005 12:24 PM To: kerberos@mit.edu Subject: Re: is that common to use kerberos authentication for SUN iplanet LDAP server? Craig, you say you use SASL + SSL. As far as I know SASL/GSSAPI can do encryption too. What was the reason not to use SASL/GSSAPI with encryption. And example is AD, which can be accessed via SASL/GSSAPI with encryption. Thanks Markus "Craig Huckabee" <huck@spawar.navy.mil> wrote in message news:4316DEC8.5060809@spawar.navy.mil... > Kent Wu wrote: >> >> So my question is that is it pretty easy to enable Kerberos for SUN >> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well? > > We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy > against MIT Kerberos 1.3.x and use MIT KDCs. I think the binary versions > they sold previously also use MIT Kerberos. > > We now have several processes that regularly use only GSSAPI/SASL over > SSL to authenticate and communicate wi...

Trouble authenticating with Kerberos & LDAP
I've been very frustrated trying to get this to work. We are trying to use a windows 2003 server as our Kerberos server, along with our openldap on solaris as our directory server. The machines we want to authenticate on are all Solaris 9. The ldap tree is fully populated, and working properly. With our current nsswitch.conf, logins work using the ldap directory (with posixAccount & shadowAccount records), as does a getent passwd <ldapusername>. Also, we have our Windows 2003 server's directory setup with named users, and with our current pam.conf, we can authenticate aga...

Microsoft SSPI error
Hello, I have configuration of active directory 2003 r2 sp3 working with linux mod_auth_kerb. I use SPNEGO for subversion. When using Linux all work great! When using Windows XP(and Windows 7) Firefox/IE/cifs client work great. Problem is subversion which uses neon, it get the following: --- Running post_send hooks ah_post_send (#1), code is 201 (want 401), WWW-Authenticate is Negotiate oYGfMIG coAMKAQChCwYJKoZIhvcSAQICooGHBIGEYIGBBgkqhkiG9xIBAgICAG9yMHCgAwIBBaEDAgEPomQwYqA DAgEXolsEWTLvPLmZvxBgaMEmPDDTIeG9bdJ5rmfTEtsj6Cv9eF9s9Z8sBWhVhPXYzIVsm/sw0hqR+1u DM9frpOeV2Y0YGtDk2flN5iOM/HdEujj0GXAYEWHvPp/3kSc2 auth: SSPI challenge. InitializeSecurityContext [fail] [80090304]. sspi: initializeSecurityContext [failed] [80090304]. --- At windows event log I see the following: --- Event Type: Warning Event Source: LSASRV Event Category: SPNEGO (Negotiator) Event ID: 40962 Date: 10/3/2011 Time: 3:55:38 PM User: N/A Computer: VALON Description: The Security System was unable to authenticate to the server HTTP/correlux-gentoo.correlsense.com because the server has completed the authentication, but the client authentication protocol Kerberos has not. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. --- Had anyone seen this before? I tried many configurations, but without success: --- Gentoo --- dev-libs/openssl-1.0.0e -> also downgraded to openssl-0.9.8f www-servers/apache-2.2.21 www-apache/mod_auth_kerb-5.4 -> also downgraded to m...

Unable to run SASL using GSSAPI/kerberos 5 as authentication against Sun One Directory Server
I am trying to run the same example that Microsoft has given for authentication. I am trying this sample against SEAM and not AD. FYI: I am able to run gssapi samples successfully. Also /var/Sun/mps/shared/bin/ldapsearch -o mech=GSSAPI -h blade -p 389 -o realm="quark.co.in" -o authzid="test@QUARK.CO.IN" -b "ou=people,dc=quark,dc=co,dc=in" objectclass=* runs well, so I know that I do not have installation problems. Though I am able to get the ticket, I still get an error (error.txt, attached, is the output). $klist Ticket cache: /tmp/krb5cc_1023 Default principal: test@QUARK.CO.IN Valid starting Expires Service principal Fri Feb 27 20:22:14 2004 Sat Feb 28 04:22:14 2004 krbtgt/QUARK.CO.IN@QUARK.CO.IN Fri Feb 27 20:26:52 2004 Sat Feb 28 04:22:14 2004 ldap/blade.quark.co.in@QUARK.CO.IN Any small hint shall also be of great use. ---------------------------Output at full log traceLevel----------------------------- ldap_open ldap_init nsldapi_open_ldap_connection nsldapi_connect_to_host: blade:389 sd 4 connected to: 10.91.198.100 ldap_open successful, ld_host is (null) LDAP service name: ldap@blade ==> client_establish_context Sending init_sec_context token (size=466)... 60 82 01 ce 06 09 2a 86 48 86 f7 12 01 02 02 01 00 6e 82 01 bd 30 82 01 b9 a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 01 01 61 81 fe 30 81 fb a0 03 02 01 05 a1 0d 1b 0b 51 55 41 52 4b 2e 43 4f 2e 49 4e a2 24 30 22 a0 03 02 01 03 a1 1...

Authenticate Using Multiple LDAPs Sun One Web Server
I am wondering if it is possible to configure Sun One Web Server to authenticate users against more than one LDAP server. For example, if a user is in either one of two LDAP servers (active directory or Aphelion), they will be granted access to the web site. B Dolley wrote: > I am wondering if it is possible to configure Sun One Web Server to > authenticate users against more than one LDAP server. For example, if > a user is in either one of two LDAP servers (active directory or > Aphelion), they will be granted access to the web site. Dear Mr. B :-) I'm not familiar with aph...

Forcing the use of kerberos by ldap clients when connecting to an openldap server
Hello all, I have an openldap server that successfully authenticates against a kerberos setup: [jamie@janeiro ~]$ ldapwhoami -Y GSSAPI SASL/GSSAPI authentication started SASL username: jamie@example.com SASL SSF: 56 SASL installing layers dn:uid=jamie,ou=people,dc=example,dc=com Result: Success (0) When I do not put -Y GSSAPI in, I get: [jamie@janeiro ~]$ ldapwhoami ldap_sasl_interactive_bind_s: No such object (32) Is it possible to force the client or server to use GSSAPI for authentication, so I don't need to write it every time? In my slapd.conf file I have: TLSCertificateFile /etc/openldap/cacerts/newcert.pem TLSCertificateKeyFile /etc/openldap/cacerts/newreq.pem .... sasl-secprops noanonymous,noplain,noactive saslRegexp uid=([^/]*),cn=GSSAPI,cn=auth uid= $1,ou=people,dc=example,dc=com In particular this sasl-secprops (according to the website I pilfered that line off) in theory will force the use of GSSAPI, but in practice it doesn't. The reason I wish to force GSSAPI is to make a java app I need to interoperate with use the right mechanism (i.e. GSSAPI), and hence authenticate against kerberos via LDAP rather than authenticate against ldap only. Thanks for any help. Jamie Actually I'm a putz. What I was trying to do would never have worked! Authentication against LDAP using GSSAPI requires the user to have already signed into a kerberos realm and have a token. In my setup, that token was not available (the user never signs in), hence it'...

Changing master key (Kerberos authentication server+LDAP database)
Is it possible to change the master key of a realm when LDAP is used as the database server? The stash file is not present since LDAP is used. Appreciate any help on this. Thanks, Anubha ...

Authenticating Mac OSX 10.3.X to Kerberos using LDAP.
Hi, I am trying to allow students in the Mac lab to authenticate at the login prompt to Kerberos using LDAP. I followed the instructions on various web sites but the only way that I was able to log in with a valid kerberos username and password was if I created a local account with the same short uid name. I would like to avoid having to create local accounts and allow any student who has a valid kerberos username and password to be able to login. We are not using AFS. Is there another way to do this? I would appreciate any help you can provide. Thank you in advance and I look forward to hearing from you. Darin Pemberton Technical Specialist Barnard College, Columbia University. dpembert@barnard.edu, dp2128@columbia.edu 212-854-9096 ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos On 2005-07-20 10:55:51 -0500, dpembert@barnard.edu (Darin Pemberton) said: > Hi, > I am trying to allow students in the Mac lab to authenticate at > the login prompt to Kerberos using LDAP. I followed the instructions > on various web sites but the only way that I was able to log in with a > valid kerberos username and password was if I created a local account > with the same short uid name. There's a big misunderstanding. Authenticating over Kerberos using LDAP?? Why? Why not using just Kerberos? LDAP can be used for information retrieval like home...

ldap used with Kerberos and squid
I am developing a security system for which I am looking at using LDAP and Kerberos to achieve authentication and authorization. Now I have a problem: I want a single user, for which I wanted to use a RADIUS server, but it's not for a single user. What's the way forward...

VPN using Kerberos authentication
I'm trying to set up the Cisco VPN on a PIX 515e, running 7.0(4)2 to use Kerberos authentication (via our Windows 2000 Server), using the Cisco VPN client. I got the VPN to work with both the local authentication (the local user database on the PIX), and with NT authentication, but what we really want is to use Kerberos authentication. I set up the VPN using the ASDM VPN Wizard, which seems to work great, other than this Kerberos issue, and so I'll only list the parameters (and the responses I give) on the Wizard page that deals with AAA. Field on the VPN wizard ...

Authentication with Kerberos & LDAP
Hello, I'm looking for material written about authenticating users in an LDAP directory with Kerberos. I would for example want to log into several servers via say SSH with an account present in an LDAP directory, and have this be authenticated with Kerberos. I've seen some half-finished documents about this, mostly in Linux environments, but nothing's really good. Much appreciated if someone could point me in a direction. /Paul ...

Using Solaris 10 built in Kerberos support with Kerberos application
In an attempt to use vendor-provided Kerberos support where possible, we have been able to use the Solaris 10 Kerberos and the Solaris-provided kinit, pam_krb5 and ssh or any application that uses Kerberos via GSSAPI. But we have a number of other Kerberos applications, including qpop for Kerberized pop service, aklog with OpenAFS and kerberized CVS. The problem is that Solaris only exposes Kerberos via GSSAPI, and does not provide the krb5.h files or the normal Kerberos libraries. *What I would like to ask SUN is to include the krb5.h and its friends with the Solaris 10 base system.* To get around this, http:/www.opesolaris.org/source/xref/usr/src/uts/common/gsspai/mechs/krb5/include has a krb5.h that appears to match the /usr/lib/gss/mech_krb5.so that comes with Solaris 10. (I actually downloaded the tarfile to get the header files.) I have managed to get qpop-4.0.5 and OpenAFS-1.4.0-RC1 aklog to compile and run using this krb5.h with some modification, and the MIT-1.4.1 profile.h and com_err.h. Some problems along the way: o mech_krb5.so has most of the Kerberos routines and can be used as a shared library, but is clumsy to link as it's not a "libxxx" o The opensolaris krb5.h is not guaranteed to match the mech_krb5.so o The krb5.h refers to profile.h which is not supplied. o Many of the Kerberos applications also use com_err.h which is not supplied. o There is no com_err add_error_table. o Solaris does not have krb524. So aklo...

Linux authentication using Kerberos and AD
I am trying to establish single sign-on using Linux, AD and Kerberos. I have created a test account in AD which does not exist in either local files or NIS. I have created a keytab file and imported it on my Linux box, configured both /etc/krb5.conf and /etc/pam.conf for my Realm and Kerberos. I can use kinit to authenticate my test account and can see the TGT for my test account as the security principal with klist. However I can't see the test account with getent passwd, which may explain why I can't log on as the test account. The pam_krb5 error indicates it can't get a uid/gid. I can authenticate if I put a corresponding account in /etc/passwd or NIS but this defeats the point of the exercise. Can anyone suggest what I may have missed and what needs to be edited in order for getent passwd to work? Kevin Gallagher Network Services Group C & IT Edinburgh Scotland ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Using ssh-keys for kerberos authentication
Hi! I'm wondering whether it is (at least theoretically) feasible to use an ssh key to get kerberos tokens!? This is fairly important to me, since filesystems such as coda, afs or nfsv4 depend on kerberos authentication to access the filespace. Patches for ssh exist that pass the token before trying to access .ssh/authorized_keys, but what if one doesn't even have tokens? Thanks in advance, Michael ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos >>>>> "Michael" == Michael Tautschnig <michael.tautschnig@zt-consulting.com> writes: Michael> Hi! I'm wondering whether it is (at least theoretically) Michael> feasible to use an ssh key to get kerberos tokens!? This Michael> is fairly important to me, since filesystems such as Michael> coda, afs or nfsv4 depend on kerberos authentication to Michael> access the filespace. It is theoretically possible. You would need to modify the Kerberos KDC to support this. Why not just use Kerberos authentication at the ssh layer, though? ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos > > Michael> Hi! I'm wondering whether it is (at least theoretically) > Michael> feasible to use an ssh key to get kerberos tokens!? This > Michael>...

Using Kerberos Authentication for SSH Login
I am having a hard time using the Kerberos authentication method for SSH login on Red Hat Advanced Server 3.0. Basically I am trying to authenticate against MS AD. I was able to configure /etc/krb5.conf and create a Kerberos ticket w/out any error message, and I can telnet and login via console using my MS AD login and password. But the only problem I am having is ssh login; it is not working smoothly for me. If someone has encountered a similar problem please let me know, I would appreciate all the help I can get. Thanks, ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos ...

Kerberos vs. LDAP for authentication -- any opinions?
At the risk of starting a religious war.... We currently use Kerberos for authentication for almost everything on our network. Some people here are advocating switching to using LDAP for authentication (we already have a pretty well developed LDAP infrastructure). This would of course require everyone to change their password as well as the trauma of recoding applications that currently use Kerberos and haven't been converted to using PAM. Anyone have any pointers to information about the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment? Any info is, of course, greatly appreciated. - C -- Email: cyberp70@yahoo.com LDAP is not an authentication infrastructure. All you are doing with LDAP is providing a database of usernames and passwords which is accessible over the network. Your users must then transmit said usernames and passwords across the network to a potentially compromised machine in order for them to be validated against the copies stored in LDAP. To me this approach is unacceptable. cyberp70@yahoo.com wrote: > At the risk of starting a religious war.... > > We currently use Kerberos for authentication for almost everything > on our network. Some people here are advocating switching to using > LDAP for authentication (we already have a pretty well developed LDAP > infrastructure). This would of course require everyone to change > their password as well as the trauma of recoding applicat...

Problem using Kerberos for user authentication
I'm trying to get off the ground setting up Kerberos on a Fedora 11 box. I've attempted to follow the instructions here: http://aput.net/~jheiss/krbldap/howto.html "kinit username/admin" appears to work. But I can't get system logins to work. I've used the authconfig-tui utility to enable Kerberos for authentication; /etc/pam.d/system-auth looks like this: #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth ...

Kerberos authentication between XP and 2000 server
Hi, I am trying to use Windows 2000 server as KDC for an XP machine. I read that, by default, if the 2000 server is configured as DC, kerberos is used as the authentication method by default. I am not able to authenticate using Kerberos. Steps done: I have configured the windows 2000 server as DC and added the XP as a computer to it and also added a user. I am able to login to the DC. I have downloaded the ktray tools from the microsoft site. On DC, when I use the ktray tool, I can see the client name: Administrator@MYDOMAIN.COM service name: krbtgt/MYDOMAIN.COM@MYDOMAIN.COM target name : krbtgt/MYDOMAIN.COM@MYDOMAIN.COM On XP, I see nothing :( Can anybody please say what could be the problem? Thanks. The very first thing to check is DNS. You must have valid fully qualified domain names for your XP and 2000 Server machines or the Kerberos authentication will fail and the workstation will fall back to NTLM. mdj_frend@yahoo.com wrote: > Hi, > > I am trying to use Windows 2000 server as KDC for an XP machine. I read > that, by default, if the 2000 server is configured as DC, kerberos is > used as the authentication method by default. I am not able to authenticate > using Kerberos. > > Steps done: > I have configured the windows 2000 server as DC and added the XP > as a computer to it and also added a user. I am able to login to the DC. > I have downloaded the ktray tools from the microsoft site. > > On DC, when I use the ktray tool, I can see the...

replacing Heimdal with MIT Kerberos, and Kerberos key attributes in LDAP back-end
Hi all Since we are migrating from Debian to RedHat, we are considering replacing our Heimdal Kerberos server (with LDAP back-end) with an MIT Kerberos server (again with LDAP back-end) since RedHat packages are only available for MIT Kerberos. In order to make this migration/upgrade as transparent as possible for our users, we want to convert all the necessary info in the Heimdal back-end to the MIT back-end. Are there any pointers available for this kind of operation? E.g. things like conversion tables mapping the corresponding Kerberos-specific LDAP attributes? Or even scripts? I'm especially looking at the Kerberos key attributes, i.e. - Heimdal: krb5Key - MIT: krbPrincipalKey Is it possible to convert the former into the latter? Is there any code available for this operation? If not, we would have to require all our users to change their passwords at the same time, which is not very feasible. Thanks in advance Bart ...

RE: Linux authentication using Kerberos and AD
Also, I believe that you must either put the user into NIS or the local files, you do not have to have a shadow entry in local files. I have not tried via NIS yet. On the MS side you do not need AD4Unix. You need to install the current service packs, if 2000 you need the high encryption pack, and Microsoft services for UNIX 3.5 I think is the current version. In the AD user management tool you need to go to the UNIX tab and add that user to NIS. Make sure the uid and gid match what you put into the passwd file. On your Linux client you need a ldap.conf something like this... host yourhost base dc=your,dc=ad,dc=domain ldap_version 3 binddn cn=yourldapauthorizedaccount,cn=Users,dc=your,dc=ad,dc=domain bindpw aboveuserspw pam_password ad nss_map_objectclass posixAccount User nss_map_objectclass shadowAccount User nss_map_attribute uid msSFU30Name nss_map_attribute uniqueMember member nss_map_attribute userPassword msSFU30Password nss_map_attribute homeDirectory msSFU30HomeDirectory nss_map_objectclass posixGroup group nss_map_attribute uidNumber msSFU30UidNumber nss_map_attribute gidNumber msSFU30GidNumber nss_map_attribute gecos displayName nss_map_attribute loginShell msSFU30LoginShell pam_login_attribute msSFU30Name pam_filter objectclass=User You need to configure your files in /etc/pam.d properly You need to add ldap to /etc/nsswitch.conf Of course you have to setup krb5.conf kdc.conf -----Original Message----- From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mi...

Creating a Kerberos user principal using LDAP
Given a KDC using the LDAP backend, has anyone created a stand-alone tool to create user principals by directly adding an LDAP entry? Apparently the difficulty is correctly creating the ASN.1 encoded key attribute (krbPrincipalkey), which is harder still because of the need to encrypt it using the master key (krbMKey). In the LDAP world, it isn't unusual that the password attribute value is generated with a special tool (unless the plaintext password is used). I think two tools would be interesting. 1. A tool that only spits out the krbPrincipalkey attribute on STDOUT. 2. A tool that creates the whole user principal including the krbPrincipalkey. More specifically, I would like some perl or python code that I can include in a larger project. If either tool has not been created, there is code from the FreeIPA project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that fetches the master key and properly creates the ASN.1 encoded key. That code could be used as a starting point or inspiration. Dax Kelson Guru Labs Dax Kelson wrote: > If either tool has not been created, there is code from the FreeIPA > project, inside ipa_pwd_extop.c (see http://tinyurl.com/cfu63x) that > fetches the master key and properly creates the ASN.1 encoded key. That > code could be used as a starting point or inspiration. Security-wise, catching the modify password extended operation at the LDAP server's side is IMHO the right thing to do. FreeIPA does that for Fedor...

How to make LDAP data needed for Kerberos authentication
Hi, When I use the style of combination with Kerberos and OpenLDAP, I try to write java code with Novell LDAP Classes for Java to enter LDAP data needed for Kerberos authentication. Please tell me how to make LDAP data needed for Kerberos authentication or a pointer (URL, Document, etc) to information for this purpose. Regards, --Shigeru -- Shigeru Ishida <ishida_shigeru@webgen.co.jp> INTEC Web and Genome Informatics Corporation. ISL BLDG 2F, 3-23 Shimoshin Town, Toyama City, Toyama, Japan, 930-0804 Web Site: www.webgen.co.jp ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos A list of useful links is here; http://swik.net/kerberos+LDAP+Java Shigeru Ishida wrote: > Hi, > > When I use the style of combination with Kerberos and OpenLDAP, > I try to write java code with Novell LDAP Classes for Java to > enter LDAP data needed for Kerberos authentication. > > Please tell me how to make LDAP data needed for Kerberos > authentication or a pointer (URL, Document, etc) to information > for this purpose. > > Regards, > > --Shigeru > > -- > Shigeru Ishida <ishida_shigeru@webgen.co.jp> > INTEC Web and Genome Informatics Corporation. > ISL BLDG 2F, 3-23 Shimoshin Town, > Toyama City, Toyama, Japan, 930-0804 > Web Site: www.webgen.co.jp > > ________________________________________________ > Kerberos mail...
