Authenticate user with Kerberos & LDAP-backend - Kerberos



Thread: Authenticate user with Kerberos & LDAP-backend

  1. Authenticate user with Kerberos & LDAP-backend

    Hi All

    There is an LDAP server which stores many users, serving authentication in my company. Now I have set up a Kerberos server to implement a single-sign-on mechanism; after that I saw some ideas about Kerberos with an LDAP backend. It is great; I deployed it successfully on a test server. But now there is a thing I'm confused about: after using the LDAP backend, can I use Kerberos to authenticate some services (SSH, for example), LDAP to authenticate other services (FTP, HTTP, ... for example), and all the attributes of the user (cn, userPassword, ... for example) for other usage, but have users change their password with the kpasswd tool?

    Has anyone experienced this situation? Please give me some ideas on how to implement it.

    Thank you,
    Hung Ta
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Authenticate user with Kerberos & LDAP-backend

    Having been down this road, I can tell the you with complete confidence
    that... it depends.

    If the LDAP server is Active Directory, you can use LDAP or AD for
    authentication, and they'll both work with the same password.

    If you're using OpenLDAP and MIT Kerberos, it's a bit more of a problem,
    since you essentially end up with two sets of passwords, which is not
    pretty.

    If you're using PAM for everything, it's easier to get everything to use
    that instead. That way, you get SSO where applications support it, and
    where they don't, they still use the Kerberos back end via PAM. I did this
    for email, where none of the installed software supported Kerberos SSO.
    Once Kerberos was working properly (my fault, I explicitly ignored some of
    the strongly worded recommendations in the admin manual) it was pretty
    darn near bulletproof.

    The problem child is various applications that only support an LDAP
    backend, and can't be changed to use Kerberos directly.

    OpenLDAP used to have this thing where a given entry could contain a
    Kerberos principal, and would do the lookup for you. This has been
    removed for some reason, and now you have to use a saslauthd daemon.

    I strongly recommend you don't use the CyrusSASL saslauthd daemon if you
    can avoid it. I'll say no more here, my views on CyrusSASL are mostly
    unprintable. I never did manage to get it working with Kerberos though.

    I've had good luck with using the Dovecot sasl daemon with postfix, so
    it's very likely possible to do the same with LDAP. This is probably an
    abomination and 'the wrong thing to do', but it works without large
    amounts of head beating. Under Debian/Ubuntu, it's possible to only
    install the dovecot-common package, without the imapd/pop3d parts,
    although I haven't actually tried this.

    The other possible option is to patch all your password changing utilities
    to change multiple passwords. I've found that it works, until you need to
    change something, and then breaks all over again.

    Hope this is helpful,
    Edward Murrell




  3. Re: Authenticate user with Kerberos & LDAP-backend

    edward@murrell.co.nz writes:

    Hello,

    > OpenLDAP used to have this thing where a given entry could contain a
    > Kerberos principal, and would do the lookup for you. This has been
    > removed for some reason, and now you have to use a saslauthd daemon.
    >
    > I strongly recommend you don't use the CyrusSASL saslauthd daemon if you
    > can avoid it. I'll say no more here, my views on CyrusSASL are mostly
    > unprintable. I never did manage to get it working with Kerberos though.


    At our site, we use Kerberos as the authentication service, and LDAP as
    the directory and as the authentication source for services which can only
    authenticate against LDAP (Zope at the moment).

    The "userPassword" attribute of the users is set to
    "{SASL}@" so OpenLDAP uses saslauthd, which is
    configured with Kerberos as the backend.

    It works (although it's a bit convoluted); for password changing we have
    to use only the pam_krb5 module. Since our setup was installed when
    Dovecot wasn't available yet, we use the Cyrus SASL library.


    Sebastian
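The practical risk both replies circle around is the "two sets of passwords" problem: once some LDAP entries carry a stored hash while others delegate to the KDC via a `{SASL}` userPassword value, a kpasswd change updates only the Kerberos key and the LDAP copy silently keeps accepting the old password. The following audit script is an added example, not code from either poster's site. It parses a constructed LDIF export (the five sample accounts, the `EXAMPLE.COM` realm and the category labels are all assumptions of mine), classifies each userPassword value by scheme, flags `{SASL}` principals whose realm is missing or differs from the expected one (those would be resolved through saslauthd's default realm, or not at all), and lists the accounts whose LDAP secret can drift from the KDC.

```python
import base64
import re

# Constructed sample LDIF export (not from the thread).  Five accounts whose
# userPassword attribute is stored in different ways: bob's {SSHA} hash and
# carol's cleartext password are placeholders, and dave's cn is folded.
_BOB_VALUE = base64.b64encode(b"{SSHA}placeholder-hash").decode("ascii")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    "uid: alice\n"
    "userPassword: {SASL}alice@EXAMPLE.COM\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    "uid: bob\n"
    "userPassword:: " + _BOB_VALUE + "\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=com\n"
    "uid: carol\n"
    "userPassword: placeholder-cleartext\n"
    "\n"
    "dn: uid=dave,ou=people,dc=example,dc=com\n"
    "uid: dave\n"
    "cn: Dave\n"
    "  Example\n"
    "\n"
    "dn: uid=erin,ou=people,dc=example,dc=com\n"
    "uid: erin\n"
    "userPassword: {SASL}erin\n"
)

_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse LDIF content records into a list of {attr_lowercase: [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ("attr:: ..."), which is how most exports write userPassword.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # the trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        m = _ATTR_RE.match(line)
        if not m:
            raise ValueError("malformed LDIF line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    return entries


# Password-source classes (my own labels for this example).
KERBEROS = "kerberos"            # {SASL}: slapd hands the bind to saslauthd -> KDC
REALM_MISMATCH = "kerberos-realm-mismatch"  # {SASL} but not the expected realm
LOCAL_HASH = "local-hash"        # {SSHA}, {CRYPT}, ...: a second secret in LDAP
CLEARTEXT = "cleartext"          # no scheme prefix, or {CLEARTEXT}
NO_PASSWORD = "no-password"

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.DOTALL)


def classify_password(value):
    """Return (class, principal_or_None) for one userPassword value."""
    if value is None:
        return NO_PASSWORD, None
    m = _SCHEME_RE.match(value)
    if not m:
        return CLEARTEXT, None
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":
        return KERBEROS, rest
    if scheme == "CLEARTEXT":
        return CLEARTEXT, None
    return LOCAL_HASH, None


def audit_password_sources(entries, expected_realm):
    """Map uid -> (class, principal).  A {SASL} principal whose realm is
    missing or differs from expected_realm is flagged: saslauthd would
    resolve it through its default realm (or fail), not the intended KDC."""
    report = {}
    for entry in entries:
        uid = entry.get("uid", ["?"])[0]
        cls, principal = classify_password(entry.get("userpassword", [None])[0])
        if cls == KERBEROS and principal.partition("@")[2] != expected_realm:
            cls = REALM_MISMATCH
        report[uid] = (cls, principal)
    return report


def divergent_accounts(report):
    """uids holding their own secret in LDAP: after kpasswd changes the
    Kerberos key, these entries still accept the old password."""
    return sorted(uid for uid, (cls, _) in report.items()
                  if cls in (LOCAL_HASH, CLEARTEXT))


if __name__ == "__main__":
    rep = audit_password_sources(parse_ldif(SAMPLE_LDIF), "EXAMPLE.COM")
    for uid, (cls, principal) in sorted(rep.items()):
        print("%-6s %-24s %s" % (uid, cls, principal or ""))
    print("divergent from KDC:", ", ".join(divergent_accounts(rep)))
```

Run it against a real `slapcat` or `ldapsearch -LLL` dump with the realm your saslauthd is configured for; any uid reported under `local-hash` or `cleartext` is an account that pam_krb5 password changes will not touch, and a `kerberos-realm-mismatch` entry is one whose bind depends on saslauthd's defaults rather than on the value stored in the directory.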
