Comments on: Integrating LDAP and Kerberos: Part One (Kerberos)

By: Discount Windows 7

Discount Windows 7 — Tue, 03 Jan 2012 19:16:15 +0000

I will right away take hold of your rss as I can’t find your e-mail subscription hyperlink or newsletter service. Do you have any? Kindly permit me understand in order that I could subscribe. Thanks.

By: racerx

racerx — Tue, 30 Nov 1999 00:00:00 +0000

Here again – I would love to see someone do an article on one-way syncing from Active Directory to and ldap server.

By: jmpoth

jmpoth — Tue, 30 Nov 1999 00:00:00 +0000

this is a very relevant article.

By: jbuurman

jbuurman — Tue, 30 Nov 1999 00:00:00 +0000

One-way syncing of AD is also an issue at my work. Love to read something more about that.

By: mlix

mlix — Tue, 30 Nov 1999 00:00:00 +0000

Actually as I know red hat is doing some project

freeipa.org I think will integrate DS and kerberos.

also it will support migrate from AD to IPA.

Cheers

By: bsdlogical

bsdlogical — Tue, 30 Nov 1999 00:00:00 +0000

While following this article (and Part Two), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I’ve made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I’ve inadvertently made any mistakes in these comments, please post that as well so others won’t be misled.

Problems/Comments in Part 1:
1) I had to run sudo dpkg-reconfigure krb5-kdc before starting up the KDC and admin server with /etc/init.d/krb5-admin-server start and /etc/init.d/krb5-kdc start. The answers to the questions in order were: Yes to Create Kerberos KDC configuration automatically, Disable Kerberos v4 compatibility mode, No to run a ticket conversion daemon, and No to purging data when krb5-kdc package is removed. See also #3.
2) There’s a significant problem in the example krb5.conf posted above that took me ages to figure out. There’s actually an equals sign missing after the default_realm parameter.
3) I also had to set up the database (by running kdb5_util, as well as everything in the Setting up the database section) before starting the KDC and admin server.
4) In Ubuntu, libsasl2-gssapi-mit is no longer available. It’s replaced by libsasl2-modules-gssapi-mit. I executed the following: apt-get install libpam-krb5 libsasl2-dev libsasl2-modules-gssapi-mit libsasl2-modules
5) I was not able to login as a principal I just added, even with the PAM configuration correct (under the Testing section). I had to get LDAP up and running first.

(continued in Part 2)

By: jwilleke

jwilleke — Tue, 30 Nov 1999 00:00:00 +0000

Please explain your statement: "...Kerberos is a massive security increase over LDAP authentication."

Thanks
-jim

By: dbmethods

dbmethods — Tue, 30 Nov 1999 00:00:00 +0000

I hope this can be more clear such as from start up.
Showing

$ hostname

$ ping or Kerberos utlilites

$ dnsdomainname

And how to set this up with MySQL to have single sign on on 2 nodes?
If I get errors, how to trace them and fix that.

By: opc0d3

opc0d3 — Tue, 30 Nov 1999 00:00:00 +0000

Nice article