Comments on: Integrating LDAP and Kerberos: Part Two (LDAP) http://www.linux-mag.com/id/4765/ Open Source, Open Standards Sun, 05 Jul 2009 01:37:28 +0000 http://wordpress.org/?v=2.0.11 by: captainmish http://www.linux-mag.com/id/4765/#comment-2238 Fri, 20 Mar 2009 15:33:24 +0000 http://www.linux-mag.com/id/4765/#comment-2238 Anyone know the answer to this? - it doesnt seem clear where the users "live" Anyone know the answer to this? - it doesnt seem clear where the users “live”

]]> by: capedcrusader http://www.linux-mag.com/id/4765/#comment-2185 Sun, 08 Mar 2009 20:49:20 +0000 http://www.linux-mag.com/id/4765/#comment-2185 So do users needed to be added to Kerberos and LDAP independently? With this setup, if I add an LDAP user, should it have a corresponding Kerberos principle automatically? So do users needed to be added to Kerberos and LDAP independently? With this setup, if I add an LDAP user, should it have a corresponding Kerberos principle automatically?

]]> by: grkm2002 http://www.linux-mag.com/id/4765/#comment-1927 Thu, 08 Jan 2009 00:37:38 +0000 http://www.linux-mag.com/id/4765/#comment-1927 Great outline. However, i am getting the following error when i try to use the following line: ldapadd -x -D "cn=admin,dc=ph,dc=ic,dc=ac,dc=uk" -W -f setup.ldif: ldap_bind: Invalid credentials (49) conn=0 fd=14 ACCEPT from IP=127.0.0.1:56098 (ip=0.0.0.0:389) conn=0 op=0 RESULT tag=97 err=49 text= Any help would be greatful. Was able to get everything else setup. Great outline. However, i am getting the following error when i try to use the following line:
ldapadd -x -D “cn=admin,dc=ph,dc=ic,dc=ac,dc=uk” -W -f setup.ldif:

ldap_bind: Invalid credentials (49)
conn=0 fd=14 ACCEPT from IP=127.0.0.1:56098 (ip=0.0.0.0:389)
conn=0 op=0 RESULT tag=97 err=49 text=

Any help would be greatful. Was able to get everything else setup.

]]> by: bsdlogical http://www.linux-mag.com/id/4765/#comment-1474 Thu, 11 Sep 2008 23:57:27 +0000 http://www.linux-mag.com/id/4765/#comment-1474 Just to clarify, in #4, the last sasl-regexp line should be one line - it should not be split up into two. Just to clarify, in #4, the last sasl-regexp line should be one line - it should not be split up into two.

]]> by: bsdlogical http://www.linux-mag.com/id/4765/#comment-1473 Thu, 11 Sep 2008 23:55:52 +0000 http://www.linux-mag.com/id/4765/#comment-1473 While following this article (and Part One), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I've made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I've inadvertently made any mistakes in these comments, please post that as well so others won't be misled. (Continued from Part 1) Problems/Comments in Part 2: 1) I had problems putting the slapd.access line before the suffix definition in slapd.conf, so I put it after. 2) I managed to get LDAP working without the krb5-kdc.schema, though perhaps that was more of an accident. 3) The installation scripts had already created a root DN, so I only added one that looked like: dn: ou=people,dc=domain,dc=com objectclass: organizationalUnit ou: people description: Users dn: uid=ldapadm,ou=people,dc=domain,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: LDAP admin account sn: LDAP Admin uid: ldapadm uidNumber: 1002 gidNumber: 100 homeDirectory: /etc/ldap loginShell: /bin/false 4) When I tried installing this setup on a different system, the sasl and authz lines given in the howto didn't work. I'm not sure why, and I haven't debugged further, but I had to use these instead: sasl-secprops noanonymous,noplain,noactive sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com 5) I had to add apparmor profiles for slapd so it could access the files it needed. This is described in detail in https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/229252 6) The package name should be ldap-utils, not ldap_utils, in the Client setup section. 7) In Ubuntu, the configuration for libnss-ldap is actually in /etc/ldap.conf (which is NOT the same thing as /etc/ldap/ldap.conf - that's used by other client LDAP utilities, while /etc/ldap/slapd.conf is used by the slapd server) In addition to many useful sites out there is http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml While following this article (and Part One), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I’ve made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I’ve inadvertently made any mistakes in these comments, please post that as well so others won’t be misled.

(Continued from Part 1)

Problems/Comments in Part 2:
1) I had problems putting the slapd.access line before the suffix definition in slapd.conf, so I put it after.
2) I managed to get LDAP working without the krb5-kdc.schema, though perhaps that was more of an accident.
3) The installation scripts had already created a root DN, so I only added one that looked like:
dn: ou=people,dc=domain,dc=com
objectclass: organizationalUnit
ou: people
description: Users

dn: uid=ldapadm,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
sn: LDAP Admin
uid: ldapadm
uidNumber: 1002
gidNumber: 100
homeDirectory: /etc/ldap
loginShell: /bin/false

4) When I tried installing this setup on a different system, the sasl and authz lines given in the howto didn’t work. I’m not sure why, and I haven’t debugged further, but I had to use these instead:
sasl-secprops noanonymous,noplain,noactive
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com

5) I had to add apparmor profiles for slapd so it could access the files it needed. This is described in detail in https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/229252

6) The package name should be ldap-utils, not ldap_utils, in the Client setup section.

7) In Ubuntu, the configuration for libnss-ldap is actually in /etc/ldap.conf (which is NOT the same thing as /etc/ldap/ldap.conf - that’s used by other client LDAP utilities, while /etc/ldap/slapd.conf is used by the slapd server)

In addition to many useful sites out there is http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml

]]> by: eagmunoz http://www.linux-mag.com/id/4765/#comment-1397 Tue, 19 Aug 2008 03:24:44 +0000 http://www.linux-mag.com/id/4765/#comment-1397 Maybe this what ur looking for man pam_krb5 Look /.k5login Maybe this what ur looking for
man pam_krb5

Look /.k5login

]]> by: jimmyjump75 http://www.linux-mag.com/id/4765/#comment-1382 Sat, 09 Aug 2008 04:00:45 +0000 http://www.linux-mag.com/id/4765/#comment-1382 Can I map the kerberos username to a different LDAP user? Does the name have to be the same in ldap as the kerberos principal? Specifically, can I authenticate with my kerberos credentials as user1@REALM and have that log me in as a local unix or NIS user after authentication? I cannot figure that part out!! I can authenticate fine with Kerberos but in order to login I need a matching user account name on the box or NIS or I get rejected. With winbind I can login using kerberos without having a local account but I have no control over the unix UID I am assigned and that is only good for shares anyway. What I am looking to accomplish is to authenticate using kerberos but have it log me in as a existing unix user. I know it is possible as on some of our AIX and Redhat boxes, we login with our Active directory (kerberos credentials) and after authenticating you are logged into the box as a local unix uid. I cannot figure out how to make this happen but am almost certain it is LDAP. The reason is we have an existing Unix infrastructure with permissions set up. Corporate IT wants the boxes joined to AD but when you log into the box with AD credentials the permissions do not match to my uid. Thanks James Can I map the kerberos username to a different LDAP user? Does the name have to be the same in ldap as the kerberos principal?
Specifically, can I authenticate with my kerberos credentials as user1@REALM and have that log me in as a local unix or NIS user after authentication? I cannot figure that part out!! I can authenticate fine with Kerberos but in order to login I need a matching user account name on the box or NIS or I get rejected. With winbind I can login using kerberos without having a local account but I have no control over the unix UID I am assigned and that is only good for shares anyway. What I am looking to accomplish is to authenticate using kerberos but have it log me in as a existing unix user. I know it is possible as on some of our AIX and Redhat boxes, we login with our Active directory (kerberos credentials) and after authenticating you are logged into the box as a local unix uid. I cannot figure out how to make this happen but am almost certain it is LDAP. The reason is we have an existing Unix infrastructure with permissions set up. Corporate IT wants the boxes joined to AD but when you log into the box with AD credentials the permissions do not match to my uid.
Thanks
James

]]> by: macomaciak http://www.linux-mag.com/id/4765/#comment-1213 Wed, 25 Jun 2008 12:49:19 +0000 http://www.linux-mag.com/id/4765/#comment-1213 anyone on the local network can bind to ldap server anonymously and get the list of all UID + GID's. this is absolutely ugly AND insecure. disclosing the UID information to everyone is just wrong concept. M. anyone on the local network can bind to ldap server anonymously and get the list of all UID + GID’s. this is absolutely ugly AND insecure. disclosing the UID information to everyone is just wrong concept.

M.

]]> by: nbensa http://www.linux-mag.com/id/4765/#comment-758 Mon, 14 Jan 2008 02:14:12 +0000 http://www.linux-mag.com/id/4765/#comment-758 I don't get the "kerberos security." What's the difference between ldap+kerberos and ldap+ssl+sasl+digest-md5? Thanks! Norberto I don’t get the “kerberos security.” What’s the difference between ldap+kerberos and ldap+ssl+sasl+digest-md5?

Thanks!

Norberto

]]> by: phantasm http://www.linux-mag.com/id/4765/#comment-755 Thu, 10 Jan 2008 19:42:07 +0000 http://www.linux-mag.com/id/4765/#comment-755 LDAP has been a wonderous change to our developers network this past year. After reading this, I believe Kerberos and LDAP combined will provide the added security we need to have in place. Thank you. LDAP has been a wonderous change to our developers network this past year. After reading this, I believe Kerberos and LDAP combined will provide the added security we need to have in place.

Thank you.

]]>