Comments on: Integrating LDAP and Kerberos: Part Two (LDAP)

By: phantasm

phantasm — Tue, 30 Nov 1999 00:00:00 +0000

LDAP has been a wonderous change to our developers network this past year. After reading this, I believe Kerberos and LDAP combined will provide the added security we need to have in place.

Thank you.

By: nbensa

nbensa — Tue, 30 Nov 1999 00:00:00 +0000

I don't get the "kerberos security." What's the difference between ldap+kerberos and ldap+ssl+sasl+digest-md5?

Thanks!

Norberto

By: macomaciak

macomaciak — Tue, 30 Nov 1999 00:00:00 +0000

anyone on the local network can bind to ldap server anonymously and get the list of all UID + GID’s. this is absolutely ugly AND insecure. disclosing the UID information to everyone is just wrong concept.

By: jimmyjump75

jimmyjump75 — Tue, 30 Nov 1999 00:00:00 +0000

Can I map the kerberos username to a different LDAP user? Does the name have to be the same in ldap as the kerberos principal?
Specifically, can I authenticate with my kerberos credentials as user1@REALM and have that log me in as a local unix or NIS user after authentication? I cannot figure that part out!! I can authenticate fine with Kerberos but in order to login I need a matching user account name on the box or NIS or I get rejected. With winbind I can login using kerberos without having a local account but I have no control over the unix UID I am assigned and that is only good for shares anyway. What I am looking to accomplish is to authenticate using kerberos but have it log me in as a existing unix user. I know it is possible as on some of our AIX and Redhat boxes, we login with our Active directory (kerberos credentials) and after authenticating you are logged into the box as a local unix uid. I cannot figure out how to make this happen but am almost certain it is LDAP. The reason is we have an existing Unix infrastructure with permissions set up. Corporate IT wants the boxes joined to AD but when you log into the box with AD credentials the permissions do not match to my uid.
Thanks
James

By: eagmunoz

eagmunoz — Tue, 30 Nov 1999 00:00:00 +0000

Maybe this what ur looking for
man pam_krb5

Look /.k5login

By: bsdlogical

bsdlogical — Tue, 30 Nov 1999 00:00:00 +0000

While following this article (and Part One), I finally managed to install Kerberos and OpenLDAP together. However, I ran into some problems with the howto posted here on the way. I’ve made an effort to describe how I fixed them as well as I can, and I hope it helps others attempting to do the same thing. I installed this on Ubuntu 8.04, and some of the corrections come from a partially finished guide at https://help.ubuntu.com/community/SingleSignOn. However, if I’ve inadvertently made any mistakes in these comments, please post that as well so others won’t be misled.

(Continued from Part 1)

Problems/Comments in Part 2:
1) I had problems putting the slapd.access line before the suffix definition in slapd.conf, so I put it after.
2) I managed to get LDAP working without the krb5-kdc.schema, though perhaps that was more of an accident.
3) The installation scripts had already created a root DN, so I only added one that looked like:
dn: ou=people,dc=domain,dc=com
objectclass: organizationalUnit
ou: people
description: Users

dn: uid=ldapadm,ou=people,dc=domain,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: LDAP admin account
sn: LDAP Admin
uid: ldapadm
uidNumber: 1002
gidNumber: 100
homeDirectory: /etc/ldap
loginShell: /bin/false

4) When I tried installing this setup on a different system, the sasl and authz lines given in the howto didn’t work. I’m not sure why, and I haven’t debugged further, but I had to use these instead:
sasl-secprops noanonymous,noplain,noactive
sasl-regexp uid=([^/]*),cn=GSSAPI,cn=auth uid=$1,ou=People,dc=example,dc=com

5) I had to add apparmor profiles for slapd so it could access the files it needed. This is described in detail in https://bugs.launchpad.net/ubuntu/+source/openldap2.2/+bug/229252

6) The package name should be ldap-utils, not ldap_utils, in the Client setup section.

7) In Ubuntu, the configuration for libnss-ldap is actually in /etc/ldap.conf (which is NOT the same thing as /etc/ldap/ldap.conf – that’s used by other client LDAP utilities, while /etc/ldap/slapd.conf is used by the slapd server)

In addition to many useful sites out there is http://research.imb.uq.edu.au/~l.rathbone/ldap/gssapi.shtml

By: bsdlogical

bsdlogical — Tue, 30 Nov 1999 00:00:00 +0000

Just to clarify, in #4, the last sasl-regexp line should be one line – it should not be split up into two.

By: grkm2002

grkm2002 — Tue, 30 Nov 1999 00:00:00 +0000

Great outline. However, i am getting the following error when i try to use the following line:
ldapadd -x -D "cn=admin,dc=ph,dc=ic,dc=ac,dc=uk" -W -f setup.ldif:

ldap_bind: Invalid credentials (49)
conn=0 fd=14 ACCEPT from IP=127.0.0.1:56098 (ip=0.0.0.0:389)
conn=0 op=0 RESULT tag=97 err=49 text=

Any help would be greatful. Was able to get everything else setup.

By: capedcrusader

capedcrusader — Tue, 30 Nov 1999 00:00:00 +0000

So do users needed to be added to Kerberos and LDAP independently? With this setup, if I add an LDAP user, should it have a corresponding Kerberos principle automatically?

By: captainmish

captainmish — Tue, 30 Nov 1999 00:00:00 +0000

Anyone know the answer to this? – it doesnt seem clear where the users “live”

By: mabu

mabu — Tue, 30 Nov 1999 00:00:00 +0000

>So do users needed to be added to Kerberos and LDAP independently?
I think according to this setup, you have got Kerberos users stored in the principal database for authentication. You also have entries in LDAP for authorization. But there does not seem to be any coupling. If you want the kerberos principals to reside in the directory, you will probably need the kerberos LDAP backend.