On Thursday, 9 December 2010 21:42:46 Thierry Lacoste wrote:
> Hello,
> I'm experimenting with integrating Kerberos and OpenLDAP following roughly http://wiki.mandriva.com/en/Projects/OpenLDAP_DIT
> I'm using CentOS and Buchan Milne's repository (http://staff.telkomsa.net/packages/rhel5/ ) both for OpenLDAP and Heimdal.
> I've almost succeeded except for password integration. It seems that the smbk5pwd module provided by openldap2.4-servers-2.4.22-1.el5 in /usr/lib/openldap2.4/smbpwd.so is built without kerberos support.
In Mandriva, the Kerberos implementation in the "main" repository is MIT Kerberos, while Heimdal is in contrib. As OpenLDAP is in main, it cannot depend on Heimdal, so by default we build smbk5pwd as smbpwd.so without Heimdal support, while we have a separate openldap-smbk5pwd package (providing smbk5pwd.so) in contrib which is built with Heimdal support.
However, I have had problems with this package on CentOS with my Heimdal packages (slapd would hang or crash on a password change on a Heimdal account with the module enabled), and due to problems in conjunction with ppolicy (krb5PasswordEnd not being updated), I don't use it myself on my CentOS deployment, but rather use the "use Samba passwords" feature.
> With "smbk5pwd-enable krb5" I have the following error: /etc/openldap2.4/slapd.conf: line 154: smbk5pwd: <smbk5pwd-enable> module "smbk5pwd-enable" only allowed when compiled with -DDO_KRB5.
> What is the easiest option to get a kerberos supporting smbk5pwd?
Untested (besides "it installs, it loads, slapd still runs"), but built from the Mandriva openldap-smbk5pwd src.rpm:
http://staff.telkomsa.net/packages/rhel5/openldap2.4-smbk5pwd-2.4.21-4.el5.i386.rpm
1) Install ('rpm -Uvh http://staff.telkomsa.net/packages/rhel5/openldap2.4-smbk5pwd-2.4.21-4.el5.i386.rpm' or similar)
2) Change 'moduleload smbpwd.so' to 'moduleload smbk5pwd.so'
3) Restart slapd
Please let me know if this package works for you. If not, it might be time to update the heimdal packages (which I didn't do earlier due to regressions in the "use samba passwords" feature which I recently fixed in the Mandriva packages).
> BTW I'd appreciate any recommendations about providing kerberos and LDAP authentication (with the same password) in a production setting. Should I use Heimdal or MIT kerberos?
IMHO, Heimdal provides some advantages over MIT.
> If Heimdal, is it better to use OpenLDAP as a backend for Kerberos or let Kerberos use its native backend?
There are some minor complications using hdb_ldap, but I feel the benefits outweigh them.
> If OpenLDAP as a backend, is it better to use {K5KEY} as the userPassword or let smbk5pwd synchronize everything?
Depends on if you have any non-GSSAPI or simple-bind-to-LDAP-server-with-master-key authentication (e.g. MSCHAPv2).
Regards, Buchan
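The module switch described in the reply, written out as a slapd.conf fragment. This is an added example and not configuration posted by either participant; the modulepath, the database type and the suffix are assumptions, and the overlay must be declared inside the database section whose entries it should act on.

```conf
# Added example: slapd.conf fragment for smbk5pwd with Kerberos support.
# Paths, database type and suffix are assumed for illustration.

modulepath  /usr/lib/openldap2.4

# The stock openldap2.4-servers build ships smbpwd.so, compiled without
# -DDO_KRB5. With it loaded, "smbk5pwd-enable krb5" fails at startup with:
#   smbk5pwd: <smbk5pwd-enable> module "smbk5pwd-enable" only allowed when
#   compiled with -DDO_KRB5
#moduleload  smbpwd.so

# The separate openldap2.4-smbk5pwd package ships smbk5pwd.so, built
# against Heimdal; this is the one to load for krb5 key synchronisation.
moduleload  smbk5pwd.so

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

# Overlays are attached per database, so this goes after the database
# directives. smbk5pwd updates the Heimdal keys (and, if enabled, the
# Samba hashes) whenever userPassword is changed via LDAP Password Modify.
overlay     smbk5pwd
smbk5pwd-enable krb5
smbk5pwd-enable samba
```

After restarting slapd, a password change against a Heimdal-backed entry (for example with ldappasswd, which uses the Password Modify extended operation that the overlay intercepts) should update the Kerberos keys as well; if the startup error quoted in the thread still appears, the moduleload line is still pointing at smbpwd.so rather than smbk5pwd.so.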