Hi everyone,
I have built up one server with OpenLDAP, Cyrus SASL and MIT Kerberos V. Now my server can authenticate users. In "Authentication Configuration", I set the option information for the LDAP server and the Kerberos server. And I could log in with accounts (Kerberos principals) which are created through Kerberos. And user information can be obtained from the LDAP server. But it seems to be only OpenLDAP and Kerberos working together. I can't figure out what SASL's role is in this strategy, and how it affects my system. When I attempt to set up phpldapadmin, I must configure the SASL option, but I don't know how SASL works with LDAP in this strategy?
On Mon, 2008-06-30 at 09:48 +0700, Le Trung Kien wrote:
Hi,
Regarding your setup, SASL can be useful to let your users authenticate to LDAP with their Kerberos password. SASL actually glues the authentication (Kerberos) with the authorization (LDAP).
How do your users authenticate to LDAP? Do you have different passwords on LDAP accounts and on Kerberos principals? If you do, then your SASL glue (pass-through authentication) is not set up properly.
M.
As you know, on each client machine I type "setup", go into "Authentication Configuration" and fill in the information about the Kerberos and LDAP server. And so my users could log in to our Kerberos & LDAP system.
After login, users must get a ticket to use LDAP services by issuing the command "kinit" and then typing their Kerberos password. After getting their tickets, they can use LDAP services. I have tested this with "ldapwhoami" and get the proper user information (which belongs to LDAP). And I have only a password on Kerberos for each user. If I were wrong, please show me :) Could you explain to me how SASL gets involved in this?
thank you.
2008/6/30 Martin Simovic msimovic@concurrent-thinking.com:
"Le Trung Kien" aloneattack@gmail.com writes:
It is the SASL mechanism GSSAPI that comes into play here. Your users may connect to any network-oriented service like SMTP, IMAP or LDAP by calling the GSSAPI mechanism.
-Dieter
On Tue, 2008-07-01 at 08:41 +0700, Le Trung Kien wrote:
OpenLDAP does not use Kerberos directly; instead it uses SASL. If your LDAP server has a Kerberos service principal, and has the SASL GSSAPI plugin installed and enabled, then the OpenLDAP client utilities will try the appropriate SASL mechanisms (if the user has a ticket).
So, you are using SASL to authenticate your users via Kerberos when accessing the LDAP service.
Regards, Buchan
Hi, thank you, now I understand what happens underneath the process. As you said, saslauthd then does no work in my case; it is just the SASL plugin of the LDAP client that works here. And now I have to configure phpldapadmin, but I do not know what value I should assign to the SASL realm option, and so on. I assumed that I should have a saslauthd for authentication via Kerberos, etc. But I am not sure. Please, could you give me some hint on using SASL in my case?
thank you.
2008/7/1 Buchan Milne bgmilne@staff.telkomsa.net:
On Tue, 2008-07-01 at 17:02 +0700, Le Trung Kien wrote:
How did you configure your LDAP server + Kerberos in the first place? Did you use some kind of tool (YaST?), because it does not seem you know exactly what you are doing (no offence here, it's quite complex stuff).
To sum it all up:
You can bind to the LDAP server in two ways:
- simple bind
- SASL bind
Look at the simple bind as sending username/password in cleartext to the server (insecure if not over SSL/TLS). SASL on the other side can use any of the supported mechanisms (DIGEST-MD5, GSSAPI...).
In your case you use GSSAPI (Kerberos).
If your LDAP server is properly configured and you have libsasl-modules-mit-gssapi (or whatever they call it on your distro) installed, you can bind to the LDAP server via GSSAPI (having previously obtained the TGT). The fact that ldapwhoami works means that you have the plugin, you have the ticket, you have the LDAP Kerberos principal in the keytab and the sasl-regexp is properly set up in slapd.conf.
Now saslauthd comes into the game:
What if your application which needs to authenticate to LDAP does not support SASL (GSSAPI)? (Most address books like Outlook, Evolution... do not.)
If your app can do only simple bind to LDAP (username/password), you need a mechanism to forward these to the KDC and use the information it gives back (authentication succeeded). This is what saslauthd does. It acts as the middle man between LDAP and the Kerberos KDC. This is also called (according to the OpenLDAP documentation) pass-through authentication. You only need it if you want to use simple (not SASL) binds to LDAP using Kerberos passwords (SSL in this case is a must).
It's all very nicely described here: http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
Hope I made it a little bit clearer;
M.
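An added configuration sketch (not from this thread or from the OpenLDAP project) showing the two bind paths Martin describes side by side: the SASL/GSSAPI path that ldapwhoami already uses, and the saslauthd pass-through path for clients that can only do simple binds. Hostname, realm, base DN, user "alice" and the file paths are assumed placeholders; adjust them to your site.

```conf
### slapd.conf (server side): SASL/GSSAPI bind, the path ldapwhoami takes after kinit
sasl-host   ldap.example.com      # assumed; must match the ldap/ldap.example.com@EXAMPLE.COM keytab entry
sasl-realm  EXAMPLE.COM           # assumed realm
# GSSAPI hands slapd an authentication identity of the form
#   uid=<principal>,cn=<realm in lowercase>,cn=gssapi,cn=auth
# and this rule maps it onto the user's real directory entry.
# (Older configurations spell this directive "sasl-regexp".)
authz-regexp
    uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??sub?(uid=$1)

# Simple binds carry the password in the clear, so require at least 128-bit
# transport protection (TLS) before slapd will accept one at all.
security simple_bind=128

### User entry (LDIF): no password hash is stored in LDAP.
### The {SASL} scheme tells slapd to verify simple binds through Cyrus SASL.
# dn: uid=alice,ou=people,dc=example,dc=com
# userPassword: {SASL}alice@EXAMPLE.COM

### Cyrus SASL config read by slapd (/etc/sasl2/slapd.conf or
### /usr/lib/sasl2/slapd.conf depending on the distro): route password
### checks to the saslauthd daemon instead of a local sasldb.
# pwcheck_method: saslauthd
# saslauthd_path: /var/run/saslauthd/mux

### saslauthd itself must be started with the kerberos5 mechanism so it
### checks the submitted password against the KDC:
###   saslauthd -a kerberos5
### (Debian: MECHANISMS="kerberos5" in /etc/default/saslauthd;
###  Red Hat: MECH=kerberos5 in /etc/sysconfig/saslauthd)

### Checks, one per bind path:
###   kinit alice && ldapwhoami -Y GSSAPI -H ldap://ldap.example.com
###     -> dn:uid=alice,ou=people,dc=example,dc=com   (SASL bind; saslauthd is not involved)
###   ldapwhoami -x -ZZ -H ldap://ldap.example.com \
###              -D uid=alice,ou=people,dc=example,dc=com -W
###     -> same DN, but slapd asked saslauthd, which asked the KDC (pass-through)
```

If the second command succeeds without -ZZ, the security directive is not in effect and passwords are crossing the wire in cleartext.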
Hi, thank you. Now I know much more about SASL's role in my case. I will read the section you suggested. I will try to configure phpldapadmin to understand more. Does saslauthd need a realm? If you have configured phpldapadmin with the SASL option chosen, then lucky me. If you don't mind, I will come back soon and disturb all of you here more with this problem :)
Thank you all very much.
2008/7/1 Martin Simovic msimovic@concurrent-thinking.com:
Le Trung Kien wrote:
If you have configured phpldapadmin with the SASL option chosen, then lucky me.
SASL bind can be conducted with many different mechanisms. For Kerberos V you have to configure SASL with the GSSAPI mechanism. For this to fully work as expected, the entity binding to the LDAP server has to have obtained a ticket-granting ticket (TGT) before binding to the LDAP server.
If you invoked the command-line tool kinit on your box, then the TGT is stored in a ticket cache tied to the system user who started kinit => this is likely not of much use in a centrally installed web gateway. My web2ldap supports SASL/GSSAPI, but using the end-user's TGT requires web2ldap to be started by this particular end-user.
Ciao, Michael.
openldap-technical@openldap.org