7:48 p.m.
Hi everyone,
I have built up one server with Openldap, Cyrus SASL, MIT Kerberos V.
Now, my server can authenticate users.
In "Authentication Configuration", I set option information for LDAP server
and Kerberos server. And I could login with accounts (Kerberos principals)
which are created through Kerberos. And user information can be obtained
from LDAP server.
But it's seem to be only Openldap and Kerberos work with together.
I can't figure out what the SASL role is in this strategy. And how it
effects
on my system.
When I attempt setup phpldapadmin, I must configure SASL option, but I
don't know how SASL works with LDAP in this strategy ?
--
Le Trung Kien.
3:51 a.m.
On Mon, 2008-06-30 at 09:48 +0700, Le Trung Kien wrote:
Hi everyone,
I have built up one server with Openldap, Cyrus SASL, MIT Kerberos V.
Now, my server can authenticate users.
In "Authentication Configuration", I set option information for LDAP
server
and Kerberos server. And I could login with accounts (Kerberos
principals)
which are created through Kerberos. And user information can be
obtained
from LDAP server.
But it's seem to be only Openldap and Kerberos work with together.
I can't figure out what the SASL role is in this strategy. And how it
effects
on my system.
When I attempt setup phpldapadmin, I must configure SASL option, but I
don't know how SASL works with LDAP in this strategy ?
--
Le Trung Kien.
Hi,
regarding your setup the SASL can be usefull to let your users
authenticate to LDAP whith their kerberos password.
the SASL actually glues the authentication (Kerberos) whith the
authorization (LDAP).
how do your users authenticate to LDAP? do you have different passwords
on LDAP accounts and on Kerberos principals? in you do, then your SASL
glue (pass through authentication) is not set up properly.
M.
6:41 p.m.
As you know, on each client machine, I type "setup" and go in
"Authentication Configuration" then fill up information about kerberos and
ldap server.
And so, my users could login our Kerberos&LDAP system.
after login, users must get ticket to use ldap services by emit command :
"kinit" then type their kerberos password. After get their tickets, they can
use ldap services.
I have tested this with "ldapwhoami" and get the proper user information
(which belongs to ldap).
And I have only password on Kerberos for each user.
If I were wrong, please show me :)
Could you explain to me how SASL gets involved in this ?
thank you.
2008/6/30 Martin Simovic <msimovic(a)concurrent-thinking.com>:
On Mon, 2008-06-30 at 09:48 +0700, Le Trung Kien wrote:
> Hi everyone,
>
> I have built up one server with Openldap, Cyrus SASL, MIT Kerberos V.
> Now, my server can authenticate users.
> In "Authentication Configuration", I set option information for LDAP
> server
> and Kerberos server. And I could login with accounts (Kerberos
> principals)
> which are created through Kerberos. And user information can be
> obtained
> from LDAP server.
> But it's seem to be only Openldap and Kerberos work with together.
> I can't figure out what the SASL role is in this strategy. And how it
> effects
> on my system.
> When I attempt setup phpldapadmin, I must configure SASL option, but I
> don't know how SASL works with LDAP in this strategy ?
>
> --
> Le Trung Kien.
Hi,
regarding your setup the SASL can be usefull to let your users
authenticate to LDAP whith their kerberos password.
the SASL actually glues the authentication (Kerberos) whith the
authorization (LDAP).
how do your users authenticate to LDAP? do you have different passwords
on LDAP accounts and on Kerberos principals? in you do, then your SASL
glue (pass through authentication) is not set up properly.
M.
--
Le Trung Kien.
11:40 p.m.
"Le Trung Kien" <aloneattack(a)gmail.com> writes:
As you know, on each client machine, I type "setup" and go
in "Authentication
Configuration" then fill up information about kerberos and ldap server.
And so, my users could login our Kerberos&LDAP system.
after login, users must get ticket to use ldap services by emit command :
"kinit" then type their kerberos password. After get their tickets, they can
use ldap services.
I have tested this with "ldapwhoami" and get the proper user information
(which belongs to ldap).
And I have only password on Kerberos for each user.
If I were wrong, please show me :)
Could you explain to me how SASL gets involved in this ?
It is the SASL Mechanism GSSAPI that comes into the game. Your users
may connect to any network oriented service like smtp, imap, ldap by
calling the GSSAPI mechanism.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
12:57 a.m.
On Tue, 2008-07-01 at 08:41 +0700, Le Trung Kien wrote:
As you know, on each client machine, I type "setup" and go
in
"Authentication Configuration" then fill up information about kerberos
and ldap server.
And so, my users could login our Kerberos&LDAP system.
after login, users must get ticket to use ldap services by emit
command : "kinit" then type their kerberos password. After get their
tickets, they can use ldap services.
I have tested this with "ldapwhoami" and get the proper user
information (which belongs to ldap).
And I have only password on Kerberos for each user.
If I were wrong, please show me :)
Could you explain to me how SASL gets involved in this ?
OpenLDAP does not use Kerberos directly, instead it uses SASL. If your
LDAP server has a Kerberos service principal, and has the SASL GSSAPI
plugin installed and enabled, then the OpenLDAP client utilities will
try appropriate SASL mechanisms (if the user has a ticket).
So, you are using SASL to authenticate via Kerberos your users when
accessing the LDAP service.
Regards,
Buchan
3:02 a.m.
Hi, thank you, now I understand what happen underlying the process.
As you said, then saslauthd do no work in my case. It is just a SASL plugin
of
LDAP client works here.
And now, I have to configure phpldapadmin but I do not know what value I
should assign
to SASL realm option, and so on.
I assumed that I should have a saslauthd for authentication via Kerberos,
etc. But I am not
sure.
Please, could you give me some hint to using SASL in my case ?
thank you.
2008/7/1 Buchan Milne <bgmilne(a)staff.telkomsa.net>:
OpenLDAP does not use Kerberos directly, instead it uses SASL. If your
LDAP server has a Kerberos service principal, and has the SASL GSSAPI
plugin installed and enabled, then the OpenLDAP client utilities will
try appropriate SASL mechanisms (if the user has a ticket).
So, you are using SASL to authenticate via Kerberos your users when
accessing the LDAP service.
Regards,
Buchan
--
Le Trung Kien.
3:46 a.m.
On Tue, 2008-07-01 at 17:02 +0700, Le Trung Kien wrote:
Hi, thank you, now I understand what happen underlying the process.
As you said, then saslauthd do no work in my case. It is just a SASL
plugin of
LDAP client works here.
And now, I have to configure phpldapadmin but I do not know what value
I should assign
to SASL realm option, and so on.
I assumed that I should have a saslauthd for authentication via
Kerberos, etc. But I am not
sure.
Please, could you give me some hint to using SASL in my case ?
thank you.
2008/7/1 Buchan Milne <bgmilne(a)staff.telkomsa.net>:
OpenLDAP does not use Kerberos directly, instead it uses SASL.
If your
LDAP server has a Kerberos service principal, and has the SASL
GSSAPI
plugin installed and enabled, then the OpenLDAP client
utilities will
try appropriate SASL mechanisms (if the user has a ticket).
So, you are using SASL to authenticate via Kerberos your users
when
accessing the LDAP service.
Regards,
Buchan
how did you configure your ldap server + kerberos in first place? did
you use some kind of tool (YAST?) because it does not seem you know
exactly what you are doing (no offence here, it's quite complex stuff)
to resume it all:
you can bind to LDAP server two ways: - simple bind
- SASL bind
look at the simple bind as sending username/password in cleartext to the
server. (insecure if not over SSL/TLS)
SASL on other side can use any of supported mechanisms (DIGEST-MD5,
GSSAPI...)
in your case you use gssapi(kerberos).
if your ldap server is properly configured and you have
libsasl-modules-mit-gssapi (or whatever they call it on your distro)
installed you can bind to ldap server via gssapi (having previously
obtained the TGT ticket) the fact that ldapwhoami works means, that you
have the plugin, you have the ticket, you have the ldap kerberos
pricipal in keytab and the sasl-regexp is properly set up in slapd.conf
now comes the saslauthd into the game:
what if your application which requires authenticate to ldap does not
support SASL(GSSAPI) ? (most addressbooks like outlook, evolution.. does
not)
if your app can do only simple bind to ldap (username/password) you need
a mechanism to forward these to KDC and use the information it gives
back (authentication succeeded). this is what saslauth does. it acts as
the middle man between LDAP and kerberos KDC. this is also called
(according to openldap documentation) an pass-through authentication.
you only need it if you want to use simple (not SASL) binds to LDAP
using kerberos passwords.(SSL in this case is a must)
it's all very nicely described here:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%
20authentication
hope i made it a little bit clearer;
M.
--
Le Trung Kien.
1:59 a.m.
Hi, thank you.
Now, I know much more about SASL's role in my case.
I will read section which suggested.
I will try to configure phpldapadmin to understand more.
Is saslauthd need a realm?
If you have configure phpldapadmin with option
SASL chosen, then lucky me.
If you don't mind, I will come back soon and disturb all you
here more with this problem :)
Thank you all very much.
2008/7/1 Martin Simovic <msimovic(a)concurrent-thinking.com>:
On Tue, 2008-07-01 at 17:02 +0700, Le Trung Kien wrote:
> Hi, thank you, now I understand what happen underlying the process.
> As you said, then saslauthd do no work in my case. It is just a SASL
> plugin of
> LDAP client works here.
> And now, I have to configure phpldapadmin but I do not know what value
> I should assign
> to SASL realm option, and so on.
> I assumed that I should have a saslauthd for authentication via
> Kerberos, etc. But I am not
> sure.
> Please, could you give me some hint to using SASL in my case ?
>
> thank you.
>
>
>
> 2008/7/1 Buchan Milne <bgmilne(a)staff.telkomsa.net>:
>
>
> OpenLDAP does not use Kerberos directly, instead it uses SASL.
> If your
> LDAP server has a Kerberos service principal, and has the SASL
> GSSAPI
> plugin installed and enabled, then the OpenLDAP client
> utilities will
> try appropriate SASL mechanisms (if the user has a ticket).
>
> So, you are using SASL to authenticate via Kerberos your users
> when
> accessing the LDAP service.
>
> Regards,
> Buchan
>
>
how did you configure your ldap server + kerberos in first place? did
you use some kind of tool (YAST?) because it does not seem you know
exactly what you are doing (no offence here, it's quite complex stuff)
to resume it all:
you can bind to LDAP server two ways: - simple bind
- SASL bind
look at the simple bind as sending username/password in cleartext to the
server. (insecure if not over SSL/TLS)
SASL on other side can use any of supported mechanisms (DIGEST-MD5,
GSSAPI...)
in your case you use gssapi(kerberos).
if your ldap server is properly configured and you have
libsasl-modules-mit-gssapi (or whatever they call it on your distro)
installed you can bind to ldap server via gssapi (having previously
obtained the TGT ticket) the fact that ldapwhoami works means, that you
have the plugin, you have the ticket, you have the ldap kerberos
pricipal in keytab and the sasl-regexp is properly set up in slapd.conf
now comes the saslauthd into the game:
what if your application which requires authenticate to ldap does not
support SASL(GSSAPI) ? (most addressbooks like outlook, evolution.. does
not)
if your app can do only simple bind to ldap (username/password) you need
a mechanism to forward these to KDC and use the information it gives
back (authentication succeeded). this is what saslauth does. it acts as
the middle man between LDAP and kerberos KDC. this is also called
(according to openldap documentation) an pass-through authentication.
you only need it if you want to use simple (not SASL) binds to LDAP
using kerberos passwords.(SSL in this case is a must)
it's all very nicely described here:
http://www.openldap.org/doc/admin24/security.html#Pass-Through%
20authentication<http://www.openldap.org/doc/admin24/security.html#Pas...
hope i made it a little bit clearer;
M.
>
> --
> Le Trung Kien.
--
Le Trung Kien.
2:30 a.m.
Le Trung Kien wrote:
If you have configure phpldapadmin with option
SASL chosen, then lucky me.
SASL bind can be conducted with many different mechanisms. For Kerberos
V you have to configure SASL with mech GSSAPI. For this to fully work as
expected the entity binding to the LDAP server has to have obtained a
ticket granting ticket (TGT) before binding to the LDAP server.
If you invoked command-line tool kinit on your box then the TGT is
stored in a ticket cache tied to the system user who started kinit =>
this is likely not of much use in a centrally installed web gateway. My
web2ldap supports SASL/GSSAPI but using the end-user TGT requires
web2ldap to be started by this particular end-user.
Ciao, Michael.
5570
days inactive
5572
days old
openldap-technical@openldap.org
8 comments
5 participants
participants (5)
-
Buchan Milne -
Dieter Kluenter -
Le Trung Kien -
Martin Simovic -
Michael Ströder