Hi,
I like kerberos - been using it for years at other sites.
New job - have LDAP, no kerberos.
I'd like to backend the existing LDAP server with kerberos - I have some hope as I've just read this excellent article:
http://www.linux-mag.com/id/4765/
(free registration needed)
Traditionally, I would probably have made LDAP open for browsing (no auth) and adapted PAM on the clients to do auth via kerberos.
However, I have a load of apps here that only know how to talk and auth against LDAP.
Am I right in thinking:
1) Once LDAP is backended with kerberos, that "LDAP authentication" can take place using either a) plain password via LDAP which auths to kerberos; b) GSSAPI (ie using a client side kerberos ticket from a previous kinit)
2) Can I migrate users piecemeal, eg remove their LDAP passwords one by one and (possibly tweaking something on the LDAP directory) have those users auth through to kerberos, while other users auth to the LDAP directory, until everyone is moved?
Please excuse the dumbness - I know kerberos, I am just learning LDAP.
Or is this going to have to be a big-bang switchover?
Cheers
Tim
On Mon, 26 Sep 2011 09:05:31 +0100, Tim Watts wrote:
> Once LDAP is backended with kerberos
I haven't been paying attention the last couple of years, but this used to be a bad idea (primarily because it's easy to get auth loops ?).
In either case, you can 'bind' LDAP and Kerberos using the userPassword attribute like so (using Cyrus SASL):
userPassword: {SASL}[KERBEROS_PRINCIPAL]
> Can I migrate users piecemeal, eg remove their LDAP passwords one
> by one and (possibly tweaking something on the LDAP directory) have those users auth through to kerberos, while other users auth to the LDAP directory, until everyone is moved?
That I actually learned myself last week :). Apparently you can have multiple userPassword attributes! :)
SHAMELESS PLUG: Have a look at http://www.bayour.com/LDAPv3-HOWTO.html. It's getting a little old now, but much of it is still relevant..
DISCLAIMER: Some of the hardcore LDAP admins/coders dislike some of my recommendations (rightfully), but I'm only trying to make a point :)
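One check worth having while running the piecemeal migration described in this reply, as an added example that is not from the thread or from OpenLDAP: a small Python audit over an LDIF export of the people subtree. It treats an entry as migrated once all of its userPassword values are {SASL} pass-throughs and flags entries that still carry a local hash next to one, since with multiple userPassword values a simple bind still succeeds against the old hash. The sample entries, DNs and realm are constructed.

```python
# Added example, not from the thread: audit an LDIF export during the
# piecemeal migration. "migrated" = every userPassword is a {SASL} pass-
# through; "mixed" = a local hash still sits beside it and stays usable.
import base64

# Constructed sample: realm and DNs are placeholders; the base64 value
# decodes to "{SSHA}placeholder", not a real hash.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=people,dc=example,dc=com
userPassword: {SSHA}placeholder

dn: uid=carol,ou=people,dc=example,dc=com
userPassword: {SASL}carol@EXAMPLE.COM
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds continuation lines,
    skips comments, decodes '::' base64 values."""
    entries, current = [], {}
    for line in text.replace("\n ", "").splitlines() + [""]:
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def migration_status(entry):
    """'migrated': only {SASL}; 'local': only hashes; 'mixed': both;
    'none': no userPassword at all."""
    pws = entry.get("userpassword", [])
    if not pws:
        return "none"
    sasl = sum(1 for p in pws if p.upper().startswith("{SASL}"))
    if sasl == len(pws):
        return "migrated"
    return "local" if sasl == 0 else "mixed"

def audit(ldif_text):
    """Map each entry DN to its migration status."""
    return {e["dn"][0]: migration_status(e) for e in parse_ldif(ldif_text)}
```

Run it against a real export with `ldapsearch -LLL -b ou=people,... userPassword` piped to a file; anything reported as "mixed" still needs its old hash deleted before that user counts as moved.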
On 26/09/11 09:56, turbo@bayour.com wrote:
> On Mon, 26 Sep 2011 09:05:31 +0100, Tim Watts wrote:
> > Once LDAP is backended with kerberos
> I haven't been paying attention the last couple of years, but this used to be a bad idea (primarily because it's easy to get auth loops ?).
> In either case, you can 'bind' LDAP and Kerberos using the userPassword attribute like so (using Cyrus SASL):
> userPassword: {SASL}[KERBEROS_PRINCIPAL]
> > Can I migrate users piecemeal, eg remove their LDAP passwords one
> > by one and (possibly tweaking something on the LDAP directory) have those users auth through to kerberos, while other users auth to the LDAP directory, until everyone is moved?
> That I actually learned myself last week :). Apparently you can have multiple userPassword attributes! :)
> SHAMELESS PLUG: Have a look at http://www.bayour.com/LDAPv3-HOWTO.html. It's getting a little old now, but much of it is still relevant..
> DISCLAIMER: Some of the hardcore LDAP admins/coders dislike some of my recommendations (rightfully), but I'm only trying to make a point :)
Hiya
Thanks - I will have a read of that link - and thanks for the tip about multiple userPassword attributes
Cheers
Tim
openldap-technical@openldap.org