all,
please excuse my ignorance, as i am still learning. i have started working with mit kerberos 5 and openldap. i have the krb5 database in ldap, have several principals created, and can authenticate using kerberos. what i would like to accomplish is authorization based on group membership. i am unclear on how to do this, and if this requires the use of SASL (via the cyrus-sasl packages). am i able to create a groupofnames object, populated with kerberos principals, and accomplish authorization by checking for membership of that groupofnames? the scenario is mod_auth_kerb implemented in httpd, or access control via acl in squid. based on group membership, certain functionality or access would be given to authenticated users. i have read and re-read the guide included with openldap, but am still unclear about what is needed. Below is some info about versions, etc... thank you in advance for any guidance.
OS: Fedora 16 x86_64
OpenLDAP: 2.4.26-8
MIT Kerberos: 1.9.4-3
Cyrus SASL: 2.1.23-27
thank you,
brendan
On 03/15/13 21:26 -0400, brendan kearney wrote:
please excuse my ignorance, as i am still learning. i have started working with mit kerberos 5 and openldap. i have the krb5 database in ldap, have several principals created, and can authenticate using kerberos. what i would like to accomplish is authorization based on group membership. i am unclear on how to do this, and if this requires the use of SASL (via the cyrus-sasl packages). am i able to create a groupofnames object, populated with kerberos principals, and accomplish authorization by checking for membership of that groupofnames? the scenario is mod_auth_kerb implemented in httpd, or access control via acl in squid. based on group membership, certain functionality or access would be given to authenticated users. i have read and re-read the guide included with openldap, but am still unclear about what is needed. Below is some info about versions, etc... thank you in advance for any guidance.
In my experience, authorization is not a standardized concept, even among servers that support sasl, ldap, and/or kerberos authentication.
In general, approaches which are most likely to bear fruit:
unix group membership
=====================
Install an ldap nss module on the server, and add objectClass posixGroup to your group entries. Specify "member: <user_id>" for each member of the group. Find out if a given server (such as squid) supports such authorization, either by way of a getgrent system call (such as with openssh), or via some pam group module during authentication.
RADIUS (freeradius ldap backend)
================================
If the server supports radius authentication, then you have flexibility in granting authentication based on an ldap attribute or ldap group membership, by way of its ldap backend module.
pam ldap module
===============
If the server supports pam authentication, then use an ldap pam module (nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on an ldap attribute or ldap group membership.
I'm not aware of a way to grant authorization solely by using kerberos.
in my reading of the admin guide (section 15.2.5 - .7), mapping of a "username" to a DN is a common configuration, and allows for other functionality. i am trying to use the below Authz RegExp to do the mapping:
olcAuthzRegexp: {0}uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth uid=$1,ou=Users,dc=bpk2,dc=com
i am no regex guru, so i don't know if the above is appropriate. if i compare the above to the admin guide, i notice that mine is uid=([^,]+), whereas the docs show uid=([^,]*). the + vs. the * might be an issue. can that be confirmed?
On Sat, Mar 16, 2013 at 2:27 PM, Dan White dwhite@olp.net wrote:
In my experience, authorization is not a standardized concept, even among servers that support sasl, ldap, and/or kerberos authentication.
In general, approaches which are most likely to bear fruit:
unix group membership
=====================
Install an ldap nss module on the server, and add objectClass posixGroup to your group entries. Specify "member: <user_id>" for each member of the group. Find out if a given server (such as squid) supports such authorization, either by way of a getgrent system call (such as with openssh), or via some pam group module during authentication.
RADIUS (freeradius ldap backend)
================================
If the server supports radius authentication, then you have flexibility in granting authentication based on an ldap attribute or ldap group membership, by way of its ldap backend module.
pam ldap module
===============
If the server supports pam authentication, then use an ldap pam module (nssov, pam-nss-ldapd, or pam_ldap) to grant authentication based on an ldap attribute or ldap group membership.
I'm not aware of a way to grant authorization solely by using kerberos.
-- Dan White
openldap-technical@openldap.org
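As an added example (not from the thread, and not slapd's own code), the following models how slapd applies the olcAuthzRegexp rule quoted above to the SASL authorization DN it builds for a GSSAPI bind, and compares the `[^,]+` form from the post with the `[^,]*` form from the admin guide. Python's re module stands in for slapd's POSIX extended regex; case-insensitive matching and the sample principal names are assumptions made here.

```python
import re

# The olcAuthzRegexp line from the post, split into the match pattern and the
# replacement the way slapd reads it. Note the unescaped "." in bpk2.com, which
# matches any single character, not only a literal dot.
AUTHZ_REGEXP = (
    r"uid=([^,]+),cn=bpk2.com,cn=gssapi,cn=auth",
    "uid=$1,ou=Users,dc=bpk2,dc=com",
)


def map_authz_dn(sasl_dn, rule=AUTHZ_REGEXP):
    """Rewrite a SASL authz DN (uid=<user>,cn=<realm>,cn=<mech>,cn=auth)
    the way an authz-regexp rule does. The pattern is unanchored, as in slapd;
    case-insensitive matching is assumed so that cn=BPK2.COM (the Kerberos
    realm as slapd sees it) still matches cn=bpk2.com in the rule.
    Returns the mapped DN, or None when the rule does not match (slapd would
    then try the next rule, and finally bind as the unmapped SASL DN).
    """
    pattern, replacement = rule
    m = re.search(pattern, sasl_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    # $1 .. $9 in the replacement refer to capture groups of the match.
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def mapped_with(quantifier, sasl_dn):
    """Apply the same rule with [^,]+ (the post) or [^,]* (the admin guide)."""
    pattern = r"uid=([^,]%s),cn=bpk2.com,cn=gssapi,cn=auth" % quantifier
    return map_authz_dn(sasl_dn, (pattern, AUTHZ_REGEXP[1]))


if __name__ == "__main__":
    # Constructed sample authz DNs: a plain user principal, a principal with an
    # instance (the GSSAPI user name keeps it), a foreign realm, and an empty uid.
    for dn in (
        "uid=brendan,cn=BPK2.COM,cn=gssapi,cn=auth",
        "uid=brendan/admin,cn=bpk2.com,cn=gssapi,cn=auth",
        "uid=brendan,cn=other.org,cn=gssapi,cn=auth",
    ):
        print(dn, "->", map_authz_dn(dn))
    # + and * only differ when the captured uid is empty: * still produces a
    # (useless) DN, + refuses to match, so + is the stricter choice.
    empty = "uid=,cn=bpk2.com,cn=gssapi,cn=auth"
    print("+", mapped_with("+", empty), "|", "*", mapped_with("*", empty))
```

For any non-empty user name the two quantifiers map identically, so the difference between the post's rule and the guide's is not what would stop the mapping from working.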