I am using openldap proxy today with ldap backend.
Any suggestions on how to use kerberos as the backend?
Here is my config (sanitized)
$ cat slapd.conf
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema

## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload back_ldap

# Main settings ###############################################################
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
sizelimit unlimited

TLSCertificateFile /root/data/certs/ldap.crt
TLSCertificateKeyFile /root/data/certs/ldap.key

### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldaps://ldap.example.com:1636"
suffix "ou=People,dc=example,dc=net"

### Logging ###################################################################
loglevel 0
On 01/07/19 16:18 -0500, vadud3@gmail.com wrote:
> I am using openldap proxy today with ldap backend.
> Any suggestions on how to use kerberos as the backend?
> Here is my config (sanitized)
> $ cat slapd.conf
> ### Database definition (Proxy to AD) #########################################
> database ldap
> readonly yes
> protocol-version 3
> rebind-as-user yes
> uri "ldaps://ldap.example.com:1636"
> suffix "ou=People,dc=example,dc=net"
I'm not clear on where kerberos authentication fits into this scenario, but the two pieces of documentation to start with would be the slapo-ldap manpage, and the OpenLDAP Software 2.4 Administrator's Guide, section 14.5, and chapter 15.
If that doesn't address your question, please provide more detail, including how your clients authenticate with the proxy server.
On Mon, Jan 7, 2019 at 5:53 PM Dan White dwhite@cafedemocracy.org wrote:
> On 01/07/19 16:18 -0500, vadud3@gmail.com wrote:
> > I am using openldap proxy today with ldap backend.
> > Any suggestions on how to use kerberos as the backend?
> > Here is my config (sanitized)
> > $ cat slapd.conf
> > ### Database definition (Proxy to AD) #########################################
> > database ldap
> > readonly yes
> > protocol-version 3
> > rebind-as-user yes
> > uri "ldaps://ldap.example.com:1636"
> > suffix "ou=People,dc=example,dc=net"
>
> I'm not clear on where kerberos authentication fits into this scenario, but the two pieces of documentation to start with would be the slapo-ldap manpage, and the OpenLDAP Software 2.4 Administrator's Guide, section 14.5, and chapter 15.
> If that doesn't address your question, please provide more detail, including how your clients authenticate with the proxy server.
I do not see any slapo-ldap in my search for the man page on the openldap site http://www.openldap.org/software/man.cgi?query=slapo*&sektion=0&manp...
So on my client I would like to point to a kerberos proxy for authentication.
Today I am using ldap proxy with -H ldaps://127.0.0.1 and it works fine like below
ldapsearch -LLL -x -y ~/.ldap-pass -H ldaps://127.0.0.1 uid=foo
And under sssd ldap auth works fine like below
auth_provider = ldap
ldap_uri = ldaps://127.0.0.1
I want to start using kerberos setting like below and start using kerberos for authentication
auth_provider = krb5
krb5_server = 127.0.0.1:88
But I do not have anything running on port 88
Maybe I am not understanding how to implement a kerberos proxy.
Appreciate any help.
--On Monday, January 07, 2019 6:39 PM -0500 vadud3@gmail.com wrote:
> I do not see any slapo-ldap in my search for man page in openldap site http://www.openldap.org/software/man.cgi?query=slapo*&sektion=0&manp... penLDAP+2.4-Release&apropos=1&format=html
It is slapd-ldap, not slapo-ldap.
> I want to start using kerberos setting like below and start using kerberos for authentication
> May be I am not understanding how to implement kerberos proxy.
Kerberos is its own protocol and set of software. The two primary FOSS distributions of Kerberos are MIT and Heimdal.
You can use LDAP to store the Kerberos Database, and you can use Kerberos tickets to authenticate to LDAP (SASL/GSSAPI), but you cannot use LDAP as an in-between proxy to Kerberos, as they are entirely different protocols.
--Quanah

--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Mon, Jan 07, 2019 at 04:18:36PM -0500, vadud3@gmail.com wrote:
> I am using openldap proxy today with ldap backend.
> Any suggestions on how to use kerberos as the backend?
Kerberos only has the information necessary for authentication, like principals and policies. LDAP stores much more, such as group memberships, numerical uids, home directories, etc. So normally people use both LDAP and Kerberos, not Kerberos alone. There are 3 ways that Kerberos and LDAP can work together:
1. LDAP can use Kerberos to authenticate (bind) access
2. LDAP can forward authentication requests to kerberos via SASL
3. Kerberos can use LDAP as a database backend
In my organization we are using 1 and 2, but not 3. I think Microsoft AD also does something similar under the hood.
On Mon, 7 Jan 2019 16:18:36 -0500, vadud3@gmail.com wrote:
> I am using openldap proxy today with ldap backend.
> Any suggestions on how to use kerberos as the backend?
> [...]
Put it the other way round, use slapd as database backend to kerberos. https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
-Dieter
On Tue, Jan 8, 2019 at 3:27 AM Dieter Klünter dieter@dkluenter.de wrote:
> On Mon, 7 Jan 2019 16:18:36 -0500, vadud3@gmail.com wrote:
> > I am using openldap proxy today with ldap backend.
> > Any suggestions on how to use kerberos as the backend?
> [...]
> Put it the other way round, use slapd as database backend to kerberos. https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
OK, maybe then what I am really looking for is a kerberos proxy.
All my servers today send ldap auth requests to this ldap proxy and we want to switch to kerberos auth instead.

> -Dieter
>
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N 10°08'02,42"E
On Tue, 8 Jan 2019 15:15:39 -0500, vadud3@gmail.com wrote:
> On Tue, Jan 8, 2019 at 3:27 AM Dieter Klünter dieter@dkluenter.de wrote:
> > On Mon, 7 Jan 2019 16:18:36 -0500, vadud3@gmail.com wrote:
> > > I am using openldap proxy today with ldap backend.
> > > Any suggestions on how to use kerberos as the backend?
> > [...]
> > Put it the other way round, use slapd as database backend to kerberos. https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
>
> OK, may be then what I am really looking for is a kerberos proxy.
> All my servers today sending ldap auth request to this ldap proxy and we want to switch to kerberos auth instead.
> [...]
You may try to configure a passthrough authentication, using saslauthd. There are some configuration examples online. Note that this requires slapd to be compiled with '--enable-spasswd'
-Dieter
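For readers following the pass-through authentication suggestion above: the fragments below are an added illustration, not configuration from anyone in this thread, of the setup described in section 14.5 of the OpenLDAP Administrator's Guide, where slapd hands a simple-bind password to saslauthd and saslauthd verifies it against the Kerberos KDC. The file paths, the uid=foo entry, the EXAMPLE.NET realm and the /etc/sysconfig/saslauthd location are assumptions; distributions differ in where they keep the SASL application config and the saslauthd mechanism setting.

```conf
# --- local slapd database (slapd.conf), requires slapd built with --enable-spasswd ---
# The entries the clients bind as live in a local database on the proxy host.
# A userPassword of the form {SASL}<principal> makes slapd defer the simple
# bind to Cyrus SASL instead of comparing a stored hash. No password material
# for foo is stored in LDAP; only the mapping to the Kerberos principal.
#
# Example entry (LDIF, assumed):
#   dn: uid=foo,ou=People,dc=example,dc=net
#   objectClass: inetOrgPerson
#   uid: foo
#   userPassword: {SASL}foo@EXAMPLE.NET

# --- Cyrus SASL application config for slapd (/etc/sasl2/slapd.conf; some
#     distributions use /usr/lib/sasl2/slapd.conf) ---
# Send the plaintext password received on the (TLS-protected) bind to the
# saslauthd socket rather than checking it in-process.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd mechanism (/etc/sysconfig/saslauthd on RHEL-style systems;
#     equivalent to running "saslauthd -a kerberos5") ---
# kerberos5 makes saslauthd obtain a TGT for <user>@<REALM> from the KDC named
# in /etc/krb5.conf, so port 88 of the real KDC must be reachable from this host.
MECH=kerberos5

# --- client side (sssd.conf stays on the LDAP auth provider) ---
# The clients keep doing LDAP simple binds to the proxy; the Kerberos exchange
# happens between saslauthd and the KDC. auth_provider = krb5 would instead
# need a KDC on the named port, which the proxy does not provide.
# [domain/example]
# auth_provider = ldap
# ldap_uri = ldaps://127.0.0.1
```

Two checks worth doing before pointing clients at it: `testsaslauthd -u foo -r EXAMPLE.NET -p '<password>'` confirms the saslauthd-to-KDC leg on its own, and `ldapsearch -x -D uid=foo,ou=People,dc=example,dc=net -W -H ldaps://127.0.0.1 uid=foo` confirms the full bind path through slapd. Because the password travels to the proxy in the bind request, keep the ldaps-only listener from the original config; pass-through authentication does not give the clients Kerberos tickets, it only moves password verification to the KDC.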
openldap-technical@openldap.org