Integration between Heimdal and third-party auth provider like Google?


Integration between Heimdal and third-party auth provider like Google?

Yoann Gini
Hello

I’m wondering if there is a way to use Heimdal and a potential plugin to maintain a third-party auth database like Google Apps?

I mainly use two kinds of setups: OpenDirectory from OS X Server and customer LDAP/Kerberos setups on FreeBSD.

In both scenarios I have an LDAP backend for Heimdal and Heimdal as the auth backend for LDAP.

So when the user changes the password via LDAP, SASL or anything else, the only common component is Heimdal.

And my goal is to find a way to replicate the password change to a third-party service that can’t be integrated into the Kerberos realm.

I’m open to any suggestion :-)

Cheers,
Yoann

Re: Integration between Heimdal and third-party auth provider like Google?

Russ Allbery-2
Yoann Gini <[hidden email]> writes:

> And my goal is to find a way to replicate the password change to a third-
> party service that can’t be integrated into the Kerberos realm.

You can do this by hooking into the password strength check.  It gets a
copy of all passwords changed as part of a regular password change (not a
key randomization), and while it's supposed to just check the strength of
the password, it can actually do anything it wants as long as it returns
success.  So you can use that check binary to write the password to a
third-party service and then return success.

There's also the approach that I took in krb5-sync, which patches Heimdal
to add hooks inside the libkadm5srv library, if you really want:

    https://www.eyrie.org/~eagle/software/krb5-sync/

But I've become convinced that's the wrong design and a design based on
the password strength plugin API is the right way to do this.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
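An added example of the hook Russ describes, not code from the thread or from Heimdal itself: a minimal external check program for Heimdal's external-check password-quality policy, showing the request it reads on stdin and the APPROVED / one-line-error answer it must print. The krb5.conf stanza and program path in the comments are assumptions, and the optional `sync` callback stands in for whatever pushes the password to the third-party service.

```python
import sys

# Heimdal's "external-check" policy runs the configured program and writes
#   principal: <principal>\nnew-password: <password>\nend\n
# to its stdin; the first line it prints is "APPROVED" to accept the change
# or a one-line reason to reject it.  Assumed krb5.conf (path hypothetical):
#   [password_quality]
#       policies = external-check
#       external_program = /usr/local/libexec/pwcheck
MIN_LENGTH = 12

def parse_request(text):
    """Parse the request into a dict; only the first ': ' splits key from
    value, so a password that itself contains ': ' survives intact."""
    fields = {}
    for line in text.split("\n"):
        if line == "end":
            break
        key, sep, value = line.partition(": ")
        if not sep:
            raise ValueError("malformed request line")
        fields[key] = value
    if "principal" not in fields or "new-password" not in fields:
        raise ValueError("incomplete request")
    return fields

def check(text, sync=None):
    """Return the line to print: "APPROVED" or a rejection reason.  `sync`
    is an optional callable(principal, password) run only after the quality
    rules pass (the hook Russ describes); if it raises, this example rejects
    the change rather than let the two password stores silently diverge."""
    try:
        req = parse_request(text)
    except ValueError as err:
        return "Rejected: %s" % err
    principal, password = req["principal"], req["new-password"]
    if len(password) < MIN_LENGTH:
        return "Password must be at least %d characters" % MIN_LENGTH
    if principal.split("@")[0].lower() in password.lower():
        return "Password must not contain the principal name"
    if sync is not None:
        try:
            sync(principal, password)
        except Exception as err:
            return "Password not propagated to external service: %s" % err
    return "APPROVED"

if __name__ == "__main__":
    print(check(sys.stdin.read()))
```

Because the KDC only sees the program's first output line, anything else the program logs should go to stderr or syslog, not stdout.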

Re: Integration between Heimdal and third-party auth provider like Google?

Yoann Gini
Hi Russ

> On 11 Apr 2016 at 19:23, Russ Allbery <[hidden email]> wrote:
>
> You can do this by hooking into the password strength check.  It gets a
> copy of all passwords changed as part of a regular password change (not a
> key randomization), and while it's supposed to just check the strength of
> the password, it can actually do anything it wants as long as it returns
> success.  So you can use that check binary to write the password to a
> third-party service and then return success.

Thanks for your answer, this looks like the way to go indeed.

I’m trying to play with it, but for an unknown reason my settings seem not to be used by the KDC.

Do you have any troubleshooting recommendations related to the external-check feature?

I’m looking for a way to ask the live KDC service to show me its actual configuration, to see if it has correctly taken the modification into account, and also for debug logs eventually.

Best regards
Yoann Gini