KDC with openldap backend, ldap replication, can it chase referrals?


KDC with openldap backend, ldap replication, can it chase referrals?

Andreas Hasenack-2
Hi,

Can mit kerberos (1.17 for the purpose of this conversation) using the
openldap backend (kldap) chase ldap referrals when it tries to write
to an openldap replica, which is read-only?

In other words, can I list both the openldap primary and its read-only
replica in krb5.conf's ldap_servers parameter?
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: KDC with openldap backend, ldap replication, can it chase referrals?

Greg Hudson
On 4/14/20 3:34 PM, Andreas Hasenack wrote:
> Can mit kerberos (1.17 for
> the purpose of this conversation) using the
> openldap backend (kldap) chase ldap referrals when it tries to write
> to an openldap replica, which is read-only?
>
> In other words, can I list both the openldap primary and its read-only
> replica in krb5.conf's ldap_servers parameter?

I don't believe we support this.  This came up a number of years ago:

https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754

and we haven't written the callback code to do a non-anonymous bind when
chasing a referral.

Re: KDC with openldap backend, ldap replication, can it chase referrals?

Andreas Hasenack-2
Hello,

On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson <[hidden email]> wrote:

>
> On 4/14/20 3:34 PM, Andreas Hasenack wrote:
> > Can mit kerberos (1.17 for
> > the purpose of this conversation) using the
> > openldap backend (kldap) chase ldap referrals when it tries to write
> > to an openldap replica, which is read-only?
> >
> > In other words, can I list both the openldap primary and its read-only
> > replica in krb5.conf's ldap_servers parameter?
>
> I don't believe we support this.  This came up a number of years ago:
>
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754

Thanks for the pointer!

Cheers

Re: KDC with openldap backend, ldap replication, can it chase referrals?

Dan Mahoney (Gushi)
On Wed, 15 Apr 2020, Andreas Hasenack wrote:

> Hello,
>
> On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson <[hidden email]> wrote:
>>
>> On 4/14/20 3:34 PM, Andreas Hasenack wrote:
>>> Can mit kerberos (1.17 for
>>> the purpose of this conversation) using the
>>> openldap backend (kldap) chase ldap referrals when it tries to write
>>> to an openldap replica, which is read-only?
>>>
>>> In other words, can I list both the openldap primary and its read-only
>>> replica in krb5.conf's ldap_servers parameter?
>>
>> I don't believe we support this.  This came up a number of years ago:
>>
>> https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754

I may have asked this in the past, but I'll ask it again since LDAP came
up.  We have an existing Kerberos domain, but we don't use LDAP at all (we
just use puppet to handle things like user creation on servers).

Specifically, we don't do active directory for any client workstations and
don't run windows in general -- our users own their own machines, so
there's no tie-in.  It's hundreds of servers, probably ~30 users.

I see a way to do kerberos with an LDAP backend, but not the opposite.
I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have
it use the KDB for authentication.  (Where openLDAP would continue to do
"authorization", but some machines would be kerberos-only and have no
dependence on any LDAP systems).  I don't want to have to re-key hundreds
of systems.

Is this possible in any way?

Failing that, is it possible to dump my KDC and import it into an openLDAP
system?  (If it is, I've found no documentation on this).

-Dan

--


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
FB:  fb.com/DanielMahoneyIV
LI:   linkedin.com/in/gushi
Site:  http://www.gushi.org
---------------------------


Re: KDC with openldap backend, ldap replication, can it chase referrals?

Andreas Hasenack-2
Hello,

On Wed, Apr 15, 2020 at 12:23 PM Dan Mahoney (Gushi)
<[hidden email]> wrote:

> I may have asked this in the past, but I'll ask it again since LDAP came
> up.  We have an existing Kerberos domain, but we don't use LDAP at all (we
> just use puppet to handle things like user creation on servers).
>
> Specifically, we don't do active directory for any client workstations and
> don't run windows in general -- our users own their own machines, so
> there's no tie-in.  It's hundreds of servers, probably ~30 users.
>
> I see a way to do kerberos with an LDAP backend, but not the opposite.
> I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have
> it use the KDB for authentication.  (Where openLDAP would continue to do
> "authorization", but some machines would be kerberos-only and have no
> dependence on any LDAP systems).  I don't want to have to re-key hundreds
> of systems.

Sorry, I don't understand what you mean by "add openldap to existing
kdc". You can add the openldap service to your kerberos realm and have
your users authenticate against your openldap server using kerberos,
just like any other kerberized service.

Re: KDC with openldap backend, ldap replication, can it chase referrals?

Pallissard, Matthew
In reply to this post by Dan Mahoney (Gushi)

On 2020-04-15T08:22:59 -0700, Dan Mahoney (Gushi) wrote:

> On Wed, 15 Apr 2020, Andreas Hasenack wrote:
>
> > Hello,
> >
> > On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson <[hidden email]> wrote:
> >>
> >> On 4/14/20 3:34 PM, Andreas Hasenack wrote:
> >>> Can mit kerberos (1.17 for
> >>> the purpose of this conversation) using the
> >>> openldap backend (kldap) chase ldap referrals when it tries to write
> >>> to an openldap replica, which is read-only?
> >>>
> >>> In other words, can I list both the openldap primary and its read-only
> >>> replica in krb5.conf's ldap_servers parameter?
> >>
> >> I don't believe we support this.  This came up a number of years ago:
> >>
> >> https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754
>
> I may have asked this in the past, but I'll ask it again since LDAP came
> up.  We have an existing Kerberos domain, but we don't use LDAP at all (we
> just use puppet to handle things like user creation on servers).
>
> Specifically, we don't do active directory for any client workstations and
> don't run windows in general -- our users own their own machines, so
> there's no tie-in.  It's hundreds of servers, probably ~30 users.
>
> I see a way to do kerberos with an LDAP backend, but not the opposite.
> I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have
> it use the KDB for authentication.  (Where openLDAP would continue to do
> "authorization", but some machines would be kerberos-only and have no
> dependence on any LDAP systems).  I don't want to have to re-key hundreds
> of systems.
Yep, this is now more of an openldap than an MIT question, so we're getting off-topic.  That aside, krb authn w/ ldap authz is a common pattern.  SASL auth is probably what you're looking for.

https://www.openldap.org/doc/admin24/sasl.html

You can either hand openldap a keytab and have it speak gssapi and/or set the user password field to the sasl backend and have it do the ldap->krb translation.

If you have more questions there is an openldap mailing list.  I'd recommend doing your homework, then taking this conversation over there.  There is also a pretty lively IRC channel.


Matt Pallissard

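The two mechanisms Matt describes, written out as an added cn=config example (this is not code from the thread or from the OpenLDAP project). The realm EXAMPLE.COM, the suffix dc=example,dc=com, the host ldap.example.com and the user dan are assumed names; the service principal ldap/ldap.example.com@EXAMPLE.COM follows the usual naming convention for an LDAP server and is likewise assumed.

```ldif
# Added example: Kerberos authentication, LDAP authorization.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f this-file.ldif
#
# Part 1 - GSSAPI bind. slapd authenticates clients with the Kerberos
# service key ldap/ldap.example.com@EXAMPLE.COM (assumed principal name),
# read from a keytab exported to the slapd process via KRB5_KTNAME.
# The SASL identity slapd sees is of the form
#   uid=<user>,cn=<realm>,cn=gssapi,cn=auth
# (the realm appears lowercased after DN normalisation, an assumption
# here) and is mapped onto an existing entry by olcAuthzRegexp, so the
# user never has a password stored in the directory at all.
dn: cn=config
changetype: modify
replace: olcSaslHost
olcSaslHost: ldap.example.com
-
replace: olcSaslRealm
olcSaslRealm: EXAMPLE.COM
-
replace: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]+),cn=example.com,cn=gssapi,cn=auth ldap:///dc=example,dc=com??sub?(&(objectClass=posixAccount)(uid=$1))
-
# Refuse anonymous and plaintext SASL mechanisms and require a session
# security layer, so only GSSAPI (or EXTERNAL over ldapi/TLS) is accepted.
replace: olcSaslSecProps
olcSaslSecProps: noplain,noanonymous,minssf=56

# Part 2 - SASL pass-through for clients that only do simple bind.
# Instead of a hash, userPassword holds "{SASL}user@REALM". A simple bind
# against this entry is forwarded by slapd to the SASL library, which
# checks it against the KDC. This needs slapd built with SASL password
# support (--enable-spasswd) and a saslauthd running with the kerberos5
# mechanism; the LDAP client itself never talks Kerberos, so this path
# should only be offered over TLS, since the password crosses the wire.
dn: uid=dan,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}dan@EXAMPLE.COM
```

A machine that is "kerberos-only" in Dan's sense simply never talks to slapd: its services keep using their existing keytabs against the unchanged KDC, while hosts that want group or attribute lookups bind to slapd with `ldapsearch -Y GSSAPI` using the ticket they already hold. Check the mapping with `ldapwhoami -Y GSSAPI`, which should print the mapped directory DN rather than the raw `cn=gssapi,cn=auth` identity.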