OpenLDAP and Kerberos 5 - How to


OpenLDAP and Kerberos 5 - How to

Nguyen, Quoc Khanh


Hi all,

I'm a newcomer. I used to install a mail system (openldap,
cyrus-sasl, cyrus-imap, postfix) without Kerberos, and it worked fine.

I have made a general study of MIT Kerberos, and the way it works for
security really impresses me. Also, I have read on OpenLDAP's home
page that the use of strong authentication services by the OpenLDAP
server, such as those provided by Kerberos, is highly recommended.

Now I just want to configure and install Kerberos 5 for the OpenLDAP system only. So
I have read a lot of documents about Kerberos, and feel that they didn't meet
my requirement.

I... I don't know how to begin with it.

Please help....

Best Regards,

--
***********************************

EVERYTHING HAS JUST BEGUN...
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: OpenLDAP and Kerberos 5 - How to

Brian Candler
On Mon, Apr 18, 2011 at 02:58:29PM +0700, Nguyen, Quoc Khanh wrote:
> I just want to configure and install Kerberos 5 for the OpenLDAP system only. So
> I have read a lot of documents about Kerberos, and feel that they didn't meet
> my requirement.
>
>  I... I don't know how to begin with it.

Here are some presentations I did earlier in the year:
https://nsrc.org/workshops/2011/sanog17/raw-attachment/wiki/Agenda/kerberos1.pdf
https://nsrc.org/workshops/2011/sanog17/raw-attachment/wiki/Agenda/kerberos2.pdf
https://nsrc.org/workshops/2011/sanog17/raw-attachment/wiki/Agenda/kerberos3.pdf

And the exercises that went with them:
https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex1-kerberos-client.html
https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex2-kerberos-host.html
https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex3-kerberos-kdc.html
https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex4-ldap-server.html
https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex999-lab-setup.html

The presentations are very much in note form - they are not supposed to
eliminate the need for a presenter to explain what's going on. However the
lab setup includes building a KDC plus an OpenLDAP server which requires
clients to use Kerberos authentication. You may be able to extract some
useful hints from it. This is all tested using Ubuntu 10.04 LTS.

In summary I'd say:
- build your Kerberos KDC (if you don't already have one)
- get to the point where 'kinit' works
- build your OpenLDAP server and configure it for GSSAPI authentication
- use the ldapsearch command line with -Y GSSAPI to test it

HTH,

Brian.
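
The four summary steps above, turned into checks you can script. This is an added example, not part of Brian's message or the NSRC exercises; the function names, `ldap.example.com`, `EXAMPLE.COM` and `alice` are placeholders, and it assumes MIT `klist` and a root DSE that can be read anonymously.

```shell
#!/bin/sh
# Added example: verification helpers for the four summary steps.
# ldap.example.com / EXAMPLE.COM / alice are placeholders, not values from the thread.

# Server side (step 3): slapd's keytab must hold ldap/<fqdn>@REALM.
# Reads plain `klist -k <keytab>` output, e.g. "   2 ldap/ldap.example.com@EXAMPLE.COM".
keytab_has_ldap_principal() {   # $1 = server FQDN as clients will address it
    awk -v p="ldap/$1@" 'index($2, p) == 1 { ok = 1 } END { exit !ok }'
}

# Step 3: the root DSE must advertise GSSAPI among supportedSASLMechanisms.
# Reads LDIF on stdin; GSS-SPNEGO alone does not count.
offers_gssapi() {
    grep -qi '^supportedSASLMechanisms:[[:space:]]*GSSAPI[[:space:]]*$'
}

# Step 4: after a GSSAPI bind, ldapwhoami reports a SASL identity of the form
#   dn:uid=<user>,cn=gssapi,cn=auth   (a cn=<realm> component may appear in between).
# A DN of any other shape means the bind did not use Kerberos, or that an
# authz-regexp rule on the server has already mapped it to a directory entry.
bound_via_gssapi() {            # $1 = user part of the principal
    tr 'A-Z' 'a-z' | awk -v u="dn:uid=$1," '
        index($0, tolower(u)) == 1 && /,cn=gssapi,cn=auth$/ { ok = 1 }
        END { exit !ok }'
}

# Client-side run against a live server: steps 2 to 4 in order.
run_checks() {                  # $1 = LDAP URI, $2 = user part of the principal
    klist -s || { echo "no valid ticket: run kinit first" >&2; return 1; }
    # Assumes the root DSE is readable with an anonymous simple bind (-x).
    ldapsearch -x -LLL -H "$1" -s base -b "" supportedSASLMechanisms \
        | offers_gssapi || { echo "server does not offer GSSAPI" >&2; return 1; }
    ldapwhoami -Q -Y GSSAPI -H "$1" | bound_via_gssapi "$2" \
        || { echo "bind did not yield a GSSAPI identity" >&2; return 1; }
    echo "GSSAPI bind OK for $2"
}

# Only touch the network when called as: script ldap://ldap.example.com alice
if [ "$#" -eq 2 ]; then run_checks "$1" "$2"; fi
```

On the server, pipe `klist -k` for slapd's keytab into `keytab_has_ldap_principal` with the exact hostname clients use; a missing or mismatched `ldap/` principal is a common reason the GSSAPI bind fails even though `kinit` works.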

RE: OpenLDAP and Kerberos 5 - How to

Zhanna Tsitkova
In reply to this post by Nguyen, Quoc Khanh
You might want to look at http://web.mit.edu/tsitkova/www/build/cookbook/advanced/ldapbackend.html

Re: OpenLDAP and Kerberos 5 - How to

Nguyen, Quoc Khanh
In reply to this post by Brian Candler

Oh... It's a useful document for me. Thanks a lot for your information,
I'm studying it carefully.

Thank you very much...

khanhnq,
--
***********************************
    EVERYTHING HAS JUST BEGUN...

On Mon, 18 Apr 2011 17:23:00 +0100, Brian Candler <[hidden email]> wrote:
> On Mon, Apr 18, 2011 at 02:58:29PM +0700, Nguyen, Quoc Khanh wrote:
>> I just want to configure and install Kerberos 5 for the OpenLDAP system only. So
>> I have read a lot of documents about Kerberos, and feel that they didn't meet
>> my requirement.
>>
>>  I... I don't know how to begin with it.
>
> Here are some presentations I did earlier in the year:
> https://nsrc.org/workshops/2011/sanog17/raw-attachment/wiki/Agenda/kerberos1.pdf
> https://nsrc.org/workshops/2011/sanog17/raw-attachment/wiki/Agenda/kerberos2.pdf
> https://nsrc.org/workshops/2011/sanog17/raw-attachment/wiki/Agenda/kerberos3.pdf
>
> And the exercises that went with them:
> https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex1-kerberos-client.html
> https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex2-kerberos-host.html
> https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex3-kerberos-kdc.html
> https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex4-ldap-server.html
> https://nsrc.org/workshops/ws-files/2011/sanog17/exercises/ex999-lab-setup.html
>
> The presentations are very much in note form - they are not supposed to
> eliminate the need for a presenter to explain what's going on. However the
> lab setup includes building a KDC plus an OpenLDAP server which requires
> clients to use Kerberos authentication. You may be able to extract some
> useful hints from it. This is all tested using Ubuntu 10.04 LTS.
>
> In summary I'd say:
> - build your Kerberos KDC (if you don't already have one)
> - get to the point where 'kinit' works
> - build your OpenLDAP server and configure it for GSSAPI authentication
> - use the ldapsearch command line with -Y GSSAPI to test it
>
> HTH,
>
> Brian.
