is that common to use kerberos authentication for SUN iplanet LDAP server?

is that common to use kerberos authentication for SUN iplanet LDAP server?

Kent Wu
Hi guys,

Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to the LDAP server), so I'm thinking either MD5-Digest or Kerberos.
However, it looks like SUN LDAP itself doesn't have Kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos...

   So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest; however, it seems
that I have to store the password as plain text in the LDAP
server to enable MD5-digest and I don't want to do that (let
me know if there are other easier ways to enable MD5-digest).

   So my question is: is it pretty easy to enable Kerberos
for SUN LDAP after installing SEAM? Or can SUN LDAP use other
KDCs as well?

Thanks a lot in advance!

P.S. I know LDAPS (LDAP over SSL) can easily achieve my goal,
however I kinda think it's overkill since I don't really
need to protect all the LDAP transactions except for the
password part...

-Kent
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Craig Huckabee
Kent Wu wrote:
>
>    So my question is: is it pretty easy to enable Kerberos
> for SUN LDAP after installing SEAM? Or can SUN LDAP use other
> KDCs as well?
>

   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our
copy against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary
versions they sold previously also use MIT Kerberos.

   We now have several processes that regularly use only GSSAPI/SASL
over SSL to authenticate and communicate with LDAP.  Works very well.

HTH,
Craig


Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Thomas A. La Porte
We, too, are very satisfied customers who use PADL's GSSAPI
plugin. We've had no problems with the implementation and
integration, and support from Luke is outstanding.

We built our copy against MIT Kerberos 1.2.x and use MIT KDCs.
All of our administrative tools interact with the directory using
GSSAPI/SASL.

  -- Tom

Thomas A. La Porte, DreamWorks Animation
<mailto:[hidden email]>

On Thu, 1 Sep 2005, Craig Huckabee wrote:

> Kent Wu wrote:
>>
>>    So my question is that is it pretty easy to enable Kerberos for SUN LDAP
>> after installing SEAM? Or can SUN LDAP use other KDC as well?
>
>  We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions they
> sold previously also use MIT Kerberos.
>
>  We now have several processes that regularly use only GSSAPI/SASL over SSL
> to authenticate and communicate with LDAP.  Works very well.
>
> HTH,
> Craig
>

RE: is that common to use kerberos authentication for SUN iplanet LDAP server?

Wachdorf, Daniel R
In reply to this post by Kent Wu
You can use Sun's Directory Server with a non-Sun KDC; you just have to
have SEAM (Sun's Kerberos) set up on the directory server (i.e. it needs
the client libs).  If you have an install on Solaris 9 or 10 I don't
even think you need to install anything - the Kerberos libs are already
there.  (You will have to run the directory server on a Solaris box.)
See http://docs.sun.com/source/817-7613/ssl.html

-dan

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Kent Wu
Sent: Wednesday, August 31, 2005 3:29 PM
To: [hidden email]
Subject: is that common to use kerberos authentication for SUN iplanet
LDAP server?

Hi guys,

Does anyone have experience on this to share?
I've set up a SUN LDAP server and it's running fine by
using simple authentication so far. Of course I want to
make it more secure (to protect the password while binding
to the LDAP server), so I'm thinking either MD5-Digest or Kerberos.
However, it looks like SUN LDAP itself doesn't have Kerberos
abilities and I have to install SEAM (Sun Enterprise Authentication
Mechanism) separately to enable Kerberos...

   So I was thinking that if I can easily configure SUN LDAP to
use MD5-digest then that should be the easiest; however, it seems
that I have to store the password as plain text in the LDAP
server to enable MD5-digest and I don't want to do that (let
me know if there are other easier ways to enable MD5-digest).

   So my question is: is it pretty easy to enable Kerberos
for SUN LDAP after installing SEAM? Or can SUN LDAP use other
KDCs as well?

Thanks a lot in advance!

P.S. I know LDAPS (LDAP over SSL) can easily achieve my goal,
however I kinda think it's overkill since I don't really
need to protect all the LDAP transactions except for the
password part...

-Kent

Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Wyllys Ingersoll
In reply to this post by Thomas A. La Porte
Thomas A. La Porte wrote:

>  We, too, are very satisfied customers who use PADL's GSSAPI plugin.
>  We've had no problems with the implementation and integration, and
>  support from Luke is outstanding.
>
>  We built our copy against MIT Kerberos 1.2.x and use MIT KDCs. All of
>  our administrative tools interact with the directory using
>  GSSAPI/SASL.


If all you need is GSSAPI, then it should also compile against the
native Solaris GSSAPI libraries as well.

In Solaris 10, all of Kerberos is already bundled, along with GSSAPI,
SASL, and SPNEGO support, which obsoletes the need to maintain a lot of
third-party packages.

-Wyllys



Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Thomas A. La Porte
On Thu, 1 Sep 2005, Wyllys Ingersoll wrote:

> If all you need is GSSAPI, then it should also compile against the native
> Solaris GSSAPI libraries as well.
>
> In Solaris 10, all of Kerberos is already bundled, along with GSSAPI, SASL,
> and SPNEGO support, which obsoletes the need to maintain a lot of
> third-party packages.
>
> -Wyllys


Sorry, I failed to mention that we are running the SunOne/iPlanet
server on a RedHat Linux server, which I don't believe provides
that capability.

  -- Tom

Thomas A. La Porte, DreamWorks SKG
<mailto:[hidden email]>



Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Markus Moeller
In reply to this post by Craig Huckabee
Craig,

You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do encryption
too. What was the reason not to use SASL/GSSAPI with encryption? An example
is AD, which can be accessed via SASL/GSSAPI with encryption.

Thanks
Markus

"Craig Huckabee" <[hidden email]> wrote in message
news:[hidden email]...

> Kent Wu wrote:
>>
>>    So my question is that is it pretty easy to enable Kerberos for SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
>   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions
> they sold previously also use MIT Kerberos.
>
>   We now have several processes that regularly use only GSSAPI/SASL over
> SSL to authenticate and communicate with LDAP.  Works very well.
>
> HTH,
> Craig
>

RE: is that common to use kerberos authentication for SUN iplanet LDAP server?

Wachdorf, Daniel R
In reply to this post by Craig Huckabee
Whether a directory can do SASL/GSSAPI data privacy and/or integrity is
directory server specific.  Some directories (AD) support privacy and/or
integrity protection.  Others (Sun) don't, so you must use SSL.

One other thing to be aware of is that clients can downgrade the privacy
and integrity protection.  If clients can downgrade the data
protection, it makes me wonder if an attacker can downgrade the session.
I haven't looked into it enough.

-dan

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On
Behalf Of Markus Moeller
Sent: Thursday, September 01, 2005 1:24 PM
To: [hidden email]
Subject: Re: is that common to use kerberos authentication for SUN
iplanet LDAP server?

Craig,

You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do encryption
too. What was the reason not to use SASL/GSSAPI with encryption? An example
is AD, which can be accessed via SASL/GSSAPI with encryption.

Thanks
Markus

"Craig Huckabee" <[hidden email]> wrote in message
news:[hidden email]...
> Kent Wu wrote:
>>
>>    So my question is that is it pretty easy to enable Kerberos for SUN
>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>
>   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions
> they sold previously also use MIT Kerberos.
>
>   We now have several processes that regularly use only GSSAPI/SASL over
> SSL to authenticate and communicate with LDAP.  Works very well.
>
> HTH,
> Craig
>
>
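Added example, not part of the thread: a model of the client side of the RFC 4752 SASL GSSAPI security-layer negotiation that Dan's downgrade concern is about, showing where a client has to enforce a floor. It assumes the server's 4-octet offer and the client's reply have already been taken out of their GSS_Wrap tokens; all token bytes are constructed.

```python
"""
Client side of the SASL GSSAPI security-layer negotiation (RFC 4752, section 3.1),
modelled to show where a client must enforce a floor.  The server's 4-octet offer
and the client's reply travel inside GSS_Wrap tokens on the wire; this example
assumes they have already been unwrapped.  All token bytes below are constructed.
"""
import struct
from typing import Tuple

# Bit-mask values for the first octet of both tokens (RFC 4752).
LAYER_NONE = 0x01       # authenticate only; LDAP traffic stays in the clear
LAYER_INTEGRITY = 0x02  # GSS_Wrap with conf_req_flag FALSE: signed, not encrypted
LAYER_CONF = 0x04       # GSS_Wrap with conf_req_flag TRUE: encrypted
LAYER_NAMES = {LAYER_NONE: "none", LAYER_INTEGRITY: "integrity", LAYER_CONF: "confidentiality"}
ALL_LAYERS = LAYER_NONE | LAYER_INTEGRITY | LAYER_CONF


def parse_server_token(token: bytes) -> Tuple[int, int]:
    """Return (offered_layer_mask, server_max_buffer) from the server's 4 octets."""
    if len(token) != 4:
        raise ValueError("server security-layer token must be exactly 4 octets")
    mask = token[0]
    if mask == 0 or mask & ~ALL_LAYERS:
        raise ValueError("invalid security-layer bit-mask 0x%02x" % mask)
    # Octets 2-4: largest message the server can receive, network byte order.
    (max_buf,) = struct.unpack("!I", b"\x00" + token[1:4])
    return mask, max_buf


def describe(mask: int) -> str:
    return ",".join(name for bit, name in LAYER_NAMES.items() if mask & bit) or "nothing"


def choose_layer(offered_mask: int, minimum: int) -> int:
    """
    Take the strongest layer the server offers, but never one weaker than
    `minimum`.  Both tokens are GSS_Wrap-protected, so an on-path attacker
    cannot rewrite the offer; the downgrade Dan describes is a client that
    accepts LAYER_NONE whenever that is all the server advertises, ending up
    with an authenticated but unprotected session.
    """
    for layer in (LAYER_CONF, LAYER_INTEGRITY, LAYER_NONE):
        if offered_mask & layer:
            if layer < minimum:
                raise PermissionError(
                    "server offers only %s; policy requires at least %s"
                    % (describe(offered_mask), LAYER_NAMES[minimum]))
            return layer
    raise ValueError("server offered no usable security layer")


def build_client_token(layer: int, client_max_buf: int, authzid: str = "") -> bytes:
    """Client reply: chosen layer, 3-octet max buffer, optional authorization identity."""
    if layer not in LAYER_NAMES:
        raise ValueError("exactly one layer bit must be selected")
    if layer == LAYER_NONE:
        client_max_buf = 0  # RFC 4752: max buffer must be 0 when no layer is chosen
    if not 0 <= client_max_buf <= 0xFFFFFF:
        raise ValueError("max buffer must fit in 24 bits")
    return bytes([layer]) + struct.pack("!I", client_max_buf)[1:] + authzid.encode("utf-8")


def negotiate(server_token: bytes, minimum: int,
              client_max_buf: int = 65536, authzid: str = "") -> Tuple[int, bytes]:
    """Whole client step: parse the offer, enforce the floor, build the reply."""
    mask, _server_max = parse_server_token(server_token)
    layer = choose_layer(mask, minimum)
    return layer, build_client_token(layer, client_max_buf, authzid)


# Constructed offers (not captured from any server): one advertising every layer,
# as AD does in Markus's account, and one advertising only "none", which is what
# Dan says the Sun directory gives you.
OFFER_ALL_LAYERS = bytes([ALL_LAYERS, 0x00, 0xA0, 0x00])   # max buffer 40960
OFFER_NONE_ONLY = bytes([LAYER_NONE, 0x00, 0x00, 0x00])

if __name__ == "__main__":
    for name, offer in (("all-layers server", OFFER_ALL_LAYERS),
                        ("none-only server", OFFER_NONE_ONLY)):
        try:
            layer, reply = negotiate(offer, minimum=LAYER_CONF, authzid="u:kent")
            print("%s: negotiated %s, reply %s" % (name, LAYER_NAMES[layer], reply.hex()))
        except PermissionError as err:
            print("%s: refused (%s)" % (name, err))
```

OpenLDAP-based clients express the same floor through the SASL `minssf` security property (`ldapsearch -O minssf=56`, or `SASL_SECPROPS minssf=56` in ldap.conf), and python-ldap exposes it as `OPT_X_SASL_SSF_MIN`.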




Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Craig Huckabee
In reply to this post by Markus Moeller
Markus,

   Two reasons:

   1)  We are working towards turning off non-SSL access to our Sun LDAP
servers.

   2)  We ran into problems when talking to AD using Perl-LDAP/SASL
without SSL.  IIRC, we couldn't do a password change over a non-SSL port
- AD spit back an error.  Doing everything over SSL cleared up the problems.

But, yes, in most cases we could just use one or the other.

--Craig


Markus Moeller wrote:

> Craig,
>
> You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do encryption
> too. What was the reason not to use SASL/GSSAPI with encryption? An example
> is AD, which can be accessed via SASL/GSSAPI with encryption.
>
> Thanks
> Markus
>
> "Craig Huckabee" <[hidden email]> wrote in message
> news:[hidden email]...
>
>>Kent Wu wrote:
>>
>>>   So my question is that is it pretty easy to enable Kerberos for SUN
>>>LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>
>>  We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
>>against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions
>>they sold previously also use MIT Kerberos.
>>
>>  We now have several processes that regularly use only GSSAPI/SASL over
>>SSL to authenticate and communicate with LDAP.  Works very well.
>>
>>HTH,
>>Craig
>>



Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Craig Huckabee
In reply to this post by Wyllys Ingersoll
Wyllys Ingersoll wrote:

>
> If all you need is GSSAPI, then it should also compile against the
> native Solaris GSSAPI libraries as well.

I did that under Solaris 9, but we ran into problems.  I would have to
look at my notes for the exact problem, and this was over a year ago.

Have not tried a build under 10 yet...

--Craig


Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Kent Wu
In reply to this post by Markus Moeller
Markus,

   I know SASL/GSSAPI can do encryption according to the document;
however, I tried a while back to enable the encryption against AD while
doing Kerberos authentication in my C program but failed. Did you really
enable the encryption successfully in the program? If so, then I must
have missed something....

Thanks.

-Kent

On Thu, 2005-09-01 at 20:24 +0100, Markus Moeller wrote:

> Craig,
>
> You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do encryption
> too. What was the reason not to use SASL/GSSAPI with encryption? An example
> is AD, which can be accessed via SASL/GSSAPI with encryption.
>
> Thanks
> Markus
>
> "Craig Huckabee" <[hidden email]> wrote in message
> news:[hidden email]...
> > Kent Wu wrote:
> >>
> >>    So my question is that is it pretty easy to enable Kerberos for SUN
> >> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
> >
> >   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
> > against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary versions
> > they sold previously also use MIT Kerberos.
> >
> >   We now have several processes that regularly use only GSSAPI/SASL over
> > SSL to authenticate and communicate with LDAP.  Works very well.
> >
> > HTH,
> > Craig
> >
--
Kent Wu <[hidden email]>
XSIGO INC.

Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Markus Moeller
In reply to this post by Kent Wu
Kent,

I used, for example, ldapsearch on a standard SuSE SLES 9 system with Heimdal
Kerberos, cyrus-sasl and OpenLDAP.
On another system I compiled MIT Kerberos, cyrus-sasl and OpenLDAP myself.
The capture of the ldapsearch was not readable text. Keep in mind you need
the MS PAC authorisation information in your Kerberos ticket, which means
you have to authenticate to AD.

Regards
Markus

"Kent Wu" <[hidden email]> wrote in message
news:[hidden email]...

> Markus,
>
>   I know SASL/GSSAPI can do encryption according to the document
> however I tried a while back to enable the encryption against AD while
> doing kerberos authentication in my C program but failed. Did you really
> enable the encryption successfully in the program? If so then I must
> have missing something then....
>
> Thanks.
>
> -Kent
>
> On Thu, 2005-09-01 at 20:24 +0100, Markus Moeller wrote:
>> Craig,
>>
>> You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do
>> encryption too. What was the reason not to use SASL/GSSAPI with
>> encryption? An example is AD, which can be accessed via SASL/GSSAPI with
>> encryption.
>>
>> Thanks
>> Markus
>>
>> "Craig Huckabee" <[hidden email]> wrote in message
>> news:[hidden email]...
>> > Kent Wu wrote:
>> >>
>> >>    So my question is that is it pretty easy to enable Kerberos for SUN
>> >> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>> >
>> >   We use Sun's LDAP server with PADL's GSSAPI plugin - we built our
>> > copy
>> > against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary
>> > versions
>> > they sold previously also use MIT Kerberos.
>> >
>> >   We now have several processes that regularly use only GSSAPI/SASL
>> > over
>> > SSL to authenticate and communicate with LDAP.  Works very well.
>> >
>> > HTH,
>> > Craig
>> >
>> > ________________________________________________
>> > Kerberos mailing list           [hidden email]
>> > https://mailman.mit.edu/mailman/listinfo/kerberos
>> >
>>
>>
>>
>> ________________________________________________
>> Kerberos mailing list           [hidden email]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
> --
> Kent Wu <[hidden email]>
> XSIGO INC.
>
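Added example, not part of the thread: the check Markus made by eye on his capture ("not readable text"), made mechanical. Given one TCP-level LDAP record it reports whether the traffic is cleartext LDAP, SASL/GSSAPI integrity-only, or SASL/GSSAPI encrypted, assuming Kerberos GSS tokens in RFC 1964 or RFC 4121 framing; the sample records are constructed, not captured.

```python
"""
Classify one LDAP-over-TCP record as cleartext LDAP, SASL integrity-only or
SASL confidentiality, from the bytes alone.  Cleartext LDAP is a BER
LDAPMessage; once a SASL security layer is up, each buffer is a 4-octet length
followed by a GSS-API Wrap token (RFC 4422 section 3.7).  Sample records
below are constructed, not captured from a live directory.
"""
import struct

KRB5_OIDS = {
    bytes.fromhex("2a864886f712010202"): "krb5 (1.2.840.113554.1.2.2)",
    bytes.fromhex("2a864882f712010202"): "MS krb5 (1.2.840.48018.1.2.2)",
}


def ber_length(buf, pos):
    """Decode a BER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def is_cleartext_ldap(rec):
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION n] ... }"""
    if len(rec) < 5 or rec[0] != 0x30:
        return False
    try:
        body_len, pos = ber_length(rec, 1)
        if pos + body_len != len(rec) or rec[pos] != 0x02:   # messageID must follow
            return False
        id_len, pos = ber_length(rec, pos + 1)
        op_tag = rec[pos + id_len]
    except (ValueError, IndexError):
        return False
    return (op_tag & 0xC0) == 0x40                            # APPLICATION-class tag


def classify_gss_wrap(tok):
    """Inspect a GSS-API Wrap token and report whether its payload is encrypted."""
    if tok[:2] == b"\x05\x04" and len(tok) >= 16:             # RFC 4121 (CFX) Wrap
        sealed = bool(tok[2] & 0x02)                           # Flags: 0x02 = Sealed
        return ("sasl-confidentiality" if sealed else "sasl-integrity"), "RFC 4121 Wrap"
    if tok[:1] == b"\x60":                                     # RFC 1964 token framing
        try:
            _, pos = ber_length(tok, 1)
        except ValueError:
            return "unknown", "bad token length"
        if tok[pos:pos + 2] != b"\x06\x09":
            return "unknown", "bad mech OID"
        mech = KRB5_OIDS.get(tok[pos + 2:pos + 11])
        if mech is None:
            return "unknown", "non-krb5 mech"
        pos += 11
        if tok[pos:pos + 2] != b"\x02\x01":                    # TOK_ID 02 01 = Wrap
            return "unknown", mech + ": not a Wrap token"
        seal_alg = tok[pos + 4:pos + 6]                        # SGN_ALG, then SEAL_ALG
        sealed = seal_alg != b"\xff\xff"                       # 0xFFFF = no encryption
        return ("sasl-confidentiality" if sealed else "sasl-integrity"), mech
    return "unknown", "unrecognised GSS token"


def classify_record(rec):
    """Return (kind, detail) for one TCP-level LDAP record."""
    if is_cleartext_ldap(rec):
        return "ldap-cleartext", "BER LDAPMessage; a simple bind here exposes the password"
    if len(rec) >= 4:
        (n,) = struct.unpack("!I", rec[:4])                    # SASL buffer length prefix
        if n == len(rec) - 4:
            return classify_gss_wrap(rec[4:])
    return "unknown", "neither LDAPMessage nor SASL buffer"


# --- constructed samples (labelled placeholders, not real keys or traffic) ---
CLEAR_BIND = bytes.fromhex("300c020101600702010304008000")   # anonymous simple BindRequest


def sasl_buffer(token):
    return struct.pack("!I", len(token)) + token


def rfc1964_wrap(seal_alg, payload):
    """RFC 1964 Wrap token with zeroed SND_SEQ, SGN_CKSUM and confounder fields."""
    body = (b"\x06\x09" + bytes.fromhex("2a864886f712010202")  # krb5 mech OID
            + b"\x02\x01" + b"\x00\x00" + seal_alg + b"\xff\xff"  # TOK_ID, SGN_ALG, SEAL_ALG, filler
            + b"\x00" * 24 + payload)
    return b"\x60" + bytes([len(body)]) + body                 # short-form length only


def rfc4121_wrap(sealed, payload):
    """RFC 4121 Wrap token header: TOK_ID, Flags, Filler, EC, RRC, SND_SEQ (all zeroed)."""
    return b"\x05\x04" + bytes([0x02 if sealed else 0x00, 0xFF]) + b"\x00" * 12 + payload


if __name__ == "__main__":
    for label, rec in (("cleartext bind", CLEAR_BIND),
                       ("integrity only", sasl_buffer(rfc1964_wrap(b"\xff\xff", CLEAR_BIND))),
                       ("encrypted", sasl_buffer(rfc4121_wrap(True, b"\x00" * 20)))):
        print("%-15s -> %s (%s)" % ((label,) + classify_record(rec)))
```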




Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Markus Moeller
In reply to this post by Craig Huckabee
To point 2): I would do the password change through Kerberos kpasswd, or if
you need to do it as an admin, I think there is also a function in the MIT
library to do so.

Regards
Markus

"Craig Huckabee" <[hidden email]> wrote in message
news:[hidden email]...

> Markus,
>
>   Two reasons:
>
>   1)  We are working towards turning off non-SSL access to our Sun LDAP
> servers.
>
>   2)  We ran into problems when talking to AD using Perl-LDAP/SASL without
> SSL.  IIRC, we couldn't do a password change over a non-SSL port - AD spit
> back an error.  Doing everything over SSL cleared up the problems.
>
> But, yes, in most cases we could just use one or the other.
>
> --Craig
>
>
> Markus Moeller wrote:
>
>> Craig,
>>
>> You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do
>> encryption too. What was the reason not to use SASL/GSSAPI with
>> encryption? An example is AD, which can be accessed via SASL/GSSAPI with
>> encryption.
>>
>> Thanks
>> Markus
>>
>> "Craig Huckabee" <[hidden email]> wrote in message
>> news:[hidden email]...
>>
>>>Kent Wu wrote:
>>>
>>>>   So my question is that is it pretty easy to enable Kerberos for SUN
>>>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>
>>>  We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
>>> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary
>>> versions they sold previously also use MIT Kerberos.
>>>
>>>  We now have several processes that regularly use only GSSAPI/SASL over
>>> SSL to authenticate and communicate with LDAP.  Works very well.
>>>
>>>HTH,
>>>Craig
>>>




Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Craig Huckabee


I'm sorry, I didn't make what we're doing clear.  Our MIT KDC is our
master for our realm, our AD domain trusts that realm.  We
add/modify/delete users on our MIT KDC & AD based on our LDAP directory.

All of our users' passwords are kept solely by the KDC.  The GSSAPI LDAP
module also includes PAM functionality so our LDAP servers use pam_krb5
to authenticate - so no crypted password hashes in LDAP.  When we push
down the users to AD, we set the password field there to a long, random,
good password - the trust allows the users to authenticate solely
from the MIT KDC.

So, in the AD case, we just set the appropriate LDAP attribute for each
user to the crypted passwd string.  This user replication process is one
of the many tools that uses Perl-LDAP & GSSAPI/SASL.

The tools we give our users to change their password (web based, Unix
kpasswd, and Windows Ctrl-Alt-Del still works) only need to change it on
the MIT KDC.  Those tools use the standard library functions or the
Windows equivalent.

Now if only Microsoft would fix their PKINIT implementation so it would
pass requests to trusted domains like the password functions do, I'd be
happy.

Thanks,
Craig




Markus Moeller wrote:

> To point 2) I would do the password change through Kerberos kpasswd or if
> you need to do it as an admin I think there is also a function in the MIT
> library to do so.
>
> Regards
> Markus
>
> "Craig Huckabee" <[hidden email]> wrote in message
> news:[hidden email]...
>
>>Markus,
>>
>>  Two reasons:
>>
>>  1)  We are working towards turning off non-SSL access to our Sun LDAP
>>servers.
>>
>>  2)  We ran into problems when talking to AD using Perl-LDAP/SASL without
>>SSL.  IIRC, we couldn't do a password change over a non-SSL port - AD spit
>>back an error.  Doing everything over SSL cleared up the problems.
>>
>>But, yes, in most cases we could just use one or the other.
>>
>>--Craig
>>
>>
>>Markus Moeller wrote:
>>
>>
>>>Craig,
>>>
>>>You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do
>>>encryption too. What was the reason not to use SASL/GSSAPI with
>>>encryption? An example is AD, which can be accessed via SASL/GSSAPI with
>>>encryption.
>>>
>>>Thanks
>>>Markus
>>>
>>>"Craig Huckabee" <[hidden email]> wrote in message
>>>news:[hidden email]...
>>>
>>>
>>>>Kent Wu wrote:
>>>>
>>>>
>>>>>  So my question is that is it pretty easy to enable Kerberos for SUN
>>>>>LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>>
>>>> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
>>>>against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary
>>>>versions they sold previously also use MIT Kerberos.
>>>>
>>>> We now have several processes that regularly use only GSSAPI/SASL over
>>>>SSL to authenticate and communicate with LDAP.  Works very well.
>>>>
>>>>HTH,
>>>>Craig
>>>>




Re: is that common to use kerberos authentication for SUN iplanet LDAP server?

Markus Moeller
Thank you
Markus

"Craig Huckabee" <[hidden email]> wrote in message
news:[hidden email]...

>
>
> I'm sorry, I didn't make what we're doing clear.  Our MIT KDC is our
> master for our realm, our AD domain trusts that realm.  We
> add/modify/delete users on our MIT KDC & AD based on our LDAP directory.
>
> All of our user's passwords are kept solely by the KDC.  The GSSAPI LDAP
> module also includes PAM functionality so our LDAP servers use pam_krb5 to
> authenticate - so no crypted password hashes in LDAP.  When we push down
> the users to AD, we set the password field there to a long, random, good,
> password - the trust allows the users to authenticate solely from the MIT
> KDC.
>
> So, in the AD case, we just set the appropriate LDAP attribute for each
> user to the crypted passwd string.  This user replication process is one
> of the many tools that uses Perl-LDAP & GSSAPI/SASL.
>
> Our tools we give our users to change their password (web based, Unix
> kpasswd, and Windows Ctrl-Alt-Del still works) only need to change it on
> the MIT KDC.  Those tools use the standard library functions or the
> Windows equivalent.
>
> Now if only Microsoft would fix their PKINIT implementation so it would
> pass requests to trusted domains like the password functions do I'd be
> happy.
>
> Thanks,
> Craig
>
>
>
>
> Markus Moeller wrote:
>> To point 2) I would do the password change through Kerberos kpasswd or if
>> you need to do it as an admin I think there is also a function in the MIT
>> library to do so.
>>
>> Regards
>> Markus
>>
>> "Craig Huckabee" <[hidden email]> wrote in message
>> news:[hidden email]...
>>
>>>Markus,
>>>
>>>  Two reasons:
>>>
>>>  1)  We are working towards turning off non-SSL access to our Sun LDAP
>>> servers.
>>>
>>>  2)  We ran into problems when talking to AD using Perl-LDAP/SASL
>>> without SSL.  IIRC, we couldn't do a password change over a non-SSL
>>> port - AD spit back an error.  Doing everything over SSL cleared up the
>>> problems.
>>>
>>>But, yes, in most cases we could just use one or the other.
>>>
>>>--Craig
>>>
>>>
>>>Markus Moeller wrote:
>>>
>>>
>>>>Craig,
>>>>
>>>>You say you use SASL + SSL. As far as I know, SASL/GSSAPI can do
>>>>encryption too. What was the reason not to use SASL/GSSAPI with
>>>>encryption? An example is AD, which can be accessed via SASL/GSSAPI
>>>>with encryption.
>>>>
>>>>Thanks
>>>>Markus
>>>>
>>>>"Craig Huckabee" <[hidden email]> wrote in message
>>>>news:[hidden email]...
>>>>
>>>>
>>>>>Kent Wu wrote:
>>>>>
>>>>>
>>>>>>  So my question is that is it pretty easy to enable Kerberos for SUN
>>>>>> LDAP after installing SEAM? Or can SUN LDAP use other KDC as well?
>>>>>
>>>>> We use Sun's LDAP server with PADL's GSSAPI plugin - we built our copy
>>>>> against MIT Kerberos 1.3.x and use MIT KDCs.  I think the binary
>>>>> versions they sold previously also use MIT Kerberos.
>>>>>
>>>>> We now have several processes that regularly use only GSSAPI/SASL over
>>>>> SSL to authenticate and communicate with LDAP.  Works very well.
>>>>>
>>>>>HTH,
>>>>>Craig
>>>>>


