Re: openldap proxy to kerberos

2019-01-09 Thread Dieter Klünter
Am Tue, 8 Jan 2019 15:15:39 -0500
schrieb vad...@gmail.com:

> On Tue, Jan 8, 2019 at 3:27 AM Dieter Klünter 
> wrote:
> 
> > Am Mon, 7 Jan 2019 16:18:36 -0500
> > schrieb vad...@gmail.com:
> >  
> > > I am using openldap proxy today with ldap backend.
> > >
> > > Any suggestions on how to use kerberos as the backend?
> > >  
> > [...]
> >
> > Put it the other way round, use slapd as database backend to
> > kerberos.
> > https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
> >
> >  
> 
> OK, maybe then what I am really looking for is a kerberos proxy.
> 
> All my servers today are sending ldap auth requests to this ldap proxy and
> we want to switch to kerberos auth instead.
[...]

You may try to configure a passthrough authentication, using saslauthd.
There are some configuration examples online. Note that this requires
slapd to be compiled with '--enable-spasswd'

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: openldap proxy to kerberos

2019-01-08 Thread vadud3
On Tue, Jan 8, 2019 at 3:27 AM Dieter Klünter  wrote:

> Am Mon, 7 Jan 2019 16:18:36 -0500
> schrieb vad...@gmail.com:
>
> > I am using openldap proxy today with ldap backend.
> >
> > Any suggestions on how to use kerberos as the backend?
> >
> [...]
>
> Put it the other way round, use slapd as database backend to kerberos.
> https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
>
>

OK, maybe then what I am really looking for is a kerberos proxy.

All my servers today are sending ldap auth requests to this ldap proxy and we
want to switch to kerberos auth instead.



> -Dieter
> --
> Dieter Klünter | Systemberatung
> http://sys4.de
> GPG Key ID: E9ED159B
> 53°37'09,95"N
> 10°08'02,42"E
>
>

-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: openldap proxy to kerberos

2019-01-08 Thread Dieter Klünter
Am Mon, 7 Jan 2019 16:18:36 -0500
schrieb vad...@gmail.com:

> I am using openldap proxy today with ldap backend.
> 
> Any suggestions on how to use kerberos as the backend?
> 
[...]

Put it the other way round, use slapd as database backend to kerberos. 
https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html

-Dieter
-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
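
As an added illustration of the MIT setup Dieter links to (this is not code from the thread, from OpenLDAP or from the MIT krb5 project), the configuration that makes slapd the KDC's database, together with the slapd ACL that keeps the principal keys away from everyone except the KDC's own bind identities. The realm EXAMPLE.NET, the container and service DNs, the keyfile path and the ldapi:/// URI are assumptions chosen to match the dc=example,dc=net suffix used in the thread; the kdb5_ldap_util subcommands are the ones MIT documents.

```sh
#!/bin/sh
# Added example, not from the thread: MIT krb5 with slapd as its database (kldap).
# EXAMPLE.NET, the container DN, the two service DNs, the keyfile path and the
# slapd URI are assumptions chosen to match the thread's dc=example,dc=net.
set -eu

REALM=EXAMPLE.NET
SUFFIX="dc=example,dc=net"
KRB_CONTAINER="cn=krbContainer,${SUFFIX}"
KDC_DN="cn=kdc-service,${SUFFIX}"      # read-only identity used by krb5kdc
ADM_DN="cn=adm-service,${SUFFIX}"      # read/write identity used by kadmind
KEYFILE=/etc/krb5kdc/service.keyfile   # stashed bind passwords; keep it root-only
LDAP_URI=ldapi:///                     # local socket: KDC traffic never leaves the host

# /etc/krb5.conf: point the realm at a kldap module.  kerberos.schema from the
# krb5 source tree must already be loaded into slapd for the krb* attributes to exist.
krb5_conf_fragment() {
    cat <<EOF
[realms]
    ${REALM} = {
        database_module = openldap_ldapconf
    }

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = ${KRB_CONTAINER}
        ldap_kdc_dn = "${KDC_DN}"
        ldap_kadmind_dn = "${ADM_DN}"
        ldap_service_password_file = ${KEYFILE}
        ldap_servers = ${LDAP_URI}
        ldap_conns_per_server = 5
    }
EOF
}

# slapd.conf ACL: krbPrincipalKey carries the long-term key of every principal,
# so only the two service identities may see it, and the realm container is
# invisible to everyone else.  ACLs are first-match: put these before broader rules.
slapd_acl_fragment() {
    cat <<EOF
access to attrs=krbPrincipalKey
        by dn.exact="${KDC_DN}" read
        by dn.exact="${ADM_DN}" write
        by * none

access to dn.subtree="${KRB_CONTAINER}"
        by dn.exact="${KDC_DN}" read
        by dn.exact="${ADM_DN}" write
        by * none
EOF
}

# Create the realm inside LDAP, stash the two bind passwords, then prove the KDC
# side can read its database.  Needs a live slapd and an admin DN with write access.
bootstrap_realm() {
    admin_dn=$1
    kdb5_ldap_util -D "$admin_dn" -H "$LDAP_URI" create -subtrees "ou=People,${SUFFIX}" -r "$REALM" -s
    kdb5_ldap_util -D "$admin_dn" -H "$LDAP_URI" stashsrvpw -f "$KEYFILE" "$KDC_DN"
    kdb5_ldap_util -D "$admin_dn" -H "$LDAP_URI" stashsrvpw -f "$KEYFILE" "$ADM_DN"
    chmod 600 "$KEYFILE"
    kadmin.local -r "$REALM" -q listprincs
}

# Print the two fragments when run directly; bootstrap_realm needs live services.
krb5_conf_fragment
slapd_acl_fragment
```

Two points a practitioner should keep in mind with this layout. With -subtrees the KDC will also look for principals on the ordinary user entries under ou=People, which is convenient but means krbPrincipalKey ends up on the same entries that directory clients read, hence the attribute-level ACL above rather than relying on the container ACL alone. The service password file only obfuscates the two bind passwords, it does not encrypt them, so it deserves the same handling as the KDC's stash file.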



Re: openldap proxy to kerberos

2019-01-07 Thread Quanah Gibson-Mount

--On Monday, January 07, 2019 6:39 PM -0500 vad...@gmail.com wrote:


> I do not see any slapo-ldap in my search for man page in openldap site
> http://www.openldap.org/software/man.cgi?query=slapo*=0=OpenLDAP+2.4-Release=1=html


It is slapd-ldap, not slapo-ldap.


> I want to start using kerberos setting like below and start using
> kerberos for authentication
>
> Maybe I am not understanding how to implement kerberos proxy.


Kerberos is its own protocol and set of software.  The two primary FOSS 
distributions of Kerberos are MIT and Heimdal.


You can use LDAP to store the Kerberos Database, and you can use Kerberos 
tickets to authenticate to LDAP (SASL/GSSAPI), but you cannot use LDAP as 
an in-between proxy to Kerberos, as they are entirely different protocols.


--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: openldap proxy to kerberos

2019-01-07 Thread Derek Zhou
On Mon, Jan 07, 2019 at 04:18:36PM -0500, vad...@gmail.com wrote:
> I am using openldap proxy today with ldap backend. 
> 
> Any suggestions on how to use kerberos as the backend?
> 

Kerberos only has information necessary for authentication, like principals
and policies. LDAP stores much more, such as group memberships, numerical
uids, home directories, etc. So normally people use both LDAP and Kerberos,
not Kerberos alone. There are 3 ways that Kerberos and LDAP can work
together:

1, LDAP can use Kerberos to authenticate (bind) access
2, LDAP can forward authentication requests to kerberos via SASL
3, Kerberos can use LDAP as a database backend

In my organization we are using 1 and 2, but not 3. I think Microsoft AD also
does something similar under the hood.
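
As an added example (not code from this thread, from OpenLDAP or from Cyrus SASL), here is what option 2 above, and Dieter's pointer at the top of the thread to pass-through authentication with saslauthd, amount to in practice: the saslauthd mechanism, slapd's SASL client configuration, the {SASL} userPassword value, and the two commands that verify each hop. The realm EXAMPLE.NET, the base DN, the mux socket path and the uid foo are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread: slapd pass-through authentication.
# A simple bind against slapd is verified by saslauthd, which checks the
# password against the Kerberos KDC.  slapd must have been built with
# --enable-spasswd for the {SASL} userPassword scheme to be recognised.
# REALM, BASE_DN, the mux socket path and the uid "foo" are assumptions.
set -eu

REALM=EXAMPLE.NET
BASE_DN="ou=People,dc=example,dc=net"
MUX=/run/saslauthd/mux    # saslauthd socket; check your distribution's default

# 1. saslauthd has to run with the kerberos5 mechanism (RHEL: MECH=kerberos5 in
#    /etc/sysconfig/saslauthd; Debian: MECHANISMS="kerberos5" in /etc/default/saslauthd).
saslauthd_cmdline() {
    printf 'saslauthd -a kerberos5 -m %s\n' "$(dirname "$MUX")"
}

# 2. slapd's SASL config (/etc/sasl2/slapd.conf or /usr/lib64/sasl2/slapd.conf,
#    depending on the distribution): hand plaintext password checks to saslauthd.
sasl_slapd_conf() {
    cat <<EOF
pwcheck_method: saslauthd
saslauthd_path: $MUX
EOF
}

# 3. The entry stores no hash at all: a {SASL} reference names the principal
#    that saslauthd will verify.  Apply with: ldapmodify -x -D <admin> -W -f file.ldif
passthrough_ldif() {
    uid=$1; realm=$2
    cat <<EOF
dn: uid=${uid},${BASE_DN}
changetype: modify
replace: userPassword
userPassword: {SASL}${uid}@${realm}
EOF
}

# 4. Verify each hop separately: saslauthd -> KDC first, then the bind through slapd.
verify_passthrough() {
    uid=$1; realm=$2; password=$3
    testsaslauthd -f "$MUX" -u "$uid" -r "$realm" -p "$password"
    ldapwhoami -x -H ldaps://127.0.0.1 -D "uid=${uid},${BASE_DN}" -w "$password"
}

# True when a userPassword value delegates to saslauthd rather than storing a hash.
is_sasl_scheme() {
    case $1 in '{SASL}'*) return 0 ;; *) return 1 ;; esac
}

# Print the fragments when run directly; verify_passthrough needs live services.
sasl_slapd_conf
passthrough_ldif "${1:-foo}" "$REALM"
```

Two caveats worth stating plainly. First, this is still password authentication from the client's point of view: the client sends its password to slapd over LDAPS, slapd sees it in the clear, and saslauthd turns it into a password check against the KDC; nothing ever listens on port 88 on the proxy, so sssd keeps auth_provider = ldap in this design. Second, the {SASL} scheme is evaluated only where slapd itself checks userPassword, i.e. for entries held in a local database such as back-mdb. With a read-only back-ldap proxy like the one in the original post, a simple bind is forwarded to the remote server as-is (rebind-as-user), so the remote server's password policy applies and this mechanism does not come into play.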




Re: openldap proxy to kerberos

2019-01-07 Thread vadud3
On Mon, Jan 7, 2019 at 5:53 PM Dan White  wrote:

> On 01/07/19 16:18 -0500, vad...@gmail.com wrote:
> >I am using openldap proxy today with ldap backend.
> >
> >Any suggestions on how to use kerberos as the backend?
> >
> >Here is my config (sanitized)
> >
> >$ cat slapd.conf
>
> >### Database definition (Proxy to AD) #
> >database        ldap
> >readonly        yes
> >protocol-version 3
> >rebind-as-user  yes
> >uri             "ldaps://ldap.example.com:1636"
> >suffix          "ou=People,dc=example,dc=net"
>
> I'm not clear on where kerberos authentication fits in this scenario, but
> the two pieces of documentation to start with would be the slapo-ldap
> manpage, and the OpenLDAP Software 2.4 Administrator's Guide, section 14.5,
> and chapter 15.
>
> If that doesn't address your question, please provide more detail, including
> how your clients authenticate with the proxy server.
>

I do not see any slapo-ldap in my search for man page in openldap site
http://www.openldap.org/software/man.cgi?query=slapo*=0=OpenLDAP+2.4-Release=1=html

So on my client I like to point to kerberos proxy for authentication.

Today I am using ldap proxy with -H ldaps://127.0.0.1 and it works fine
like below

   ldapsearch -LLL -x -y ~/.ldap-pass -H ldaps://127.0.0.1 uid=foo

And under sssd ldap auth works fine like below

  auth_provider = ldap
  ldap_uri = ldaps://127.0.0.1


I want to start using kerberos setting like below and start using kerberos
for authentication

  auth_provider = krb5
  krb5_server = 127.0.0.1:88

But I do not have anything running on port 88




Maybe I am not understanding how to implement kerberos proxy.

Appreciate any help.


-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?


Re: openldap proxy to kerberos

2019-01-07 Thread Dan White

On 01/07/19 16:18 -0500, vad...@gmail.com wrote:

>I am using openldap proxy today with ldap backend.
>
>Any suggestions on how to use kerberos as the backend?
>
>Here is my config (sanitized)
>
>$ cat slapd.conf
>
>### Database definition (Proxy to AD) #
>database        ldap
>readonly        yes
>protocol-version 3
>rebind-as-user  yes
>uri             "ldaps://ldap.example.com:1636"
>suffix          "ou=People,dc=example,dc=net"


I'm not clear on where kerberos authentication fits in this scenario, but
the two pieces of documentation to start with would be the slapo-ldap
manpage, and the OpenLDAP Software 2.4 Administrator's Guide, section 14.5,
and chapter 15.

If that doesn't address your question, please provide more detail, including
how your clients authenticate with the proxy server.



openldap proxy to kerberos

2019-01-07 Thread vadud3
I am using openldap proxy today with ldap backend.

Any suggestions on how to use kerberos as the backend?

Here is my config (sanitized)

$ cat slapd.conf
### Schema includes ###
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/misc.schema
include         /etc/openldap/schema/nis.schema

## Module paths ##
modulepath      /usr/lib64/openldap/
moduleload      back_ldap

# Main settings ###
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
sizelimit       unlimited

TLSCertificateFile      /root/data/certs/ldap.crt
TLSCertificateKeyFile   /root/data/certs/ldap.key

### Database definition (Proxy to AD) #
database        ldap
readonly        yes
protocol-version 3
rebind-as-user  yes
uri             "ldaps://ldap.example.com:1636"
suffix          "ou=People,dc=example,dc=net"
### Logging ###
loglevel        0




-- 
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?