Michael Ströder wrote:
Xu, Qiang (FXSGSC) wrote:
-----Original Message-----
Michael wrote:
First the client has to obtain a ticket granting ticket (TGT)
from the Kerberos KDC (e.g. via GSSAPI).
Just want to know whether this process can be automatic for LDAP
client? Or do I need to manually write some routines to fetch this key
for GSSAPI?
Obtaining the TGT involves the client's shared secret (derived from the
password). So you mainly need a password at the client-side.
In general, and by default, you use the kinit command to get your TGT -
/usr/bin/kinit or /usr/kerberos/bin/kinit - some operating systems have
a GUI for this, but the command line works like this:
kinit [EMAIL PROTECTED] e.g. kinit [EMAIL PROTECTED]
kinit will prompt you for your kerberos password, acquire the TGT, and
cache it. This of course assumes your kerberos configuration is set up
correctly (e.g. /etc/krb5.conf) - by default, this will create a
credentials cache (cc or ccache) under /tmp like this: /tmp/krb5cc_UID
where UID is your numeric user id.
Use the klist command to see the status of your TGT.
When you use something like ldapsearch -Y GSSAPI, the kerberos
implementation will see if you have a cc, and by default it will look in
/tmp/krb5cc_UID to get them, and use them to authenticate. After you
successfully authenticate, you can use klist to see your ldap ticket
(which will also be cached in the same ccache). The ldap service
principal will usually be named ldap/[EMAIL PROTECTED]
You can specify a different krb5.conf to use with the env. var.
KRB5_CONFIG e.g.
KRB5_CONFIG=/tmp/mykrb5.conf kinit ....
You can specify a different ccache to use with KRB5CCNAME e.g.
KRB5CCNAME=/tmp/myccache kinit ....
KRB5CCNAME=/tmp/myccache ldapsearch -Y GSSAPI ....
You should make yourself a little bit comfortable with the Kerberos
protocol.
This can get tricky since there is no standardized way in which
the LDAP server maps the SASL authc-ID to the authz-ID. And
how to query the authz-ID is also not supported the same way
on all LDAP servers. Which LDAP server do you plan to use?
I plan to test it against ADS LDAP server that resides in a Windows
2003 OS first, because ADS also provides Kerberos authentication at
the same time. It is bad news that different LDAP servers handle SASL
differently.
The LDAP servers do not handle the SASL bind differently. Server-side
identity mapping is handled differently.
By the way, what is authc-ID and authz-ID? What do they
refer to? Would you please elaborate on these, Mike?
The authc-ID is e.g. what the user types in as user name during
authentication. The authz-ID is what the server uses as ID for
authorization. There has to be a mapping there. Since you want to query
some user profile data you have to find out to which LDAP entry the
authc-ID is mapped. With Kerberos the authc-ID is the user's Kerberos
principal name.
With AD and SASL/Kerberos the mapping is simply the user's principal
name found in attribute 'userPrincipalName' in the user's entry. You can
use this for searching the user's entry.
Other servers implement extended operations/controls for finding out to
which authz-ID the LDAP server mapped the authc-ID.
http://tools.ietf.org/html/rfc4532
http://tools.ietf.org/html/rfc3829
I'd recommend that you 1. play with the Kerberos utils on your
platform (obtaining TGT with command-line tool kinit, then
using command-line tool ldapsearch with SASL). Note that your
DNS has to be set up correctly!
I have the same thought as you these days. I want to have a Kerberos
client that can work together with the command-line tool of
ldapsearch (which works great for simple binding and search). With
these two at hand, I can use them to do testing first, and use the
testing result as a benchmark to be used in my coding later. But
although I have ldapsearch utility in our Linux environment, I can't
find a working Kerberos utility that works for Linux, or is it my
ignorance? If there is some Kerberos client that can be used in
RedHat Linux, please refer me to the location.
You could use the MIT Kerberos and cyrus-sasl packages provided with
your Linux distribution. Since you're asking here I guess you want to
use the Mozilla LDAP C API.
I'm not sure what you mean by "I can't find a working Kerberos utility
that works for Linux" - every modern linux distribution has all of the
pieces you need - kerberos, gssapi, sasl. The mozldap provided by RHEL
and Fedora has all of these - they should just work.
What version of RedHat Linux are you using?
By the way, do you have some LDAP traces with SASL binding in it?
That will be helpful, too.
I'm not sure this would help you. You should play with a test
configuration yourself.
Ciao, Michael.
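The pieces discussed in this thread (which credentials cache the Kerberos library picks up, the Who Am I? authz-ID forms from RFC 4532, and the AD mapping of the Kerberos principal to the user's entry via userPrincipalName) put together as an added example. This is not code from the thread or from mozldap; it is written against python-ldap (assumed installed) for the live bind, while the helper functions are pure and run offline. The realm, user names and DNs below are constructed sample values.

```python
"""Resolving the authc-ID (Kerberos principal) to the LDAP entry used for
authorization. Added example; assumes python-ldap for the live path only."""
import os
from typing import Optional, Tuple

# Characters that RFC 4515 requires to be hex-escaped inside a filter assertion
# value, so a principal containing them cannot alter the search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attribute value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def credentials_cache(env=None, uid=None) -> str:
    """Return the ccache the Kerberos library will use: KRB5CCNAME if set
    (it may carry a type prefix such as FILE:), else the default /tmp/krb5cc_UID."""
    env = os.environ if env is None else env
    uid = os.getuid() if uid is None else uid
    return env.get("KRB5CCNAME", f"/tmp/krb5cc_{uid}")


def parse_authzid(authzid: str) -> Tuple[str, str]:
    """Split an authzId as returned by the Who Am I? extended operation
    (RFC 4532) into its form ('dn' or 'u') and the identity string."""
    if authzid.startswith("dn:"):
        return "dn", authzid[3:]
    if authzid.startswith("u:"):
        return "u", authzid[2:]
    raise ValueError(f"unrecognised authzId: {authzid!r}")


def ad_user_filter(principal: str) -> str:
    """Filter that locates an AD user entry from the Kerberos principal by
    matching userPrincipalName (the mapping described in the thread)."""
    return f"(userPrincipalName={escape_filter_value(principal)})"


def find_authorized_entry(uri: str, base_dn: str, principal: str) -> Optional[str]:
    """Live path (not exercised offline): SASL/GSSAPI bind with the TGT from
    credentials_cache(), then resolve the authz-ID to an entry DN.
    Assumes python-ldap; the server names and base DN are caller-supplied."""
    import ldap  # python-ldap, assumed available
    import ldap.sasl

    conn = ldap.initialize(uri)
    conn.sasl_interactive_bind_s("", ldap.sasl.gssapi())
    try:
        kind, ident = parse_authzid(conn.whoami_s())  # RFC 4532 Who Am I?
    except (ldap.LDAPError, ValueError):
        kind, ident = "u", principal  # server without Who Am I? support
    if kind == "dn":
        return ident  # the server already named the entry it authorizes as
    # AD answers in the 'u:' form, so fall back to the userPrincipalName search.
    hits = conn.search_s(base_dn, ldap.SCOPE_SUBTREE, ad_user_filter(principal),
                         ["userPrincipalName"])
    return hits[0][0] if hits else None


if __name__ == "__main__":
    # Offline demonstration with constructed values.
    print("ccache in use:", credentials_cache())
    print(parse_authzid("u:EXAMPLE\\qxu"))
    print(ad_user_filter("qxu@EXAMPLE.COM"))
```

Run kinit first so the ccache reported by credentials_cache() holds a TGT; the live function then behaves like `ldapsearch -Y GSSAPI` followed by a userPrincipalName search, with KRB5CCNAME honoured from the environment exactly as the command-line tools honour it.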
_______________________________________________
dev-tech-ldap mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-ldap