Projects/LDAP SASL support
Description
This project adds support for SASL authentication to the LDAP KDB module, based on contributions from Zoran Pericic.
Background
The LDAP Kerberos database module currently supports only simple binding using a DN and password. The configuration inputs are:
- The profile variables "ldap_kdc_dn", "ldap_kadmin_dn", and "ldap_service_password_file".
- The DB parameters "binddn" and "bindpwd".
ldap_kdc_dn is used as the DN for the KDC, and ldap_kadmin_dn for everything else. ldap_service_password_file references a file containing a hex-encoded password for each DN in a simple format.
Design
The following profile variables and database options will be added:
- "ldap_kdc_sasl_mech" and "ldap_kadmind_sasl_mech" profile variables, "sasl_mech" DB parameter
- "ldap_kdc_sasl_authcid" and "ldap_kadmind_sasl_authcid" profile variables, "sasl_authcid" DB parameter
- "ldap_kdc_sasl_authzid" and "ldap_kadmind_sasl_authzid" profile variables, "sasl_authzid" DB parameter
- "ldap_kdc_sasl_realm" and "ldap_kadmind_sasl_realm" profile variables, "sasl_realm" DB parameter
If a SASL mechanism is set, the bind DN will be ignored and a SASL interactive bind will be performed instead. Setting the authzid is only necessary for proxy authentication, which isn't a common case. For mechanisms which require a SASL secret, it will be read from the service password file, with the authentication name (authcid) as the key.
The most commonly used mechanism will likely be EXTERNAL, which does not require an authcid, realm, or secret.
If the <sasl/sasl.h> header file is not present for the build, interactive SASL mechanisms will not work (because we cannot define the interaction function), but non-interactive mechanisms such as EXTERNAL and GSSAPI will still work.
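The following is an added example (not code from MIT krb5) that models the bind-selection rules described in this section: if a SASL mechanism is configured the bind DN is ignored, mechanisms such as EXTERNAL and GSSAPI need no secret from the service password file, and for other mechanisms the authcid keys the secret lookup. The profile variables and DB parameter names are the ones listed above; the service password file format (one "name#hex-encoded-secret" per line), the sample entries, and the precedence of a DB parameter over the role-specific profile variable are assumptions made for illustration.

```python
import binascii
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample of an ldap_service_password_file.  Each line holds a
# name (a bind DN, or for SASL an authcid) and the hex-encoded secret,
# separated by '#'.  The exact on-disk format is assumed for illustration.
SERVICE_PASSWORD_FILE = (
    "cn=krbkdc,dc=example,dc=com#6b64637061737377\n"   # "kdcpassw"
    "krbadmin#61646d696e736563726574\n"                # "adminsecret"
)

# Mechanisms that need no secret supplied through a SASL interaction
# (they still work when <sasl/sasl.h> is absent at build time).
NON_INTERACTIVE_MECHS = {"EXTERNAL", "GSSAPI"}

# Profile variable carrying the simple-bind DN for each role:
# ldap_kdc_dn for the KDC, ldap_kadmin_dn for everything else.
DN_VARS = {"kdc": "ldap_kdc_dn", "kadmind": "ldap_kadmin_dn"}


def parse_service_password_file(text: str) -> Dict[str, str]:
    """Map each name in the file to its decoded secret, failing loudly on a
    malformed line rather than silently binding with a wrong secret."""
    secrets: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # The secret is hex, so the last '#' separates it from the name
        # even when the name (a DN) itself contains '#'.
        name, sep, hexsecret = line.rpartition("#")
        if not sep or not name or not hexsecret:
            raise ValueError(f"line {lineno}: expected name#hexsecret")
        try:
            secrets[name] = binascii.unhexlify(hexsecret).decode("utf-8")
        except (ValueError, UnicodeDecodeError) as exc:
            raise ValueError(f"line {lineno}: bad hex-encoded secret") from exc
    return secrets


@dataclass
class BindPlan:
    kind: str                       # "simple" or "sasl"
    dn: Optional[str] = None        # simple bind only
    mech: Optional[str] = None      # SASL only
    authcid: Optional[str] = None
    authzid: Optional[str] = None   # only needed for proxy authentication
    realm: Optional[str] = None
    secret: Optional[str] = None    # None when the mechanism needs none


def resolve_bind(profile: Dict[str, str], db_params: Dict[str, str],
                 secrets: Dict[str, str], role: str) -> BindPlan:
    """Decide how the module binds for role 'kdc' or 'kadmind'.  A DB
    parameter is assumed to override the role-specific profile variable."""
    if role not in DN_VARS:
        raise ValueError(f"unknown role {role!r}")

    def setting(db_key: str, profile_key: str) -> Optional[str]:
        return db_params.get(db_key) or profile.get(profile_key)

    mech = setting("sasl_mech", f"ldap_{role}_sasl_mech")
    if not mech:
        # No SASL mechanism: simple bind with the DN and its stored password.
        dn = setting("binddn", DN_VARS[role])
        if not dn:
            raise ValueError("no bind DN configured for simple bind")
        secret = db_params.get("bindpwd") or secrets.get(dn)
        if secret is None:
            raise ValueError(f"no password for DN {dn} in service password file")
        return BindPlan(kind="simple", dn=dn, secret=secret)

    # SASL configured: the bind DN is ignored; the authcid keys the secret.
    authcid = setting("sasl_authcid", f"ldap_{role}_sasl_authcid")
    plan = BindPlan(kind="sasl", mech=mech, authcid=authcid,
                    authzid=setting("sasl_authzid", f"ldap_{role}_sasl_authzid"),
                    realm=setting("sasl_realm", f"ldap_{role}_sasl_realm"))
    if mech.upper() in NON_INTERACTIVE_MECHS:
        return plan
    if not authcid:
        raise ValueError(f"{mech} requires an authcid to look up its secret")
    if authcid not in secrets:
        raise ValueError(f"no secret for authcid {authcid} in service password file")
    plan.secret = secrets[authcid]
    return plan


if __name__ == "__main__":
    stash = parse_service_password_file(SERVICE_PASSWORD_FILE)
    print(resolve_bind({"ldap_kdc_sasl_mech": "EXTERNAL"}, {}, stash, "kdc"))
    print(resolve_bind({"ldap_kadmind_sasl_mech": "DIGEST-MD5",
                        "ldap_kadmind_sasl_authcid": "krbadmin",
                        "ldap_kadmind_sasl_realm": "EXAMPLE.COM"},
                       {}, stash, "kadmind"))
```

Running the script shows the EXTERNAL plan carrying no secret at all, while the DIGEST-MD5 plan for kadmind resolves "adminsecret" through the authcid rather than through any DN; a DIGEST-MD5 configuration with no authcid is rejected up front instead of producing a bind that can only fail at the server.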
Testing
t_kdb.py will be extended to test EXTERNAL and DIGEST-MD5 authentication.
Mailing list discussions
- http://mailman.mit.edu/pipermail/krbdev/2011-November/010610.html
- http://mailman.mit.edu/pipermail/krbdev/2013-October/011781.html
Commits
- 89b3b6b80d4812722e8d3b02e2134ccf5d1360c2 Modernize some LDAP sources
- e94082d8c923cff454c1bc53b377ba394a3cec3c Add SASL support to LDAP KDB module
- 3902e509d0d3ad41ce3938ee11b3a3765a194238 Add tests for LDAP SASL support
- 15b7e405ff7b62ab96af45999d1350455948e602 Document LDAP SASL configuration
Finished in [krbdev.mit.edu #7944].
Release notes
Administrator experience:
- Add support to the LDAP KDB module for binding to the LDAP server using SASL.