Difference between revisions of "Projects/LDAP SASL support"
(→Mailing list discussions)
Line 35:
==Mailing list discussions== |
==Mailing list discussions== |
||
− | http://mailman.mit.edu/pipermail/krbdev/2011-November/010610.html |
+ | * http://mailman.mit.edu/pipermail/krbdev/2011-November/010610.html |
− | http://mailman.mit.edu/pipermail/krbdev/2013-October/011781.html |
+ | * http://mailman.mit.edu/pipermail/krbdev/2013-October/011781.html |
==Release notes== |
==Release notes== |
Revision as of 11:27, 12 August 2014
Description
This project adds support for SASL authentication to the LDAP KDB module, based on contributions from Zoran Pericic.
Background
The LDAP Kerberos database module currently supports only simple binding using a DN and password. The configuration inputs are:
- The profile variables "ldap_kdc_dn", "ldap_kadmin_dn", and "ldap_service_password_file".
- The DB parameters "binddn" and "bindpwd".
ldap_kdc_dn is used as the DN for the KDC, and ldap_kadmin_dn for everything else. ldap_service_password_file references a file containing a hex-encoded password for each DN in a simple format.
Design
The following profile variables and database options will be added:
- "ldap_kdc_sasl_mech" and "ldap_kadmind_sasl_mech" profile variables, "sasl_mech" DB parameter
- "ldap_kdc_sasl_authcid" and "ldap_kadmind_sasl_authcid" profile variables, "sasl_authcid" DB parameter
- "ldap_kdc_sasl_authzid" and "ldap_kadmind_sasl_authzid" profile variables, "sasl_authzid" DB parameter
- "ldap_kdc_sasl_realm" and "ldap_kadmind_sasl_realm" profile variables, "sasl_realm" DB parameter
If a SASL mechanism is set, the bind DN will be ignored and a SASL interactive bind will be performed instead. Setting the authzid is only necessary for proxy authentication, which isn't a common case. For mechanisms which require a SASL secret, it will be read from the service password file, with the authentication name (authcid) as the key.
The most commonly used mechanism will likely be EXTERNAL, which does not require an authcid, realm, or secret.
If the <sasl/sasl.h> header file is not present for the build, interactive SASL mechanisms will not work (because we cannot define the interaction function), but non-interactive mechanisms such as EXTERNAL and GSSAPI will still work.
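The bind selection described above, as an added illustration rather than code from the krb5 project: it parses a constructed service password file and decides from the profile variables whether the module would do a simple bind or a SASL bind, and when the SASL secret is needed. The "DN#hexpassword" line layout, the role names, and the set of secretless mechanisms are assumptions made for the example.

```python
import binascii

# Constructed sample of ldap_service_password_file contents.  The "key#hex"
# line layout is an assumption about the "simple format" described above;
# the key is a DN for simple binds or an authcid for SASL binds.
SERVICE_PASSWORD_FILE = """\
cn=kdc-service,dc=example,dc=com#6b64632d736563726574
kdcuser#6469676573742d736563726574
"""

# Mechanisms the design says need no secret from the service password file.
SECRETLESS_MECHS = {"EXTERNAL", "GSSAPI"}


def parse_service_password_file(text):
    """Map each key (DN or authcid) to its hex-decoded secret."""
    secrets = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # DNs may contain '#', the hex password cannot, so split from the right.
        key, sep, hexpw = line.rpartition("#")
        if not sep:
            raise ValueError(f"malformed service password line: {line!r}")
        secrets[key] = binascii.unhexlify(hexpw).decode()
    return secrets


def plan_bind(profile, secrets, role="kdc"):
    """Return the bind the module would perform for role 'kdc' or 'kadmind'.

    profile: dict of the profile variables named in the design above."""
    mech = profile.get(f"ldap_{role}_sasl_mech")
    if not mech:
        # No SASL mechanism: simple bind with the DN and its stashed password.
        dn = profile["ldap_kdc_dn" if role == "kdc" else "ldap_kadmin_dn"]
        return {"type": "simple", "dn": dn, "password": secrets[dn]}
    # A mechanism is set: the bind DN is ignored and SASL is used instead.
    plan = {"type": "sasl", "mech": mech,
            "authcid": profile.get(f"ldap_{role}_sasl_authcid"),
            "authzid": profile.get(f"ldap_{role}_sasl_authzid"),
            "realm": profile.get(f"ldap_{role}_sasl_realm")}
    if mech.upper() not in SECRETLESS_MECHS:
        # Secret-bearing mechanisms look the secret up by authcid.
        if not plan["authcid"]:
            raise ValueError(f"{mech} requires ldap_{role}_sasl_authcid")
        if plan["authcid"] not in secrets:
            raise KeyError(f"no stashed secret for authcid {plan['authcid']!r}")
        plan["secret"] = secrets[plan["authcid"]]
    return plan
```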
Testing
t_kdb.py will be extended to test EXTERNAL and DIGEST-MD5 authentication.
Mailing list discussions
- http://mailman.mit.edu/pipermail/krbdev/2011-November/010610.html
- http://mailman.mit.edu/pipermail/krbdev/2013-October/011781.html
Release notes
Administrator experience:
- Add support to the LDAP KDB module for binding to the LDAP server using SASL.