Projects/LDAP SASL support

From K5Wiki
Revision as of 11:21, 12 August 2014 by Ghudson
This project was completed in release 1.13.
Description

This project adds support for SASL authentication to the LDAP KDB module, based on contributions from Zoran Pericic.

Background

The LDAP Kerberos database module currently supports only simple binding using a DN and password. The configuration inputs are:

  • The profile variables "ldap_kdc_dn", "ldap_kadmin_dn", and "ldap_service_password_file".
  • The DB parameters "binddn" and "bindpwd".

ldap_kdc_dn is the DN the KDC binds with, and ldap_kadmin_dn is used by everything else (kadmind and the administrative tools). ldap_service_password_file names a stash file, written by kdb5_ldap_util stashsrvpw, that holds one line per DN with that DN's password in hex. Anyone who can read that file can bind with the rights of those DNs, so it must be readable only by the KDC and kadmind.

Design

For SASL support, the following profile variables and database options will be added:

  • "ldap_kdc_sasl_mech" and "ldap_kadmind_sasl_mech" profile variables, "sasl_mech" DB parameter
  • "ldap_kdc_sasl_authcid" and "ldap_kadmind_sasl_authcid" profile variables, "sasl_authcid" DB parameter
  • "ldap_kdc_sasl_authzid" and "ldap_kadmind_sasl_authzid" profile variables, "sasl_authzid" DB parameter
  • "ldap_kdc_sasl_realm" and "ldap_kadmind_sasl_realm" profile variables, "sasl_realm" DB parameter

(The variables as shipped in release 1.13 use the ldap_kadmin_ prefix, matching ldap_kadmin_dn, rather than ldap_kadmind_.)

If a SASL mechanism is set, the bind DN (and its stashed password) is ignored and a SASL interactive bind is performed instead. Setting the authzid is only necessary for proxy authorization, where the bound identity acts on behalf of another directory identity; this is not a common case. For mechanisms which require a SASL secret, the secret is read from the same service password file, with the authentication name (authcid) rather than a DN as the lookup key, so the authcid must be stashed there beforehand.

The most commonly used mechanism will likely be EXTERNAL, which takes its credential from the transport (a TLS client certificate, or the peer credentials of an ldapi:// socket) and so requires no authcid, realm, or secret.

If the <sasl/sasl.h> header file is not present for the build, the interaction callback that supplies the authcid, realm, and secret cannot be defined, so interactive mechanisms such as DIGEST-MD5 will not work; non-interactive mechanisms such as EXTERNAL and GSSAPI, whose credentials come from the transport or from a GSSAPI credential rather than from the callback, will still work.
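The credential-selection rules above (simple bind keyed by DN, SASL bind keyed by authcid, EXTERNAL needing no secret) are modelled in the following Python. It is an added example, not code from krb5 or from this project; the stash-file line format "name#hexpassword", the helper names, and the set of mechanisms treated as needing no stashed secret are assumptions of the example, and the sample stash file is constructed.

```python
# Added example (not krb5 project code): a small model of how the LDAP KDB
# module selects bind credentials once the SASL parameters exist.  Assumed,
# not stated on the page: the stash-file line format "name#hexpassword",
# the helper and variable names below, and the set of mechanisms treated as
# needing no stashed secret.
import binascii

# Constructed sample ldap_service_password_file.  Each line holds a bind DN
# (simple bind) or a SASL authcid, then '#', then the hex-encoded password.
SAMPLE_STASH = """\
# constructed sample; blank lines and comments are skipped by this parser
cn=krbkdc,dc=example,dc=com#73656372657431
cn=krbadm,dc=example,dc=com#73656372657432
kdc-sasl-user#73656372657433
"""

# Mechanisms whose credential comes from outside the stash file (TLS client
# certificate or ldapi peer credentials for EXTERNAL, a GSS credential for
# GSSAPI).  Assumption of this example.
NO_STASHED_SECRET = {"EXTERNAL", "GSSAPI"}


def parse_stash(text):
    """Return {name: password_bytes} for every name#hexpassword line."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the last '#': the hex part can never contain one,
        # whereas a DN in the name part might.
        name, sep, hexpw = line.rpartition("#")
        if not sep or not name or not hexpw:
            raise ValueError(f"line {lineno}: expected name#hexpassword")
        try:
            secrets[name] = binascii.unhexlify(hexpw)
        except binascii.Error as e:
            raise ValueError(f"line {lineno}: malformed hex password") from e
    return secrets


def bind_plan(role, profile, stash):
    """Decide how `role` ("kdc" or "kadmin") binds to the directory.

    `profile` mirrors the kdc.conf variables ldap_<role>_dn and
    ldap_<role>_sasl_{mech,authcid,authzid,realm}.  Returns a dict that a
    caller would hand to ldap_sasl_bind_s or ldap_sasl_interactive_bind_s.
    """
    mech = profile.get(f"ldap_{role}_sasl_mech")
    if not mech:
        # Simple bind: the DN is the lookup key into the stash file.
        dn = profile.get(f"ldap_{role}_dn")
        if not dn:
            raise ValueError(f"{role}: neither a bind DN nor a SASL mechanism is set")
        if dn not in stash:
            raise KeyError(f"{role}: no stashed password for DN {dn}")
        return {"method": "simple", "dn": dn, "password": stash[dn]}

    # SASL bind: ldap_<role>_dn is ignored entirely, even if present.
    plan = {
        "method": "sasl",
        "mech": mech,
        "authcid": profile.get(f"ldap_{role}_sasl_authcid"),
        "authzid": profile.get(f"ldap_{role}_sasl_authzid"),  # proxy auth only
        "realm": profile.get(f"ldap_{role}_sasl_realm"),
        "password": None,
    }
    if mech.upper() not in NO_STASHED_SECRET:
        # Password mechanisms (e.g. DIGEST-MD5) look the secret up by authcid.
        authcid = plan["authcid"]
        if not authcid:
            raise ValueError(f"{role}: {mech} needs ldap_{role}_sasl_authcid")
        if authcid not in stash:
            raise KeyError(f"{role}: no stashed secret for authcid {authcid}")
        plan["password"] = stash[authcid]
    return plan


def plan_error(role, profile, stash):
    """Return the exception type name bind_plan raises, or None on success."""
    try:
        bind_plan(role, profile, stash)
    except (ValueError, KeyError) as e:
        return type(e).__name__
    return None


if __name__ == "__main__":
    stash = parse_stash(SAMPLE_STASH)
    print(bind_plan("kdc", {"ldap_kdc_dn": "cn=krbkdc,dc=example,dc=com"}, stash))
    print(bind_plan("kdc", {"ldap_kdc_sasl_mech": "EXTERNAL"}, stash))
```

A profile of {"ldap_kadmin_sasl_mech": "DIGEST-MD5", "ldap_kadmin_sasl_authcid": "kdc-sasl-user", "ldap_kadmin_sasl_realm": "example.com"} corresponds to setting those three variables in the [dbmodules] stanza of kdc.conf and stashing the secret under the name kdc-sasl-user; the example then fails early, rather than at bind time, if the authcid is missing from the configuration or from the stash file.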

Testing

t_kdb.py will be extended to test EXTERNAL and DIGEST-MD5 binds against the test LDAP server, covering one mechanism that needs no stashed secret and one that reads its secret from the service password file by authcid.

Mailing list discussions

  • http://mailman.mit.edu/pipermail/krbdev/2011-November/010610.html
  • http://mailman.mit.edu/pipermail/krbdev/2013-October/011781.html

Release notes

Administrator experience:

  • Add support to the LDAP KDB module for binding to the LDAP server using SASL.