More work on Kerberos/LDAP/Samba integration.

Andrew Bartlett abartlet at samba.org
Sat Feb 28 12:20:24 GMT 2004


As a followup to my previous post on Heimdal integration, I wish to
share some further notes.  My hope is to construct a document, much like
the document that used to be available at www.bayour.com, but with a
working setup, based around Samba.

These instructions currently assume Fedora Core 1 (that's what I am
using anyway) and my modified Heimdal installed in /usr/local/heimdal. 
The KDC and LDAP servers are assumed to be started, and the LDAP server
must be restarted after config modifications.

For those not familiar with this guide, Google's cache has a copy:

http://www.google.com.au/search?q=cache:rro7zxKsh6AJ:www.bayour.com/LDAPv3-HOWTO.html+bayour+ldap+kerberos&hl=en&ie=UTF-8

The integration of Kerberos and LDAP is very powerful, not only for
secure systems administration, but also for single-sign-on, across many,
many platforms.  I found that my server, set up per the instructions in
my previous mail, can correctly accept GSSAPI/krb5, Plaintext LDAP and
Samba connections, all with the same, existing, Samba passwords.

The trick is to use Heimdal's kadmin tool to correctly populate a local
keytab for OpenLDAP to use.  I used the default keytab,
/etc/krb5.keytab, and allowed OpenLDAP to read it:

/usr/local/heimdal/sbin/kadmin -l

kadmin> add -r ldap/<FQDN OF LDAP SERVER>@<YOUR KERBEROS REALM>
kadmin> ext ldap/<FQDN OF LDAP SERVER>@<YOUR KERBEROS REALM>

chgrp ldap /etc/krb5.keytab
chmod g+rw /etc/krb5.keytab

The OpenLDAP slapd.conf needs to be modified, to add:

sasl-realm              <YOUR KERBEROS REALM>
sasl-host               <FQDN OF LDAP SERVER>

sasl-regexp      
	uid=(.*),cn=<YOUR KERBEROS REALM>,cn=gssapi,cn=auth
	ldap:///<YOUR LDAP BASE>??sub?(uid=$1)


Then kinit as any Samba user, and run 'ldapwhoami'.  

(If this returns your 'real' DN, then the sasl-regexp stuff has worked.)

The next step is to integrate those legacy applications that use
'ldap authentication' (pam_ldap and friends):

On each user, set the userPassword attribute to 
{kerberos}<USERNAME>@<YOUR KERBEROS REALM>.  This will cause OpenLDAP to 
contact the KDC, when authenticating this user.  The modified Heimdal
will honour Samba disabled and expired accounts correctly, and because
it uses the Samba passwords, we don't need to 'sync' with anything...

Test with: ldapwhoami -x -D <YOUR LDAP USER DN> -W

(If that attribute is not present, make the user a simpleSecurityObject)

I intend to write a SLAPI plugin for OpenLDAP, to create this mapping
on the fly, in future.

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
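As an added illustration (not part of Andrew's mail or of OpenLDAP), the Python below models the two mappings the post configures: the sasl-regexp that turns a GSSAPI identity into the search slapd runs, and the {kerberos} userPassword LDIF for pam_ldap-style clients. The realm EXAMPLE.COM, base dc=example,dc=com and the user DNs are constructed placeholders; the regexp pins the realm exactly as the slapd.conf fragment does, so a principal from another realm gets no directory entry at all.

```python
import re

# Constructed values standing in for the placeholders in the post.
REALM = "EXAMPLE.COM"
LDAP_BASE = "dc=example,dc=com"

# Equivalent of the slapd.conf sasl-regexp: the realm is pinned, so only
# principals from our own realm can ever be mapped to a directory entry.
SASL_REGEXP = re.compile(
    r"^uid=(.*),cn=" + re.escape(REALM) + r",cn=gssapi,cn=auth$"
)


def escape_filter_value(value: str) -> str:
    """Escape LDAP search-filter metacharacters (RFC 4515) in a value."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def sasl_authz_to_search(authzid: str):
    """Map a GSSAPI SASL identity to the LDAP URL slapd would search.

    Returns None when the identity is not from our realm (no match),
    which is exactly what pinning the realm in the regexp buys us.
    """
    m = SASL_REGEXP.match(authzid)
    if m is None:
        return None
    uid = escape_filter_value(m.group(1))
    return f"ldap:///{LDAP_BASE}??sub?(uid={uid})"


def kerberos_userpassword_ldif(dn: str, username: str, add_objectclass: bool) -> str:
    """LDIF pointing a user's userPassword at the KDC via the {kerberos} scheme.

    add_objectclass=True also adds simpleSecurityObject, as the post advises
    when the entry has no userPassword attribute yet.
    """
    lines = [f"dn: {dn}", "changetype: modify"]
    if add_objectclass:
        lines += ["add: objectClass", "objectClass: simpleSecurityObject", "-"]
    lines += ["replace: userPassword",
              f"userPassword: {{kerberos}}{username}@{REALM}"]
    return "\n".join(lines) + "\n"
```

Feed the LDIF to ldapmodify bound as the directory admin, then run the ldapwhoami checks from the post to confirm both the GSSAPI mapping and the simple-bind path resolve to the same DN.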