
Projects/LDAP SASL support

From K5Wiki
Revision as of 13:59, 12 August 2014 by Ghudson (talk | contribs) (Commits)

This project was completed in release 1.13.


Description

This project adds support for SASL authentication to the LDAP KDB module, based on contributions from Zoran Pericic.

Background

The LDAP Kerberos database module currently supports only simple binding using a DN and password. The configuration inputs are:

  • The profile variables "ldap_kdc_dn", "ldap_kadmin_dn", and "ldap_service_password_file".
  • The DB parameters "binddn" and "bindpwd".

ldap_kdc_dn is used as the DN for the KDC, and ldap_kadmin_dn for everything else. ldap_service_password_file references a file containing a hex-encoded password for each DN in a simple format.

Design

The following profile variables and database options will be added:

  • "ldap_kdc_sasl_mech" and "ldap_kadmind_sasl_mech" profile variables, "sasl_mech" DB parameter
  • "ldap_kdc_sasl_authcid" and "ldap_kadmind_sasl_authcid" profile variables, "sasl_authcid" DB parameter
  • "ldap_kdc_sasl_authzid" and "ldap_kadmind_sasl_authzid" profile variables, "sasl_authzid" DB parameter
  • "ldap_kdc_sasl_realm" and "ldap_kadmind_sasl_realm" profile variables, "sasl_realm" DB parameter

If a SASL mechanism is set, the bind DN will be ignored and a SASL interactive bind will be performed instead. Setting the authzid is only necessary for proxy authentication, which isn't a common case. For mechanisms which require a SASL secret, it will be read from the service password file, with the authentication name (authcid) as the key.

The most commonly used mechanism will likely be EXTERNAL, which does not require an authcid, realm, or secret.

If the <sasl/sasl.h> header file is not present for the build, interactive SASL mechanisms will not work (because we cannot define the interaction function), but non-interactive mechanisms such as EXTERNAL and GSSAPI will still work.
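To show how the variables above fit together, here is an added krb5.conf fragment (not from the project page or the krb5 sources) with two dbmodules stanzas: one using EXTERNAL over a local ldapi socket, which needs no authcid, realm or secret, and one using DIGEST-MD5 with an authcid whose secret is looked up in the service password file. The module names, realm, server URIs, container DN, authcid values and file path are constructed for this example.

```ini
[realms]
    EXAMPLE.COM = {
        # Point the realm at one of the two example stanzas below.
        database_module = ldap_external
    }

[dbmodules]
    # EXTERNAL over ldapi: the LDAP server identifies the KDC and kadmind
    # processes by their Unix peer credentials. Because a SASL mechanism is
    # set, ldap_kdc_dn and ldap_kadmin_dn would be ignored even if present,
    # and no authcid, realm or service password is required.
    ldap_external = {
        db_library = kldap
        ldap_servers = ldapi:///
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_sasl_mech = EXTERNAL
        ldap_kadmind_sasl_mech = EXTERNAL
    }

    # DIGEST-MD5 against a remote server (all names are constructed).
    # The secret for each authcid is read from ldap_service_password_file,
    # keyed by the authcid string rather than by a bind DN.
    ldap_digest = {
        db_library = kldap
        ldap_servers = ldaps://ldap.example.com
        ldap_kerberos_container_dn = cn=krbcontainer,dc=example,dc=com
        ldap_kdc_sasl_mech = DIGEST-MD5
        ldap_kdc_sasl_authcid = kdc-service
        ldap_kdc_sasl_realm = ldap.example.com
        ldap_kadmind_sasl_mech = DIGEST-MD5
        ldap_kadmind_sasl_authcid = kadmin-service
        ldap_kadmind_sasl_realm = ldap.example.com
        ldap_service_password_file = /etc/krb5kdc/service.keyfile
    }
```

The "sasl_mech", "sasl_authcid", "sasl_authzid" and "sasl_realm" DB parameters named above carry the same values for tools that take per-invocation database options instead of reading the profile.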

Testing

t_kdb.py will be extended to test EXTERNAL and DIGEST-MD5 authentication.

Mailing list discussions

Commits

   89b3b6b80d4812722e8d3b02e2134ccf5d1360c2 Modernize some LDAP sources
   e94082d8c923cff454c1bc53b377ba394a3cec3c Add SASL support to LDAP KDB module
   3902e509d0d3ad41ce3938ee11b3a3765a194238 Add tests for LDAP SASL support
   15b7e405ff7b62ab96af45999d1350455948e602 Document LDAP SASL configuration

Finished in [krbdev.mit.edu #7944].

Release notes

Administrator experience:

  • Add support to the LDAP KDB module for binding to the LDAP server using SASL.