[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenLDAP Backend Guide?
On Tuesday 01 April 2008 09:40:03 Love Hörnquist Åstrand wrote:
> 31 mar 2008 kl. 18.53 skrev Buchan Milne:
> > On Thursday 27 March 2008 20:56:50 billbaird3 wrote:
> >> Hi,
> >>
> >> I'm looking to setup Heimdal with an OpenLDAP backend to use with a
> >> new
> >> OpenAFS deployment. Most of the guides/howtos I have found
> >> reference old
> >> versions of OpenLDAP (2.0, 2.1, etc...current stable is 2.3) and
> >> older
> >> version of Heimdal. Is there a current guide out there? Or can anyone
> >> confirm that the steps listed in the heimdal documetation is still
> >> current?
> >> Any help would be much appreciated, thanks!
> >>
> >> http://www.h5l.org/manual/heimdal-1-1-branch/info/heimdal.html#Using-LDA
> >>P-t o-store-the-database
> >
> > The inaccuracies I see are:
> > - Does –hdb-openldap-module really work? I haven't succeeded with
> > this (so
> > heimdal in Mandriva depends on libldap).
>
> It did work, will put up an item todo before heimdal 1.2.
That would be great.
>
> > -No patching is necessary
>
> Thanks fixed the documentation.
>
> > -The sasl-regexp needs to use a correctly normalized form, e.g.:
> >
> > sasl-regexp "gidNumber=0\\\
> > +uidNumber=0,cn=peercred,cn=external,cn=auth" ....
>
> Already fixed, thanks.
>
> > -I haven't seen corruption of the krb5Key attribute (but I've only
> > used
> > hdb-ldap on OpenLDAP 2.3).
> > -I can't remember having seen hdb-ldap-structural-object do what
> > it's supposed
> > to do.
>
> Hmmm, I guess I need to check this too and write some tests for it?
Would be appreciated.
> > -The availability of the smbk5pwd overlay should probably be
> > mentioned.
>
> Can you propose a text ?
See documentation link below.
>
> > Besides these differences, no decent example is given for mapping
> > non-local-root identities to DNs, I am using this:
> >
> > sasl-regexp
> > uid=(.*),cn=ranger.dnsalias.com,cn=gssapi,cn=auth
> > ldap:///dc=ranger,dc=dnsalias,dc=com??sub?
> > (krb5PrincipalName=$1@RANGER.DNSALIAS.COM)
>
> Can you provide more text about this ? It sound very useful.
A sasl-regexp of this form allows a Kerberos Principal to be mapped to an
OpenLDAP DN of an entry with the krb5PrincipalName matching the Principal (in
this case for the RANGER.DNSALIAS.COM realm only). I could provide an example
(but don't heimdal up on the installation running on the laptop at present).
(krb5PrincipalName being case sensitive may prevent applying this to a
multi-realm environment with one sasl-regexp statement).
> >> Also, is anyone here using a combination of Heimdal, OpenLDAP,
> >> Samba w/LDAP
> >> & OpenAFS. I would love to hear any feedback about this sort of
> >> setup...
> >
> > I don't use AFS, but I have the rest working ok on my own machines
> > (totalling
> > 5).
> >
> > In my opinion, the biggest problems with such a setup relate to
> > different
> > implementations of password policy enforcement (expiry, lockout,
> > complexity)
> > which are not adhered to by more than one technology. So, while
> > OpenLDAP
> > supports having multiple password policies (which are stored in-
> > directory),
> > Heimdal doesn't. The attributes all differ, and none of the
> > technologies
> > update all the attributes (Heimdal does update Samba's pwdLastSet
> > attribute
> > IIRC, maybe others) of any of the others (let alone all). I was
> > hoping to
> > improve this on the OpenLDAP side (since it has the most comprehensive
> > password policy support), but haven't had enough time to spend on it.
> > Progress on the Kerberos end to standardise LDAP attributes for
> > Kerberos-related information would improve matters ...
>
> Is there a easy way to feed back to password updates though the openldap
> and that way make kadmin/kpasswdd use that service instead of doing it
> own ldap updates ?
The smbk5pwd overlay, updates the krb5Key and krb5KeyVersionNumber
appropriately when it receives an LDAP Password change Extended Operation:
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd/README?hideattic=1&sortbydate=0
However, to allow OpenLDAP to make policy decisions (password complexity
etc.), it needs to get the cleartext. It would be nice if Heimdal had an
option to do password changes via an LDAP password change extended operation.
One of the remaining pieces would be for one of the OpenLDAP modules (probably
smbk5pwd) to also update the Heimdal password expiry attributes according to
the password policy (as it does for the ppolicy expiry attributes).
Regards,
Buchan