On 2020-04-15T08:22:59 -0700, Dan Mahoney (Gushi) wrote:

> On Wed, 15 Apr 2020, Andreas Hasenack wrote:
>
> > Hello,
> >
> > On Wed, Apr 15, 2020 at 1:54 AM Greg Hudson <ghud...@mit.edu> wrote:
> > >
> > > On 4/14/20 3:34 PM, Andreas Hasenack wrote:
> > > > Can mit kerberos (1.17 for the purpose of this conversation) using the
> > > > openldap backend (kldap) chase ldap referrals when it tries to write
> > > > to an openldap replica, which is read-only?
> > > >
> > > > In other words, can I list both the openldap primary and its read-only
> > > > replica in krb5.conf's ldap_servers parameter?
> > >
> > > I don't believe we support this. This came up a number of years ago:
> > >
> > > https://krbdev.mit.edu/rt/Ticket/Display.html?id=7754
>
> I may have asked this in the past, but I'll ask it again since LDAP came
> up. We have an existing Kerberos domain, but we don't use LDAP at all (we
> just use puppet to handle things like user creation on servers).
>
> Specifically, we don't do active directory for any client workstations and
> don't run windows in general -- our users own their own machines, so
> there's no tie-in. It's hundreds of servers, probably ~30 users.
>
> I see a way to do kerberos with an LDAP backend, but not the opposite.
> I'd like to "Add" openLDAP to my existing KDC, or deploy openLDAP but have
> it use the KDB for authentication. (Where openLDAP would continue to do
> "authorization", but some machines would be kerberos-only and have no
> dependence on any LDAP systems). I don't want to have to re-key hundreds
> of systems.
Yep, this is now more of an openldap than an MIT question so we're getting off-topic. That aside, krb authn w/ ldap authz is a common pattern. SASL auth is probably what you're looking for.

https://www.openldap.org/doc/admin24/sasl.html

You can either hand openldap a keytab and have it speak gssapi and/or set the user password field to the sasl backend and have it do the ldap->krb translation.

If you have more questions there is an openldap mailing list. I'd recommend doing your homework, then taking this conversation over there. There is also a pretty lively IRC channel.

Matt Pallissard
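To make the two options in Matt's reply concrete, here is an added cn=config fragment (not from the thread or the OpenLDAP project) showing both: a GSSAPI bind mapped onto a directory entry, and a per-user `{SASL}` pass-through so simple binds are verified against the existing KDC instead of a password stored in LDAP. The realm EXAMPLE.COM, host ldap.example.com, suffix dc=example,dc=com and user `dan` are assumed placeholders.

```ldif
# Assumed names: realm EXAMPLE.COM, host ldap.example.com,
# suffix dc=example,dc=com, test user uid=dan. Adjust to your site.
#
# Option 1: slapd speaks GSSAPI itself. slapd must be able to read a
# keytab containing ldap/ldap.example.com@EXAMPLE.COM, e.g. by setting
# KRB5_KTNAME=/etc/krb5.keytab.slapd in slapd's environment.
# A successful GSSAPI bind arrives as the SASL authorization DN
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# olcAuthzRegexp rewrites that to the real entry under ou=people, so
# existing ACLs (the LDAP "authorization" half) apply to a normal DN.
dn: cn=config
changetype: modify
replace: olcSaslRealm
olcSaslRealm: EXAMPLE.COM
-
replace: olcSaslHost
olcSaslHost: ldap.example.com
-
replace: olcAuthzRegexp
olcAuthzRegexp: uid=([^,/]*),cn=example.com,cn=gssapi,cn=auth
  ldap:///ou=people,dc=example,dc=com??one?(uid=$1)

# Option 2: pass-through for clients that can only do a simple bind.
# No password hash lives in LDAP; slapd forwards the cleartext password
# to saslauthd, which validates it against the KDC. This needs
# /etc/sasl2/slapd.conf containing "pwcheck_method: saslauthd" and
# saslauthd running with "-a kerberos5". Because the password crosses
# the wire to slapd, restrict simple binds to TLS (olcSecurity: tls=1).
dn: uid=dan,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}dan@EXAMPLE.COM
```

Hosts that are Kerberos-only never touch the directory; hosts that also need LDAP authorization bind with `ldapsearch -Y GSSAPI` (or a TLS-protected simple bind) and are checked against the same KDC, so no existing keys need to be re-issued.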
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos