===== What's this? =====

**Please note:** The setup below can nowadays be implemented much more easily using [[https://freeipa.org|FreeIPA]].

First I drafted these features, looking for an all-in-one authentication/directory solution to give users single sign-on and some other features:

== must-features ==

  - sensitive network traffic is encrypted
  - mutual authentication of the involved servers and clients
  - use open source software (reusable, auditable, extendable; no other option than that)

== can-features ==

  - verify users on Linux/Solaris 10/HP-UX/AIX/Windows against a directory/authentication server
  - resolve uids/gids with the help of a directory/authentication server (nsswitch)
  - restrict in the directory which users can use which services and log on to which servers
  - manage sudo lists in the central directory
  - make the directory/authentication server usable to authenticate users on Apache (for Trac, Subversion etc.)
  - provide single sign-on (the user has to authenticate only once and can use all services after that)
  - the user can change his password on the command line

After some tries the path became clear: OpenLDAP/BIND/MIT Kerberos on a server. The common setup in corporations is Windows workplaces hooked into an AD domain. The setup described here establishes a trust between the AD server and the OpenLDAP/BIND/MIT Kerberos server, allowing the AD domain users to use services from the MIT Kerberos realm, such as logging in via ssh. Should set this up later using FreeIPA for hosting the LDAP/Kerberos services.

With this solution all Linux/Unix servers are serviced by open software, to ease debugging and operation. Using those components from e.g. Red Hat, one can get support if needed. Handling of Windows workplaces is done by AD servers; a cross-realm setup with the MIT realm is apparently supported by Microsoft.
===== links =====

== generic ==

  * https://web.mit.edu/kerberos/www/krb5-1.6 -- general Kerberos docs
  * https://www.ietf.org/rfc/rfc4120.txt -- the Kerberos protocol explained, current RFC
  * https://freeipa.org/ -- nice replacement project offering LDAP/Kerberos/RADIUS in one place, pushed by Red Hat; great stuff!

== MIT realm <-> AD domain interaction ==

  * https://www.usenix.org/events/lisa-nt2000/hill/hill_html/ -- presentation on MIT's cross-realm setup
  * https://sourceforge.net/projects/sc-ap -- Windows can authenticate directly at a Kerberos KDC; with this it can also get the other user info from an LDAP server

== samba 3.x/4 ==

  * https://wiki.samba.org/index.php/Samba4 -- Samba4 roadmap; it will directly emulate an AD server. Now part of Samba 3.x

===== snippets =====

== Having passwords in both LDAP and Kerberos around? ==

One can use "{SASL}@" in the "userPassword" attribute of the users, so that OpenLDAP hands the password check to saslauthd, which is configured with Kerberos as its backend. Password changing can be done with the pam_krb5 module.

== Kerberos and multihomed hosts ==

A host that has the DNS names name1.asd.net and name2.def.org. Create the principals host/name1.asd.net and host/name2.def.org and store them in the keytab. Try setting 'GSSAPIStrictAcceptorCheck no' in sshd_config (this lets sshd use a principal whose name differs from the hostname). Patches for this also exist; Quest also distributes an OpenSSH version with such a patch.
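The multihomed-host snippet above as an added shell example (not code from this wiki page): it derives the host principals for the two DNS names, prints the kadmin commands that would create them and add them to the keytab (printed for review, not executed), and checks whether a given sshd_config relaxes the acceptor check. The realm EXAMPLE.ORG and the keytab path /etc/krb5.keytab are assumptions.

```shell
#!/bin/sh
# Added example; not from the wiki page. Assumed values: the realm
# EXAMPLE.ORG and the default system keytab /etc/krb5.keytab.
REALM="EXAMPLE.ORG"
KEYTAB="/etc/krb5.keytab"

# One host principal per DNS name the multihomed host answers to.
host_principals() {
    for name in "$@"; do
        printf 'host/%s@%s\n' "$name" "$REALM"
    done
}

# kadmin commands that create each principal with a random key and
# append it to the keytab. Only printed here; feed them to kadmin as
# the Kerberos admin once reviewed.
kadmin_commands() {
    host_principals "$@" | while read -r princ; do
        printf 'addprinc -randkey %s\n' "$princ"
        printf 'ktadd -k %s %s\n' "$KEYTAB" "$princ"
    done
}

# Prints "yes" when sshd_config sets GSSAPIStrictAcceptorCheck to no,
# i.e. sshd accepts any host principal present in the keytab; "no"
# otherwise. sshd honours the first occurrence of a keyword, so the
# first match wins; a missing directive means the strict default.
acceptor_check_relaxed() {
    awk 'tolower($1) == "gssapistrictacceptorcheck" && !seen {
             v = tolower($2); seen = 1
         }
         END { print (v == "no") ? "yes" : "no" }' "$1"
}

# Demo on the two names from the snippet (constructed, nothing executed).
kadmin_commands name1.asd.net name2.def.org
```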