What's this?

Please note: The below can nowadays be implemented much more easily using FreeIPA.

First I drafted these requirements, looking for an all-in-one authentication/directory solution that would give users single sign-on and some other features:

  1. sensitive network traffic is encrypted
  2. mutual authentication of the involved servers and clients
  3. use open-source software (reusable, auditable, extendable; no other option than that)
  4. verify users on Linux/Solaris 10/HP-UX/AIX/Windows against a directory/authentication server
  5. resolve UIDs/GIDs with the help of a directory/authentication server (nsswitch)
  6. restrict in the directory which users may use which services and log on to which servers
  7. manage sudo lists in a central directory
  8. make the directory/authentication server usable to authenticate users on Apache (for Trac, Subversion etc.)
  9. provide single sign-on (the user has to authenticate only once and can use all services after that)
  10. the user can change his password on the command line

After some tries the path became clear: OpenLDAP/bind/MIT Kerberos on a server. The common setup in corporations is Windows workstations joined to an AD domain. The setup described here establishes a trust between the AD server and the OpenLDAP/bind/MIT Kerberos server, allowing the AD domain users to use services from the MIT Kerberos realm, such as logging in via ssh. This should later be set up using FreeIPA for hosting the LDAP/Kerberos services.

With this solution all Linux/Unix servers are served by open software, which eases debugging and operation. Using those components from e.g. Red Hat, one can get support if needed. Windows workstations are handled by the AD servers; a cross-realm setup with an MIT Kerberos realm is apparently supported by Microsoft.

MIT realm <-> AD domain interaction
samba 3.x/4

Having passwords in both LDAP and Kerberos around?

One can put “{SASL}<user>@<REALM>” in the “userPassword” attribute of the users, so that OpenLDAP does not store a password hash itself but hands simple binds to saslauthd, which is configured with Kerberos as its backend. Password changes can then be done with the pam_krb5 module, so the only password that exists is the one in the KDC.
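The wiring described above, as an added example that is not part of the original page: a script that generates the saslauthd and slapd SASL configuration plus the LDIF for one account, and a function that applies them to a live system and checks the chain end to end. Realm, base DN, account name and the Debian-style file paths are assumptions.

```sh
#!/bin/sh
# Added example: slapd -> saslauthd -> KDC pass-through for {SASL}user@REALM.
# REALM, BASE_DN, paths and the user are constructed assumptions, not page values.
REALM="EXAMPLE.COM"
BASE_DN="dc=example,dc=com"
SASL_MUX="/var/run/saslauthd/mux"

# The userPassword value slapd hands to saslauthd; no hash is stored in LDAP.
sasl_userpassword() { printf '{SASL}%s@%s' "$1" "$2"; }

# LDIF that points one account at Kerberos; nothing else about the entry changes.
passthrough_ldif() {
  printf 'dn: uid=%s,ou=people,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
    "$1" "$BASE_DN" "$(sasl_userpassword "$1" "$REALM")"
}

# Write both config files below directory $1 ("/" for real use, a tmpdir to inspect).
# Paths are Debian-style; on RHEL slapd reads /etc/sasl2/slapd.conf instead.
write_passthrough_conf() {
  mkdir -p "$1/etc/default" "$1/etc/ldap/sasl2"
  # saslauthd verifies the password against the KDC (kerberos5 mechanism).
  printf 'START=yes\nMECHANISMS="kerberos5"\n' > "$1/etc/default/saslauthd"
  # slapd's own SASL config: {SASL} passwords are checked via saslauthd's socket.
  # The slapd user must be allowed to connect to that socket (e.g. group "sasl").
  printf 'pwcheck_method: saslauthd\nsaslauthd_path: %s\n' "$SASL_MUX" \
    > "$1/etc/ldap/sasl2/slapd.conf"
}

# Apply to a live system and verify: first saslauthd alone, then a simple bind
# through slapd. Needs slapd, saslauthd and a reachable KDC; not run by default.
apply_passthrough() {
  user="$1"
  write_passthrough_conf /
  service saslauthd restart
  passthrough_ldif "$user" | ldapmodify -x -D "cn=admin,$BASE_DN" -W
  printf 'Kerberos password for %s: ' "$user"; stty -echo; read -r pass; stty echo; echo
  testsaslauthd -u "$user" -r "$REALM" -p "$pass"
  ldapwhoami -x -D "uid=$user,ou=people,$BASE_DN" -W
}
```

Running the script as-is only defines the functions; call `apply_passthrough alice` on the LDAP server once saslauthd is installed and the KDC is reachable.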

Kerberos and multihomed hosts

Host with and DNS-named . Create the principals host/ and host/ and store them in the keytab. Try setting 'GSSAPIStrictAcceptorCheck no' in sshd_config (this lets sshd accept a host principal whose name differs from the hostname it resolves for itself). Patches for this also exist; Quest also distributes an OpenSSH version with such a patch.