Table of Contents
Advertisement
47.11.1 Using Kerberos Authentication with
You should now be able to use tools, such as ldapsearch, with Kerberos authentication
automatically.
ldapsearch -b ou=people,dc=example,dc=com '(uid=newbie)'
SASL/GSSAPI authentication started
SASL SSF: 56
SASL installing layers
[...]
# newbie, people, example.com
dn: uid=newbie,ou=people,dc=example,dc=com
uid: newbie
cn: Olaf Kirch
[...]
As you can see, ldapsearch prints a message that it started GSSAPI authentication. The
next message is very cryptic, but it shows that the security strength factor (SSF for
short) is 56 (The value 56 is somewhat arbitrary. Most likely it was chosen because
this is the number of bits in a DES encryption key). What this tells you is that GSSAPI
authentication was successful and that encryption is being used to provide integrity
protection and confidentiality for the LDAP connection.
In Kerberos, authentication is always mutual. This means that not only have you authen-
ticated yourself to the LDAP server, but also the LDAP server authenticated itself to
you. In particular, this means communication is with the desired LDAP server, rather
than some bogus service set up by an attacker.
47.11.2 Kerberos Authentication and LDAP
Now, allow each user to modify the login shell attribute of their LDAP user record.
Assuming you have a schema where the LDAP entry of user joe is located at uid=
joe,ou=people,dc=example,dc=com, set up the following access controls in
/etc/openldap/slapd.conf:
# This is required for things to work _at all_
access to dn.base="" by * read
# Let each user change their login shell
870
Installation and Administration
LDAP
Access Control
Advertisement
Table of Contents
Troubleshooting
