[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Heimdal to LDAP integration

To: heimdal-discuss@sics.se, "Thomas Sant Ana" <mailleux@gmail.com>
Subject: Re: Heimdal to LDAP integration
From: "Henry B. Hotz" <hotz@jpl.nasa.gov>
Date: Mon, 4 Jun 2007 11:15:27 -0700
In-Reply-To: <1bbce6440706040608h7607c091wdd1eb6bb13e49185@mail.gmail.com>
List-Archive: <http://list.sics.se/sympa/arc/heimdal-discuss>
List-Help: <mailto:sympa@sics.se?subject=help>
List-Id: <heimdal-discuss.sics.se>
List-Owner: <mailto:heimdal-discuss-request@sics.se>
List-Post: <mailto:heimdal-discuss@sics.se>
List-Subscribe: <mailto:sympa@sics.se?subject=subscribe%20heimdal-discuss>
List-Unsubscribe: <mailto:sympa@sics.se?subject=unsubscribe%20heimdal-discuss>
References: <1bbce6440706040608h7607c091wdd1eb6bb13e49185@mail.gmail.com>
Reply-To: heimdal-discuss@sics.se, "Henry B. Hotz" <hotz@jpl.nasa.gov>

Two ways (other than using an LDAP back-end for Heimdal):

1) If (really big if, since I don't know) there is a password hash  
used by LDAP that matches the hash used by some one of the Kerberos  
enctypes then that password hash could be exported from LDAP and  
imported into Heimdal.  Two specific enctypes to check would be the  
RC4 one, and the single-des ones, because they're common between AD  
and Kerberos.  The XAD product had a process for importing those  
enctypes from AD into their variant of Heimdal, and Samba 4 may as well.

2) You can (and we did) write a plug-in for your LDAP server that  
will check a password from a simple bind against Kerberos.  I gather  
this is in the category of what you're not allowed to do.

On Jun 4, 2007, at 6:08 AM, Thomas Sant Ana wrote:

> People,
>
>    I have the following scenario:
>
> 1) I have a corporate LDAP to which I can bind, but cannot change  
> at all.
> 2) I have a 100 unix/linux machines that are associated to projects
>
> I would like to have a way to authenicate all my machines using the  
> password on the corporate directory, but I can't touch it. What I  
> was thinking in doing was:
>
> 1) Setup Heimdal Kerberos to authenticate users on my machines
> 2) Associate a Kerberos Principal to a LDAP DN
> 3) When an authentication is required on Kerberos, it will map to a  
> DN and attempt a bind.
>
> I've seen several howtos, describing how to link Kerberos and LDAP,  
> but all assume I can shape the LDAP as needed. This IS NOT my case,  
> I can't touch the LDAP.
>
> Is there a way to do this (we may code in C for this)?
> What is the best way to solve this?
>
> Thanks in advance,
>
>    Thomas Santana

------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu

Follow-Ups:
- Re: Heimdal to LDAP integration
  - From: "Thomas Sant Ana" <mailleux@gmail.com>

References:
- Heimdal to LDAP integration
  - From: "Thomas Sant Ana" <mailleux@gmail.com>

Prev by Date: Re: segmentation fault 0.8.1 on CentOS 5
Next by Date: bswap16{32} problem
Prev by thread: Re: Heimdal to LDAP integration
Next by thread: Re: Heimdal to LDAP integration
Index(es):
- Date
- Thread