Re: Heimdal with OpenLDAP backend: Cannot open /usr/lib/hdb_ldap.so

From: O. Hartmann <ohartman_at_zedat.fu-berlin.de>
Date: Mon, 3 Nov 2014 21:24:42 +0100
Am Mon, 3 Nov 2014 12:12:03 -0500 (EST)
Benjamin Kaduk <kaduk_at_MIT.EDU> schrieb:

> On Mon, 3 Nov 2014, O. Hartmann wrote:
> 
> > On Thu, 30 Oct 2014 16:47:02 -0400 (EDT)
> > Benjamin Kaduk <kaduk_at_MIT.EDU> wrote:
> >
> > > On Thu, 30 Oct 2014, O. Hartmann wrote:
> > >
> > Indeed, I did, but I was under the impression both suites share
> > mutuality. Its long time ago since I had contact to KRB5.
> 
> The kerberos v5 protocol is an IETF standard, and a heimdal krb5 client
> will interoperate with an MIT (or even Microsoft!) server, and vice versa.
> The same cannot be said of the kadmin protocols or the database
> administration tools, as those are not part of the core kerberos v5
> protocol.
> 
> > I also sent notices to heimdal_at_h5l.org (hoping someone is listening at
> 
> I'm actually unsure whether that list is active.  I think I'm only on
> heimdal-discuss.
> 
> > > In my experience, most people getting into administering Kerberos
> > > KDCs do so by learning from someone else already doing so (usually in
> > > the same organization), so there are not always written
> > > documentation.  In my (biased) opinion, the MIT documentation is
> > > pretty good; the upstream Heimdal documentation less so.
> >
> > Well, to make it short and not to start a flame war, I disagree. In
> > my/our case, I'm the root or will become such a root to be asked. In
> > such a case good software is also measured by its documentation for
> > exactly that purpose (apart from reading/understanding the source code,
> > if available).
> 
> Between us, we still don't have enough data to say anything for sure, so
> I'll drop it.
> 
> > > (Are you even tied to Heimdal?  If not, you already found the
> > > documentation for using LDAP as a backend for an MIT KDC...)
> >
> > Well, the use of Heimdal has political issues - for the now and
> > the future. Following your recommenadations and lookig for the
> > documentation of MIT Kerberos, I realized that indeed the docs are
> > much more complete - even from the simplest point of view, namelythe
> > accesibility of the server(s) providing the documentation. But as I
> > said, the decission is a more political one.
> 
> Okay.  I can't argue with that.
> 
> > >
> > > From your later message:
> > >
> > > > The lack of documentation is simply a mess. I excluded by intention
> > > > the port security/heimdal to proof whether FreeBSD is capable of
> > > > handling a common and very usual  server task like the mentioned
> > > > scenario.
> > >
> > > I cannot agree that your mentioned scenario is common and very
> > > usual.  In my experience the majority of Unix standalone KDC
> > > deployments use the default (local) database backend, not an LDAP
> > > backend.  (Fancy things like Samba, IPA, and AD are different, but
> > > they are also not in the domain of things in the base system!)
> >
> > Well, FreBSD is supposed to handle larger environments and not
> > home-office or toy systems - that is what is always inside the messages
> > I get and that what I read "inbetween" the written rows. Logically, I
> > conclude that many others utilizing FBSD as a server backend for their
> > purposes even in larger or even big environments use RADIUS or LDAP as
> > backend in combination with Kerberos/Heimdal.
> >
> > From what experiences I exchanged with other administrators at the
> > departments, the use of OpenLDAP as a backend for kerberos/Heimdal
> > isn't that unusual due to the sophisticated replication mechanism,
> > which convinced my. I also have some specific schematics were OpenLDAP
> > as the backend would come in handy (presuming a etup which respects
> > several security issues).
> 
> Sure, an LDAP backend has nice features (it might be slower, though).  I
> don't think an attempt to bring an OpenLDAP server into the FreeBSD base
> system would succeed, though, so heimdal from ports is the only option in
> this case.
> 
> > > I don't know if you followed the MIT documentation this far, but an
> > > MIT KDC needing to authenticate to bind to its LDAP server needs to
> > > have configuration for this in kdc.conf.
> >
> > Well, the last point is making me floating dead in the water - I can
> > find some informations for MIT Kerberos V, but I can not find those for
> > heimdal and with the Heimdal documentation server down and not mirrored
> > the situation is unresovable right now.
> >
> > I can not even evaluate whether the concept I'm thinking of is possible
> > or now (lack of docs!). The OpenLDAP daemon requires TLS-secured access
> > with a certain "security strength factor" for all inbound access. Such
> > a security concept is defined in the toplevel cn=config structure.  My
> > thinking was to have an exception defined by olcAccess rulesets
> > nullifying the SSF for the localhost or the unix-domainsocket, but
> > olcAccess isn't allowed at that level - so the KDC needs to contact
> > its LDAP backend via TLS secured connectsion - and I do not know
> > whether this is possible in Heimdal - and how to configure this request
> > properly. If it is impossible, I probably have to go with a
> > client-based access via SSL certificate which drives the complexity of
> > the setup for the whole domain into problematic regions. Then your
> > suggestion of falling back to a dedicated LDAP for Kerberos might have
> > a reason (at least to me, too).
> 
> Well, a quick glance doesn't rule it out.
> https://github.com/heimdal/heimdal/blob/master/doc/setup.texi#L1123 allows
> ldaps:// urls
> https://github.com/heimdal/heimdal/commit/96e90256757c73ccf349d144e410ddf651a74cbc
> has some config knobs for a separate file for bind dn and password (as
> well as a knob for putting the bind password directly in krb5.conf?).
> 
> Note that I did not check whether all of these bits are in a released
> version of Heimdal; I gather a 1.6 release has been in preparation for
> quite some time.

The FreeBSD contribution in crypto/heimdal/lib/hdb doesn't show those additional knobs,
the same with the port security/heimdal, which is at revision 1.5.2 as far as I can
recall.

But anyway, thank you very much for this hint, very much appreciated!


> 
> > > > anything I've missed? Since I can not find any suitable
> > > > documentation (www.h5l.org/manual is dead!), I'm floating dead in
> > > > the water.
> > >
> > > I don't know of any documentation for doing this with Heimdal,
> > > sorry.  If you were using MIT Kerberos I could be more helpful.
> > >
> > > -Ben
> >
> > Thanks for your response, anyway and apologizes for my late response.
> 
> No worries about the delay; good luck in your quest to get things working.
> 
> -Ben



Received on Mon Nov 03 2014 - 19:24:53 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:53 UTC