Kerberos/LDAP setup
Kerberos/OpenLDAP is one way to set up a single sign-on authentication and authorization system.
Basic Idea
Both Kerberos and LDAP provide authentication capabilities, but Kerberos, with its generic authentication API (GSSAPI), is the more convenient authentication system. It is therefore useful to use Kerberos as the authentication mechanism and LDAP for authorization based on the established identity. The basic setup is as follows: rely on Kerberos to establish the identity of the user, and use OpenLDAP's GSSAPI support and its mapping mechanism (authz-regexp) to map a Kerberos identity to the corresponding LDAP identity. Kerberos can also be configured to store its data in LDAP, so that authentication and authorization data are kept in one central place. Kerberos itself can authenticate to LDAP based on its Unix user identity.
Troubleshooting
- When updating the config of slapd, make sure the slapd.d config directory is fully cleaned, and use slaptest to regenerate the config. slapcat can be used to check whether the cn=config directory contains the desired configuration.
- It is sometimes useful to turn on the slapd debug messages for troubleshooting.
- Check that authz-regexp has correct escaping.
- ldapwhoami can be used to check whether authentication to LDAP identities works.
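As an added illustration of the mapping mechanism described under Basic Idea and the authz-regexp escaping check above (example code written for this page, not part of OpenLDAP), the following Python models slapd's first-match authz-regexp processing so that rules can be checked against sample identities before they are deployed. It assumes the placeholder realm EXAMPLE.COM and suffix dc=example,dc=com, and that Python's re is close enough to the POSIX extended regex slapd uses for these simple patterns.

```python
import re
from typing import Optional, Sequence, Tuple

# Constructed rules, in the order they would appear as authz-regexp lines in
# slapd.conf (or olcAuthzRegexp in cn=config). slapd tries them in order and
# the first match wins. Realm EXAMPLE.COM and suffix dc=example,dc=com are
# placeholders. Note the anchors and the escaped dot in the realm: POSIX
# regexec() matches substrings, so an unanchored or unescaped pattern is
# looser than intended.
RULES: Sequence[Tuple[str, str]] = (
    # host/<fqdn>@EXAMPLE.COM  ->  cn=<fqdn>,ou=Hosts,dc=example,dc=com
    (r"^uid=host/([^,/]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth$",
     "cn=$1,ou=Hosts,dc=example,dc=com"),
    # <user>@EXAMPLE.COM  ->  uid=<user>,ou=People,dc=example,dc=com
    (r"^uid=([^,/]+),cn=EXAMPLE\.COM,cn=gssapi,cn=auth$",
     "uid=$1,ou=People,dc=example,dc=com"),
)


def authz_map(sasl_id: str, rules: Sequence[Tuple[str, str]] = RULES) -> Optional[str]:
    """Return the DN that slapd would map sasl_id to, or None when no rule
    matches (slapd then keeps the raw SASL identity, which has no entry in
    the directory, so ACL-based authorization fails)."""
    for pattern, template in rules:
        m = re.search(pattern, sasl_id)  # search(), like regexec(), is unanchored
        if m:
            # slapd's replacement syntax is $1..$9; translate to Python's \g<N>
            py_template = re.sub(r"\$(\d)", lambda g: "\\g<%s>" % g.group(1), template)
            return m.expand(py_template)
    return None


# Constructed SASL identities in the form OpenLDAP derives from GSSAPI
# (assumed format): uid=<principal>,cn=<REALM>,cn=gssapi,cn=auth
SAMPLES = (
    "uid=alice,cn=EXAMPLE.COM,cn=gssapi,cn=auth",                  # user principal
    "uid=host/ldap.example.com,cn=EXAMPLE.COM,cn=gssapi,cn=auth",  # service principal
    "uid=alice,cn=OTHER.ORG,cn=gssapi,cn=auth",                    # foreign realm
    "uid=alice,cn=EXAMPLE-COM,cn=gssapi,cn=auth",                  # slips through an unescaped dot
)

if __name__ == "__main__":
    for sid in SAMPLES:
        print(sid, "->", authz_map(sid) or "(no mapping)")
```

With a valid ticket, `ldapwhoami -Y GSSAPI` should print `dn:` followed by the mapped DN; if it prints the raw `uid=...,cn=gssapi,cn=auth` identity instead, no rule matched.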