User Management: LDAP, AFS, Kerberos


  1. #1

    Re: User Management: LDAP, AFS, Kerberos

    Raffaele Sandrini <rasa@gmx.ch> writes:
    > I'm thinking about creating a centrally managed user and data system
    > here. It should use AFS (OpenAFS) as virtual filesystem and LDAP
    > (OpenLDAP) as user and computer info database. I tried this earlier
    > but it ended in more than one user database (LDAP and AFS (Kerberos
    > 4)). I thought of using Kerberos 5 as login and credentials manager
    > because it's very secure.

    (You might clarify your terminology and motivations here. Do you have
    other services that would benefit from having Kerberos around [IMAP
    comes to mind]? I've generally heard it recommended that people use
    the krb5 KDC with OpenAFS, but you can in principle use the AFS
    kaserver just as well.)

    > I am not sure if it is possible for these three components (AFS, LDAP
    > and Kerberos 5) to interact together using LDAP as central
    > infobase. M$ has managed to get that to work with its AD and login
    > system and DFS, which is all Kerberos 5 based.

    At MIT, there's some local very ugly glue that tries to keep
    everything synchronized. At the very least, you need to make sure
    that a given user has a Kerberos identity, an AFS pts identity, and an
    AFS home directory, in addition to an LDAP entry. When new users are
    created, all of these things need to be set up, and when users are
    deactivated, they need to go away. You also might consider that it's
    possible to give a machine a Kerberos entry (and a /etc/krb5.keytab)
    but not give it a pts identity, or a pts identity but not an AFS
    directory.

    > There are several issues which need to be thought about:
    > - Is there a need for Kerberos 5? Is LDAP over SSL not equally secure?

    "Is there a need for breakfast cereal? Does not copy paper provide
    fiber?" Really, these are two completely separate things.

    > - Is there a possibility to trim OpenAFS to LDAP so that it does not use
    > its own user databases?

    I don't believe so.

    > - If Kerberos 5 is needed, is there a way to trim it to LDAP?

    I don't believe so. (But you have the same issues with kaserver as
    you would with the krb5 KDC.)

    > The system should be the most secure and the most simple one :)).

    You should consider what you really mean by "secure". On Athena
    (MIT's computing system), for example, the root password for cluster
    machines is fairly public, but being root on a given machine gives you
    very little power to break into other people's accounts. Unencrypted
    telnet and FTP have both been disabled on officially maintained
    machines to try to limit the amount of password sniffing on the
    network, but denial-of-service attacks (in the form of file-sharing
    programs) are a major issue. Sadly, security and simplicity generally
    don't go together. (Consider that your pointy-haired boss probably
    wants everything to be available on the Web, but Kerberos and HTTP
    don't play together well, and the browser they want to use is probably
    closed-source anyways.)

    --
    David Maze dmaze@debian.org http://people.debian.org/~dmaze/
    "Theoretical politics is interesting. Politicking should be illegal."
    -- Abra Mitchell


    --
    To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
    with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
    David Z Maze

  3. #2

    Re: User Management: LDAP, AFS, Kerberos

    Excellent comments by David. Just to add a few things...

    On Fri, 01 Aug 2003 11:26:21 -0400
    David Z Maze <dmaze@debian.org> wrote:
    > Raffaele Sandrini <rasa@gmx.ch> writes:
    >
    > > I am not sure if it is possible for these three components (AFS, LDAP
    > > and Kerberos 5) to interact together using LDAP as central
    > > infobase. M$ has managed to get that to work with its AD and login
    > > system and DFS, which is all Kerberos 5 based.

    Much of that unification is done behind the scenes. Passwords are still
    kept in a Kerberos database, not in LDAP/AD, which means that there is
    at least a simple hash between usernames and passwords in Kerberos, if
    nothing else. I've never looked into DFS, so I can't comment on the
    architecture, but from what I understand AFS is considerably more
    sophisticated than DFS anyway, so they are probably not directly
    comparable.

    > At MIT, there's some local very ugly glue that tries to keep
    > everything synchronized.

    And there is similar glue pretty much everywhere else. All the pieces
    are modular enough to be strung together easily. If it's not worth an
    hour or two to create some simple scripts, then your site shouldn't be
    using these systems.

    > > There are several issues which need to be thought about:
    > > - Is there a need for Kerberos 5? Is LDAP over SSL not equally secure?
    >
    > "Is there a need for breakfast cereal? Does not copy paper provide
    > fiber?" Really, these are two completely separate things.

    LOL. To be less witty, LDAP is designed to distribute information,
    Kerberos is designed to keep it private. Add to that the fact that
    Kerberos is an accepted standard for authentication of other network
    services, and you can see why it's around. Again, build some scripts -
    it's no big deal.

    > > - Is there a possibility to trim OpenAFS to LDAP so that it does not use
    > > its own user databases?
    >
    > I don't believe so.

    Correct. This is not possible. You must have a pts server and some
    form of Kerberos.

    > > - If Kerberos 5 is needed, is there a way to trim it to LDAP?
    >
    > I don't believe so. (But you have the same issues with kaserver as
    > you would with the krb5 KDC.)

    You mean something like LDAPv3 with a K5 authentication backend? Or you
    mean something like eliminating pts and getting file permissions through
    LDAP? I think it's the latter, in which case the answer is still no.
    But there's nothing keeping you from adding pts info to your schema and
    managing pts by grabbing info from LDAP.

    > > The system should be the most secure and the most simple one :)).

    It's nice to say that, but you're asking about some extremely
    powerful systems, designed to serve thousands of users in a huge
    variety of network environments. Consider whether you really need AFS.
    If you just want everything in LDAP, you should be able to set up Samba
    servers that auth against an LDAP backend. You could cut Kerberos and
    AFS out altogether then, at the cost of slightly less password security
    on the wire.

    --Todd


    Todd Pytel
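    Both David's description of the "ugly glue" (a user needs a Kerberos
    identity, a pts identity, an AFS home volume and an LDAP entry, and all
    four must appear and disappear together, while a machine may legitimately
    have a keytab but no pts entry) and Todd's advice to drive pts from LDAP
    with a few scripts amount to the same thing: a reconciliation pass with
    LDAP as the source of truth. The following is an added example of that
    pass, written for this page and not code from any of the posters or from
    MIT. It assumes a single realm EXAMPLE.ORG, home volumes named user.<uid>,
    an AFS file server afs1.example.org with partition /vicepa, and a site
    principal "admin" that is managed by hand; the four input lists are
    constructed in-line to stand in for the output of ldapsearch,
    `kadmin.local -q listprincs`, `pts listentries -users` and `vos listvldb`,
    so it runs offline.

```python
"""Reconciliation glue for an LDAP + Kerberos 5 + OpenAFS site.

Added example, not code from the thread. LDAP is treated as the source of
truth; the script computes what must be created or removed in the KDC, the
AFS protection database (pts) and the AFS volume set so that every LDAP
user has a principal, a pts entry and a home volume, and nothing is left
behind when a user is deactivated. Assumptions: realm EXAMPLE.ORG, home
volumes named user.<uid>, file server afs1.example.org / partition /vicepa.
"""
from dataclasses import dataclass

REALM = "EXAMPLE.ORG"
HOME_PREFIX = "user."
# Entries that legitimately exist without an LDAP user and are managed
# outside this script: the built-in pts user 'anonymous' and an assumed
# site principal 'admin'.
EXEMPT = {"anonymous", "admin"}


@dataclass(frozen=True, order=True)
class Action:
    op: str     # "create" or "remove"
    store: str  # "krb5", "pts" or "afs"
    name: str   # principal, pts user name or volume name


def is_user_principal(principal: str) -> bool:
    """True for plain user principals in our realm. Service and machine
    principals (host/<fqdn>, afs/<cell>, krbtgt/<realm>, kadmin/admin)
    contain a '/' and, as the thread notes, may have a keytab but no pts
    identity or home directory; they are never touched here."""
    name, _, realm = principal.partition("@")
    return realm == REALM and "/" not in name


def reconcile(ldap_uids, krb_principals, pts_users, afs_volumes):
    """Return the sorted list of Actions that brings krb5, pts and AFS into
    agreement with the LDAP user list."""
    ldap = set(ldap_uids) - EXEMPT
    krb = {p.partition("@")[0] for p in krb_principals if is_user_principal(p)} - EXEMPT
    pts = {u for u in pts_users if ":" not in u} - EXEMPT   # 'a:b' names are pts groups
    homes = {v[len(HOME_PREFIX):] for v in afs_volumes if v.startswith(HOME_PREFIX)} - EXEMPT

    plan = []
    for uid in ldap:  # every LDAP user needs all three
        if uid not in krb:
            plan.append(Action("create", "krb5", f"{uid}@{REALM}"))
        if uid not in pts:
            plan.append(Action("create", "pts", uid))
        if uid not in homes:
            plan.append(Action("create", "afs", f"{HOME_PREFIX}{uid}"))
    for uid in krb - ldap:    # orphan principal: removed from LDAP, can still get tickets
        plan.append(Action("remove", "krb5", f"{uid}@{REALM}"))
    for uid in pts - ldap:    # orphan pts id: still matches ACLs on other users' directories
        plan.append(Action("remove", "pts", uid))
    for uid in homes - ldap:  # orphan home volume
        plan.append(Action("remove", "afs", f"{HOME_PREFIX}{uid}"))
    return sorted(plan)


# Command templates for the MIT kadmin and OpenAFS tools. Mounting the new
# volume (fs mkmount) and setting its ACL (fs setacl) are left to the operator.
COMMANDS = {
    ("create", "krb5"): 'kadmin.local -q "addprinc +needchange {name}"',  # prompts for an initial password
    ("remove", "krb5"): 'kadmin.local -q "delprinc -force {name}"',
    ("create", "pts"): "pts createuser -name {name}",
    ("remove", "pts"): "pts delete -nameorid {name}",
    ("create", "afs"): "vos create -server afs1.example.org -partition /vicepa -name {name}",
    ("remove", "afs"): "vos remove -id {name}",
}


def render(plan):
    """Turn the plan into the shell commands an admin would review and run."""
    return [COMMANDS[(a.op, a.store)].format(name=a.name) for a in plan]


# Constructed sample state: bob was added to LDAP but never provisioned;
# carol was removed from LDAP but her principal and pts entry remain.
SAMPLE_LDAP = ["alice", "bob"]
SAMPLE_KRB = ["alice@EXAMPLE.ORG", "carol@EXAMPLE.ORG", "admin@EXAMPLE.ORG",
              "host/ws1.example.org@EXAMPLE.ORG", "krbtgt/EXAMPLE.ORG@EXAMPLE.ORG",
              "afs/example.org@EXAMPLE.ORG"]
SAMPLE_PTS = ["anonymous", "alice", "bob", "carol", "system:administrators"]
SAMPLE_VOLS = ["root.afs", "root.cell", "user.alice"]


def sample_plan():
    return reconcile(SAMPLE_LDAP, SAMPLE_KRB, SAMPLE_PTS, SAMPLE_VOLS)


if __name__ == "__main__":
    for line in render(sample_plan()):
        print(line)
```

    Run as-is it prints four commands: create bob's principal and home
    volume, and delete carol's principal and pts entry. The machine
    principal host/ws1.example.org and the afs/ and krbtgt/ service
    principals are skipped on purpose, which is exactly the state David
    describes as allowed (a keytab without a pts identity). Printing rather
    than executing is the point of the glue: review the plan before it
    touches the KDC.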

  4. #3

    Re: User Management: LDAP, AFS, Kerberos

    Turbo Fredriksson has a good write-up at
    http://www.bayour.com/LDAPv3-HOWTO.html regarding Kerberos and
    OpenLDAP. I'm working on a similar project attempting to integrate
    OpenLDAP, Kerberos and OpenAFS. IBM Germany has an interesting
    project/product as well. Here's a PDF link to a product presentation:
    http://www.linux-verband.de/veranstaltungen/v_event/syn2003/live-oehme-20030416.pdf

    Email me off-line if you want a copy of my docs (so far). They include
    Debian base system installation, OpenLDAP installation/configuration
    (Primary and Secondary servers) and Kerberos V
    installation/configuration (Primary and Secondary). Some other stuff as
    well...

    Ken McCord


  5. #4

    Re: User Management: LDAP, AFS, Kerberos

    Ken McCord <ken@themccords.com> wrote:
    > Turbo Fredriksson has a good write-up at
    > http://www.bayour.com/LDAPv3-HOWTO.html regarding Kerberos and
    > OpenLDAP. I'm working on a similar project attempting to integrate
    > OpenLDAP, Kerberos and OpenAFS. IBM Germany has an interesting
    > project/product as well. Here's a PDF link to a product presentation:
    > http://www.linux-verband.de/veranstaltungen/v_event/syn2003/live-oehme-20030416.pdf
    >
    > Email me off-line if you want a copy of my docs (so far). They include
    > Debian base system installation, OpenLDAP installation/configuration
    > (Primary and Secondary servers) and Kerberos V
    > installation/configuration (Primary and Secondary). Some other stuff as
    > well...

    Maybe http://www.boxedpenguin.com/ is another interesting
    project in this context (although it has been abandoned
    imho).

    I would be interested in your docs, as well.

    by
    Töns
    --
    There is no safe distance.


    Toens Bueker
