# Heimdal and OpenLDAP integration: some questions.



## rigoletto@ (Nov 6, 2016)

Hello!

First, this is my first attempt at dealing with Kerberos and LDAP.

I configured Heimdal in a Master/Slave fashion, which seems to be working nicely, then integrated it with OpenLDAP (GSSAPI, SASL), and (I think) it is working too. Each one is installed in a different jail.

The objective is to add users to authenticate on the network (FreeRadius), Nextcloud, and maybe something more in the future. Also, I want each user to have their own separate LDAP address book.

So, I have some noob questions:

1 - I am using Heimdal with the Berkeley DB backend. I understand each user I add in LDAP would need to be manually added to the Heimdal database too. Is there a way to automate it? Is using Heimdal with the OpenLDAP backend a (proper) solution?

2 - After an entire day struggling to begin to understand the LDAP syntax, I was able to create a very basic ldif file to start with:


```
# suffix entry
dn: dc=example,dc=ch
objectClass: dcObject
objectClass: organization
o: example.ch
dc: example

dn: ou=AddressBook,dc=example,dc=ch
objectClass: organizationalUnit
ou: AddressBook

dn: ou=Users,dc=example,dc=ch
objectClass: organizationalUnit
ou: Users

dn: cn=Manager,dc=example,dc=ch
objectClass: organizationalRole
cn: Manager

# posixAccount requires cn, uid, uidNumber, gidNumber and homeDirectory;
# inetOrgPerson (via person) requires cn and sn
dn: uid=user1,ou=Users,dc=example,dc=ch
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: user1
cn: user1
sn: user1
givenName: user1
displayName: user1
uidNumber: 10001
gidNumber: 10000
homeDirectory: /Users/user1
loginShell: /bin/bash
# {SASL} pass-through: no password hash is stored in LDAP; a simple bind is
# checked through the SASL password verifier against the Kerberos principal
userPassword: {SASL}user1@EXAMPLE.CH
```

Beyond the fact that I do not know whether there are better options for the LDAP configuration, I got the *user1* configuration from this example, but I do not think I need all those options.

I tried to modify it, removing some of them, but it gives me errors because *objectclass: posixAccount* seems to need all of them.

Is there another *objectclass* that will work properly for users in a Heimdal/LDAP integration? I feel that configuration is the proper one for OS authentication.

3 - Any idea (or anything) of how to create a *per user* LDAP address book? I found some information about creating LDAP address books, but I was not able to adapt any of it to a per-user basis.

Thank you!
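One way to automate question 1 is a small wrapper that generates both sides of a new user from pw(8)-style arguments: the LDIF for OpenLDAP (reusing the `{SASL}` pass-through from the ldif above, so the password is never stored in LDAP) and the Heimdal principal. This is an added example, not code from the thread; it assumes a base of dc=example,dc=ch with ou=Users and ou=Groups, the realm EXAMPLE.CH, one user-private group per user, an LDAP URI of ldap://ldap.example.ch and Heimdal's `kadmin -l` on the KDC host, none of which the post states.

```sh
#!/bin/sh
# Added example, not code from this thread. A pw(8)-style wrapper that creates
# a user in both places question 1 worries about: the POSIX account in OpenLDAP
# and the matching principal in Heimdal, so neither has to be typed twice.
# Assumptions not stated in the thread: base dc=example,dc=ch with ou=Users and
# ou=Groups, realm EXAMPLE.CH, one user-private group per user, an LDAP URI of
# ldap://ldap.example.ch, and Heimdal's kadmin run on the KDC host (kadmin -l).
set -eu

BASE_DN="${BASE_DN:-dc=example,dc=ch}"
REALM="${REALM:-EXAMPLE.CH}"
LDAP_URI="${LDAP_URI:-ldap://ldap.example.ch}"
DRY_RUN="${DRY_RUN:-0}"   # 1: print what would be sent instead of sending it

# Only accept names that are safe inside a DN, an LDIF line and a principal.
valid_name() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# base64 of stdin on a single line (coreutils base64, openssl as fallback).
b64() {
    if command -v base64 >/dev/null 2>&1; then base64 | tr -d '\n'
    else openssl base64 -A; fi
}

# Emit one LDIF attribute line. Values RFC 2849 forbids in plain form (leading
# space, ':' or '<', or any non-printable byte such as a newline smuggled into
# the GECOS field) are written base64-encoded with the '::' form, so caller
# input can never inject a second attribute or a second entry.
ldif_attr() {
    case $2 in
    *[![:print:]]*|' '*|:*|'<'*) printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | b64)" ;;
    *)                          printf '%s: %s\n' "$1" "$2" ;;
    esac
}

# LDIF for a user-private group plus the account. userPassword uses the {SASL}
# pass-through from the original post: slapd hands simple binds to the SASL
# password verifier (saslauthd against the KDC), so the only copy of the
# password lives in Heimdal and there is nothing in LDAP to crack offline.
user_ldif() {   # user_ldif NAME UID GID GECOS HOME SHELL
    name=$1 uid=$2 gid=$3 gecos=$4 home=$5 shell=$6
    printf 'dn: cn=%s,ou=Groups,%s\n' "$name" "$BASE_DN"
    printf 'objectClass: top\nobjectClass: posixGroup\n'
    ldif_attr cn "$name"
    ldif_attr gidNumber "$gid"
    ldif_attr memberUid "$name"
    printf '\n'
    printf 'dn: uid=%s,ou=Users,%s\n' "$name" "$BASE_DN"
    printf 'objectClass: top\nobjectClass: inetOrgPerson\nobjectClass: posixAccount\n'
    ldif_attr uid "$name"
    ldif_attr cn "$gecos"
    ldif_attr sn "$name"
    ldif_attr gecos "$gecos"
    ldif_attr uidNumber "$uid"
    ldif_attr gidNumber "$gid"
    ldif_attr homeDirectory "$home"
    ldif_attr loginShell "$shell"
    ldif_attr userPassword "{SASL}$name@$REALM"
}

# Heimdal side: create the principal with a random key and the realm's default
# flags. The initial password is set afterwards with 'kadmin -l passwd NAME',
# which prompts; never pass a password on the command line (visible in ps).
kadmin_cmd() {
    printf 'kadmin -l add --use-defaults --random-key %s@%s\n' "$1" "$REALM"
}

add_user() {   # add_user NAME UID GID GECOS HOME SHELL
    valid_name "$1" || { echo "invalid user name: $1" >&2; return 1; }
    case "$2$3" in *[!0-9]*) echo "uid/gid must be numeric" >&2; return 1 ;; esac
    if [ "$DRY_RUN" = 1 ]; then
        user_ldif "$@"
        kadmin_cmd "$1"
        return 0
    fi
    # -Q -Y GSSAPI: the admin authenticates with the Kerberos ticket already
    # in the cache, no bind password. Because {SASL} simple binds carry the
    # cleartext password, LDAP_URI must be ldaps:// or protected by StartTLS.
    user_ldif "$@" | ldapadd -Q -Y GSSAPI -H "$LDAP_URI"
    kadmin -l add --use-defaults --random-key "$1@$REALM"
}

# Example run (prints the LDIF and the kadmin command it would execute):
# DRY_RUN=1 add_user user1 10001 10000 "User One" /home/user1 /bin/sh
```

Run it once with `DRY_RUN=1` and feed the printed LDIF to `ldapadd -n` to have slapd schema-check it before anything is written; the name and numeric checks are what keep a value like `user1,ou=Admins` or a GECOS containing a newline from turning into extra DN components or a second entry.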


----------



## Oko (Nov 7, 2016)

lebarondemerde said:


> Hello!
> 
> First, this is my first attempt of dealing with Kerberos and LDAP.



Unless it is a paid job, that is a pretty tall order. In my lab we use LDAP for both authentication and authorization since it is behind the firewall. I use the small LDAP server which is part of the OpenBSD base. It works well with OpenLDAP clients. OpenLDAP is a can of worms. Unless you need a full-featured LDAP I suggest using the OpenBSD one. Kerberos is full of security problems which nobody wants to tackle. That is why it was removed from the OpenBSD base. However, here at the Carnegie Mellon School of Computer Science we use it for our large network. It is really needed if you are doing authentication over a hostile network. We also use AFS (Andrew File System) instead of NFS, but that is another story.


----------



## rigoletto@ (Nov 7, 2016)

Hi Oko.

It is a personal thing, more for the pleasure of learning. But indeed, at some unknown point in the future I want to interconnect two houses plus my parents' house by site-to-site VPN, and have a way to authenticate/administer everything, including connecting laptops/smartphones by VPN - _still a personal thing anyway_. Plus, there is the Nextcloud, which is exposed to the internet.

The problem with using OpenBSD for that is that I only have one server for now, which is running FreeBSD. I was thinking about trying OpenBSD these days, but it will need to wait a bit.

Regarding security problems in Kerberos, which would be less problematic, Heimdal or MIT? Yesterday I found some vague mentions of security problems in Heimdal, but they were from 2002 posts somewhere.

I was only aware of AFS because I saw it while compiling the Linux kernel in the past; looking it up now, I found you are using an in-house solution.

In the end, LDAP seems a lot more complicated than I was thinking, so I am leaving the "Address Book" idea for now and keeping the working CardDAV one I already have integrated in Nextcloud.

Thank you!


----------



## Oko (Nov 7, 2016)

lebarondemerde said:


> Hi Oko.
> 
> It is a personal thing, more for the pleasure of learning. But indeed, at some unknown point in the future I want to interconnect two houses plus my parents' house by site-to-site VPN, and have a way to authenticate/administer everything, including connecting laptops/smartphones by VPN - _still a personal thing anyway_. Plus, there is the Nextcloud, which is exposed to the internet.


LDAP + Kerberos for a home user is way overkill. You are looking at a serious learning curve.



lebarondemerde said:


> The problem with using OpenBSD for that is that I only have one server for now, which is running FreeBSD. I was thinking about trying OpenBSD these days, but it will need to wait a bit.



Oh, don't feel obliged to try OpenBSD. I mentioned it because it has its own LDAP server implementation, which is very tiny and rudimentary in terms of features but OK for smaller organizations. OpenLDAP is the "industry standard", but it is a can of worms. It could use some real code cleaning.



lebarondemerde said:


> Regarding security problems in Kerberos, which would be less problematic, Heimdal or MIT? Yesterday I found some vague mentions of security problems in Heimdal, but they were from 2002 posts somewhere.


Both. Heimdal is essentially the same thing as MIT Kerberos, except that it is coded and hosted in Sweden to bypass U.S. software (cryptography) export laws. That is also the principal reason for OpenBSD being located in Canada, in spite of the fact that the largest number of developers is from the U.S.




lebarondemerde said:


> I was only aware of AFS because I saw it while compiling the Linux kernel in the past; looking it up now, I found you are using an in-house solution.
> 
> In the end, LDAP seems a lot more complicated than I was thinking, so I am leaving the "Address Book" idea for now and keeping the working CardDAV one I already have integrated in Nextcloud.
> 
> Thank you!



AFS was a good idea but floundered when a few people from CMU wanted to make money out of it and licensed it to IBM. The thing was instantly dead, and OpenAFS was never able to pick up the following. AFS started here at CMU, so we are using it, but there are so few places using it that it is a statistical error. I have it mounted on my desktop at work. The desktop is a Kerberized Red Hat machine running the latest OpenAFS module.


----------



## rudelgurke (Nov 7, 2016)

Hope I'm of some help with the first question. The setup is:

- 2 LDAP servers (FreeBSD + Linux)
- 2 KDC's
- FreeRadius

For Kerberos I'm using MIT with LDAP as the backend. LDAP serves NSS and passwords; Radius is used for WiFi and authentication of some devices (ScreenOS, SRX, Cisco).

The decision I made back then was to separate everything from each other, so one subtree is for Radius, another one for NSS, another one for Kerberos.
The background is that the entire setup runs cross-platform (Linux + OpenSolaris + FreeBSD) and, especially, Debian has the bad habit of doing a simple "useradd _debian-tor" upon installing Tor, so UIDs / GIDs get mixed up depending on what you're installing which way, not to forget NFS.
Finally, a local AFS cell is running.

The LDAP tree is organized like:


```
ou=users,dc=nsa,dc=gov - for users
ou=groups,dc=nsa,dc=gov - for groups
ou=kerberos,dc=nsa,dc=gov - for Kerberos data
ou=radius,dc=nsa,dc=gov - for Radius data
```

Maybe the schema files help. First a simple user: UID is 1000, GID 500, username is "example".


```
dn: uid=example,ou=users,dc=nsa,dc=gov
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: example
cn: example
# sn is mandatory for inetOrgPerson (inherited from person); without it
# ldapadd rejects the entry with an objectClass violation
sn: example
gecos: A sample user
mail: example@nsa.gov
uidNumber: 1000
gidNumber: 500
homeDirectory: /home/example
loginShell: /bin/tcsh
# '::' means the value is base64-encoded; the real entry holds a password
# hash, of course encrypted, never a cleartext like the placeholder below
# userPassword:: i_very_much_like_prism
```

I've created a simple LDIF template which takes the values that pw / useradd etc. take as arguments; that is used for management, e.g. adding a new user. So instead of "pw user add" it's calling a script that takes all the arguments and runs an ldapadd or ldapmodify in the background.

For Kerberos, no matter which backend, I'm running "kadmin" when I wish to create a new user that should also be able to get Kerberos tickets.

Finally for FreeRadius (note that the radius.schema needs to be active):


```
dn: cn=example,ou=radius,dc=nsa,dc=gov
# radiusprofile is AUXILIARY, so a structural class (person) is needed too
objectClass: person
objectClass: radiusprofile
# the RDN value (cn=example) must appear among the entry's cn values,
# otherwise slapd refuses the add; cn is multi-valued, so both can stay
cn: example
cn: tommy
sn: tommy
description: Radius User
radiusGroupName: users
# userPassword:: i_like_prism (of course encrypted; '::' = base64 value)
radiusReplyItem: Cisco-AVPair += "shell:priv-lvl=15"
radiusReplyItem: Juniper-Local-User-Name += "kind_of_the_universe"
```

The last two lines are parsed into the Radius reply to let the requesting device know which kind of access should be granted.
That could maybe also be done via huntgroups, for example; maybe one day I'll switch to that way.

For private / public address books, I guess the problem here is LDAP permissions in your LDAP server configuration, to allow the "creator" to modify / add new entries.
I've used a schema from http://www.openldap.org/faq/data/cache/1005.html, modified to match my local LDAP tree.
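The permissions rudelgurke mentions are the whole of question 3: slapd ACLs decide who may create entries under which subtree. The slapd.conf fragment below is an added example, not configuration from the thread or from the OpenLDAP FAQ entry linked above. It assumes the base dc=example,dc=ch from the first post, GSSAPI binds in the realm EXAMPLE.CH, that each user's address book lives at ou=AddressBook,uid=<user>,ou=Users,dc=example,dc=ch (one subtree beneath each user entry), and that the admin, binding as rootdn (which bypasses ACLs), creates that empty ou=AddressBook entry when the account is added.

```conf
# Added example, not configuration from the thread. slapd.conf fragment giving
# every user a private address book at ou=AddressBook,uid=<user>,ou=Users,...
# Assumptions not in the thread: base dc=example,dc=ch, GSSAPI realm EXAMPLE.CH,
# and that rootdn creates the empty ou=AddressBook entry under each user.

# Map the identity slapd derives from a GSSAPI bind onto the user's real entry,
# so 'self' and the dn.exact clauses below refer to the same DN. Check the
# exact form with 'ldapwhoami -Q -Y GSSAPI' before relying on it. Pin the
# realm: a pattern matching any realm would let a principal from another realm
# claim a local uid.
authz-regexp
    "^uid=([^,]+),cn=example\.ch,cn=gssapi,cn=auth$"
    "uid=$1,ou=Users,dc=example,dc=ch"

# ACLs are evaluated in order and the first 'access to' whose target matches
# wins, so the narrow per-user rule must come before any broad 'access to *'.

# The owner gets full write to ou=AddressBook beneath their own entry and to
# everything under it ($1 is the optional child RDN prefix, $2 the uid).
# Nobody else, authenticated or not, can even see that the subtree exists.
access to dn.regex="^(.+,)?ou=AddressBook,uid=([^,]+),ou=Users,dc=example,dc=ch$"
    by dn.exact,expand="uid=$2,ou=Users,dc=example,dc=ch" write
    by * none

# userPassword holds the {SASL} marker, not a hash, so nobody needs to read it;
# 'auth' is still required for simple binds to be checked at all.
access to attrs=userPassword
    by anonymous auth
    by * none

# Do NOT grant 'by self write' on the whole account entry: a user could then
# set their own uidNumber to 0 or point homeDirectory anywhere. Only contact
# attributes are self-writable; the POSIX attributes stay rootdn-only.
access to dn.subtree="ou=Users,dc=example,dc=ch" attrs=displayName,telephoneNumber,mail
    by self write
    by users read
    by * none

access to dn.subtree="ou=Users,dc=example,dc=ch"
    by users read
    by * none

access to *
    by users read
    by * none
```

Test the rules offline before restarting slapd, e.g. with the FreeBSD port's config path: `slapacl -f /usr/local/etc/openldap/slapd.conf -D "uid=user1,ou=Users,dc=example,dc=ch" -b "ou=AddressBook,uid=user2,ou=Users,dc=example,dc=ch" entry/read` must report DENIED, and the same command against user1's own ou=AddressBook with `children/write` must report ALLOWED. With cn=config the same clauses go into `olcAccess` values, each prefixed with an `{n}` ordering index.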


----------



## Oko (Nov 7, 2016)

Since we are posting files, this is the form of the file I use to add new users:

```
# user private group; its gidNumber matches the account's gidNumber below
dn: cn=oko,ou=group,dc=autonlab,dc=org
cn: oko
objectClass: top
objectClass: posixGroup
gidNumber: 1112
memberUid: oko
description: User Private Group

dn: uid=oko,ou=users,dc=autonlab,dc=org
uid: oko
cn: Joe Smith
sn: Smith
givenName: Joe
displayName: Joe Smith
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
# shadowLastChange is counted in days since 1970-01-01, not epoch seconds
# (1478215753 s is 2016-11-03, i.e. day 17108)
shadowLastChange: 17108
# salted SHA-1 hash; slapd never returns it to clients given a proper ACL
userPassword: {SSHA}Kg0CP2EUxwaT7HikjSefmF0tHAxXEEaY
shadowMin: 1
shadowMax: 180
shadowWarning: 7
shadowInactive: 30
shadowExpire: -1
shadowFlag: 0
loginShell: /bin/bash
uidNumber: 1112
gidNumber: 1112
homeDirectory: /zfsauton/home/oko
mail: oko@andrew.cmu.edu
gecos: Joe Smith
title: Postdoc
postalAddress: NSH 3123
postalAddress: CMU
businessCategory: Researcher
telephoneNumber: (412) 888-8888
o: Auton Lab
```


----------



## rigoletto@ (Nov 9, 2016)

Hi, sorry, I had to buy a new router and bought a Mikrotik hAP ac lite, which is nice indeed, but I need to configure some things and the RouterOS interface is not something I would call intuitive. The command line is fine, but I do not know the syntax yet.

I will be back on the topic soon.

Thank you.


----------

