Skip to content

OpenLDAP overlay to handle synced password changes for LDAP, Samba and MIT kerberos

License

Notifications You must be signed in to change notification settings

wuschi/smbkrb5pwd

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Documentation is available at: https://github.com/opinsys/smbkrb5pwd/wiki


OVERVIEW

smbkrb5pwd is an OpenLDAP (slapd) overlay to change LDAP, Samba and MIT 
Kerberos passwords at the same time. It intercepts the LDAP 
PasswordModify Extended Operations and changes all the passwords. It is 
based on the smbk5pwd overlay that provides similar functionality for 
Heimdal kerberos.

The makefile creates two different versions of the overlay - smbkrb5pwd 
and smbkrb5pwd_srv. smbkrb5pwd is linked against libkadm5clnt_mit and it 
contacts kadmind to modify the kerberos principal. This was previously 
the only operation mode available. When using kadmind to modify the 
principals, smbkrb5pwd needs a kerberos principal to manage the user 
principals. MIT Kerberos can use LDAP backend to store its data, but it 
should not be necessary.

smbkrb5pwd_srv uses libkadm5srv_mit to modify the kerberos principal and 
it requires that the slapd is able to read all kerberos configuration 
files including the kerberos stash files and ldap secrets. All file 
operations are done within the slapd process so there may be security 
considerations.

When LDAP password is changed, the overlay checks whether a principal 
uid@REALM exists and creates it if it does not. If the principal exists, 
only the password is changed.


KNOWN LIMITATIONS

* Because of locking issues, kerberos data cannot be stored in same 
  objects as users
* Principals are always named uid@REALM and cannot be changed
* If uid in LDAP is changed, the old kerberos principal is not deleted 
  automatically
* If LDAP user is deleted, the kerberos principal is not deleted 
  automatically


INSTALLATION

To compile the overlay the easiest way is to get the full source code 
for OpenLDAP and place the smbkrb5pwd directory under 
contrib/slapd-modules directory. After compiling OpenLDAP normally the 
overlay can be compiled simply by running make in the smbkrb5pwd 
directory.


cd contrib/slapd-modules/smbkrb5pwd
make
sudo cp .libs/* /usr/lib/ldap/


SLAPD CONFIGURATION

To configure the overlay, the module needs to be loaded and configured 
for the database.

Depending on the version to be loaded, the module name needs to be 
changed. The older version that contacts kadmind:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
olcModuleload: {1}smbkrb5pwd

The new mode that does not use kadmind:

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
olcModuleload: {1}smbkrb5pwd_srv

Overlay configuration is the same for both:

dn: olcOverlay={0}smbkrb5pwd,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSmbKrb5PwdConfig
olcOverlay: {0}smbkrb5pwd
olcSmbKrb5PwdEnable: samba
olcSmbKrb5PwdEnable: krb5
olcSmbKrb5PwdMustChange: 2592012
olcSmbKrb5PwdKrb5Realm: EDU.EXAMPLE.ORG
olcSmbKrb5PwdRequiredClass: posixAccount
olcSmbKrb5PwdKeepSaslIdentity: TRUE


The overlay accepts the following configuration attributes:

* olcSmbKrb5PwdEnable - samba / krb5
  - Enable samba/kerberos functionality of the module, same as 
    olcSmbK5PwdEnable in smbk5pwd. If attribute is not set or both are set, 
    both passwords are changed.
* olcSmbKrb5PwdMustChange - e.g. 31536000 (year), 2592000 (30 seconds)
  - Time in seconds before the password expires (currently affects only Samba)
* olcSmbKrb5PwdKrb5Realm - e.g. EDU.EXAMPLE.ORG
  - Kerberos realm used to create user principals
* olcSmbKrb5PwdRequiredClass - e.g. posixAccount
  - If set, the entry needs to have this object class for the kerberos 
    principal and samba passwords to be modified
* olcSmbKrb5PwdKeepSaslIdentity - TRUE / FALSE
  - If set to true and if the changed password contains a SASL identity
    ({SASL}<id>@<KERBEROS_REALM>), then smbkrb5passwd tries to restore
    this identity after the password change.


KERBEROS PRINCIPAL

smbkrb5pwd connects to kadmind using a principal found in keytab file 
/etc/ldap/slapd.d/openldap-krb5.keytab. The keytab is searched for 
principal that has name smbkrb5pwd/FQDN@REALM. Note that “hostname -f” 
should return fqdn. One way to achieve this is to put fqdn as the first 
name in /etc/hosts for the server’s ip address (here 10.11.12.13):


10.11.12.13   server.edu.example.org server


Creating the principal and exporting it to a keytab file can be done 
with the following commands:


kadmin.local -q "addprinc -randkey smbkrb5pwd/server.edu.example.org@EDU.EXAMPLE.ORG"
kadmin.local -q "ktadd -e des-cbc-crc:normal -k /etc/ldap/slapd.d/openldap-krb5.keytab \
 smbkrb5pwd/server.edu.example.org@EDU.EXAMPLE.ORG"

chown openldap.openldap /etc/ldap/slapd.d/openldap-krb5.keytab


SMBKRB5PWD_SRV FILE PERMISSIONS

smbkrb5pwd_srv needs read access to all kerberos configuration files (no 
write access is needed). On Debian/Ubuntu these files are:

/etc/krb5.conf
/etc/krb5.secrets
/etc/krb5kdc/*


TESTING

The overlay activates itself when an password change exop request is 
made. This can be done for example with ldappasswd command:

ldappasswd -x -D uid=admin,ou=people,dc=edu,dc=example,dc=org -W \
 uid=user1,ou=people,dc=edu,dc=example,dc=org

smbkrb5pwd writes debug information to slapd’s logfile which is normally 
/var/log/syslog in Ubuntu.


LICENSE

smbkrb5pwd is based on smbk5pwd overlay that can be found under 
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd
in OpenLDAP's sources. smbkrb5pwd is licensed under The OpenLDAP Public 
License that is also used for smbk5pwd.


Copyright 2004-2010 The OpenLDAP Foundation.
Portions Copyright 2004-2005 Howard Chu, Symas Corp. All rights reserved.
Portions Copyright 2010-2013 Opinsys Oy.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.

About

OpenLDAP overlay to handle synced password changes for LDAP, Samba and MIT kerberos

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • C 92.2%
  • Makefile 7.8%