Linux – How to determine the Kerberos realm from an LDAP directory

Tags: active-directory, kerberos, ldap, linux

I have two Kerberos realms I can authenticate against. One of them I can control, and the other one is external from my point of view. I also have an internal user database in LDAP. Let's say the realms are INTERNAL.COM and EXTERNAL.COM. In LDAP I have user entries like this:

dn: uid=testuser,ou=People,dc=tml,dc=hut,dc=fi
shadowFlag: 0
shadowMin: -1
loginShell: /bin/bash
shadowInactive: -1
displayName: User Test
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uidNumber: 1059
shadowWarning: 14
uid: testuser
shadowMax: 99999
gidNumber: 1024
gecos: User Test
sn: Test
homeDirectory: /home/testuser
mail: testuser@internal.com
givenName: User
shadowLastChange: 15504
shadowExpire: 15522
cn: User.Test
userPassword: {SASL}testuser@INTERNAL.COM

What I would like to do, somehow, is to specify on a per-user basis which authentication server / realm the user is authenticated against. Configuring Kerberos to handle multiple realms is easy.

But how do I configure other instances, like PAM, to handle the fact that some users are from INTERNAL.COM and some from EXTERNAL.COM? There needs to be an LDAP lookup of some kind from which the realm and the authentication name are fetched, and then the actual authentication itself.

Is there a standardized way to add this information to LDAP, or look it up? Are there some other workarounds for a multi-realm user base? I might be OK with a single-realm solution, too, as long as I can specify the user name / realm combination for each user separately.

Best Answer

I think the best approach would be to use sssd. This gives you the most flexibility as sssd supports what it calls domains. Note that newer distros already use sssd. It's a dream come true and there's no excuse to use libpam_krb5.so and libpam_ldap.so or any of those.

The simplest approach would be to use an LDAP filter for selecting which realm you need to go to for TGTs, like this:

First create two security groups that contain the members for the external and internal realms, in order to be able to get to the proper KDC.

Set up sssd and check its documentation; this snippet is a sketch of how you need to set up the two domains.

[sssd]
services = nss, pam
# order matters: an unqualified login name is tried in these domains in turn
domains = internal.com, external.com

# both domains read identities from the same internal LDAP; only the
# Kerberos realm and the access group differ
[domain/internal.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = INTERNAL.COM
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusersinternal,ou=Groups,dc=internal,dc=com

[domain/external.com]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXTERNAL.COM
access_provider = ldap
ldap_access_filter = memberOf=cn=allowedusersexternal,ou=Groups,dc=internal,dc=com

Then configure your Kerberos for the two realms according to need (but you've got that already).
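As an added example (not part of the original answer, and not something sssd runs itself), the following Python script models the realm selection that the two `ldap_access_filter` lines above encode, so the directory can be audited before the configuration is rolled out. The group DNs mirror the sssd sketch; the LDIF entries, the extra users and the `{SASL}name@REALM` pass-through values (the form seen in the question's `userPassword`) are constructed for the demo.

```python
"""Audit which Kerberos realm each LDAP user would be sent to under the
group-based sssd scheme. Added example, not code from the post or from sssd.
Assumes one realm group per user; the sample LDIF below is constructed."""
import re

# Group DN -> Kerberos realm, mirroring the two ldap_access_filter lines.
REALM_GROUPS = {
    "cn=allowedusersinternal,ou=Groups,dc=internal,dc=com": "INTERNAL.COM",
    "cn=allowedusersexternal,ou=Groups,dc=internal,dc=com": "EXTERNAL.COM",
}

# OpenLDAP pass-through form seen in the question: {SASL}user@REALM
SASL_RE = re.compile(r"^\{SASL\}(?P<name>[^@\s]+)@(?P<realm>[A-Za-z0-9.-]+)$")

# Constructed sample data (no real users): bob is in both groups, carol is in
# neither, and dave's group and {SASL} realm disagree.
SAMPLE_LDIF = """\
dn: uid=testuser,ou=People,dc=internal,dc=com
uid: testuser
memberOf: cn=allowedusersinternal,ou=Groups,dc=internal,dc=com
userPassword: {SASL}testuser@INTERNAL.COM

dn: uid=alice,ou=People,dc=internal,dc=com
uid: alice
memberOf: cn=allowedusersexternal,ou=Groups,dc=internal,dc=com
userPassword: {SASL}alice.ext@EXTERNAL.COM

dn: uid=bob,ou=People,dc=internal,dc=com
uid: bob
memberOf: cn=allowedusersinternal,ou=Groups,dc=internal,dc=com
memberOf: cn=allowedusersexternal,ou=Groups,dc=internal,dc=com

dn: uid=carol,ou=People,dc=internal,dc=com
uid: carol
userPassword: {SSHA}localhashonly

dn: uid=dave,ou=People,dc=internal,dc=com
uid: dave
memberOf: cn=allowedusersinternal,ou=Groups,dc=internal,dc=com
userPassword: {SASL}dave@EXTERNAL.COM
"""


def parse_ldif(text):
    """Minimal LDIF reader: attribute -> [values] per blank-line separated
    entry. Base64 ('::') values and folded lines are not handled."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries


def realms_from_groups(entry):
    """Realms whose access group the entry belongs to (sorted, deduplicated)."""
    return sorted({REALM_GROUPS[g] for g in entry.get("memberOf", []) if g in REALM_GROUPS})


def principal_from_sasl(entry):
    """(name, REALM) from a {SASL}name@realm userPassword value, else None."""
    for value in entry.get("userPassword", []):
        m = SASL_RE.match(value)
        if m:
            return m.group("name"), m.group("realm").upper()
    return None


def select_principal(entry):
    """Kerberos principal the entry should authenticate as. Raises ValueError
    when the group data would make the choice ambiguous (two realm groups) or
    impossible (none), or when the {SASL} value names a different realm."""
    uid = entry["uid"][0]
    realms = realms_from_groups(entry)
    if len(realms) != 1:
        raise ValueError(f"{uid}: expected exactly one realm group, found {realms}")
    realm = realms[0]
    sasl = principal_from_sasl(entry)
    if sasl is not None and sasl[1] != realm:
        raise ValueError(f"{uid}: group says {realm} but userPassword says {sasl[1]}")
    # Assumption: the {SASL} value carries the login name when it differs from uid.
    name = sasl[0] if sasl is not None else uid
    return f"{name}@{realm}"


def audit(text):
    """uid -> principal or error message, for every entry in the LDIF text."""
    report = {}
    for entry in parse_ldif(text):
        try:
            report[entry["uid"][0]] = select_principal(entry)
        except ValueError as err:
            report[entry["uid"][0]] = f"ERROR: {err}"
    return report


if __name__ == "__main__":
    for uid, result in audit(SAMPLE_LDIF).items():
        print(f"{uid:10} {result}")
```

Two things the audit surfaces that the sketch alone does not: a user in both groups (bob) is not rejected by either filter, so for an unqualified login whichever domain is listed first in `domains =` answers for them; and since both domains use the same `id_provider = ldap`, the first domain will also claim users meant for the second unless the group filter is applied to `ldap_user_search_base` as well (sssd accepts a `base?scope?filter` value there) or users log in with a fully qualified `user@domain` name. Note also that the question's directory lives under `dc=tml,dc=hut,dc=fi`, so the group DNs in the filters must be adjusted to the actual suffix.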