GitHub - sebastienc/smbkrb5pwd: OpenLDAP overlay to handle synced password changes for LDAP, Samba and MIT kerberos

sebastienc / smbkrb5pwd Public

forked from opinsys/smbkrb5pwd

Notifications You must be signed in to change notification settings
Fork 0
Star 0

OpenLDAP overlay to handle synced password changes for LDAP, Samba and MIT kerberos

View license

0 stars 12 forks Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
LICENSE		LICENSE
Makefile		Makefile
README		README
smbkrb5pwd.c		smbkrb5pwd.c

Repository files navigation

Documentation is available at: https://github.com/opinsys/smbkrb5pwd/wiki


OVERVIEW

smbkrb5pwd is an OpenLDAP (slapd) overlay to change LDAP, Samba and MIT 
Kerberos passwords at the same time. It intercepts the LDAP 
PasswordModify Extended Operations, changes LDAP attributes for LDAP and 
Samba authentication and connects to kadmind to change the kerberos 
password. It is similar to smbk5pwd overlay for Heimdal kerberos, but 
smbkrb5pwd does not change kerberos attributes itself, but connects to 
kadmind instead. Thus smbkrb5pwd needs a kerberos principal to connect 
to kadmind to manage the user principals. MIT Kerberos can use LDAP 
backend to store its data, but it should not be necessary.

When LDAP password is changed, the overlay checks whether a principal 
uid@REALM exists and creates it if it does not. If the principal exists, 
only the password is changed.


KNOWN LIMITATIONS

* Because of locking issues, kerberos data cannot be stored in same 
  objects as users
* Principals are always named uid@REALM and cannot be changed
* If uid in LDAP is changed, the old kerberos principal is not deleted 
  automatically
* If LDAP user is deleted, the kerberos principal is not deleted 
  automatically


INSTALLATION

To compile the overlay the easiest way is to get the full source code 
for OpenLDAP and place the smbkrb5pwd directory under 
contrib/slapd-modules directory. After compiling OpenLDAP normally the 
overlay can be compiled simply by running make in the smbkrb5pwd 
directory.


cd contrib/slapd-modules/smbkrb5pwd
make
sudo cp .libs/* /usr/lib/ldap/


SLAPD CONFIGURATION

To configure the overlay, the module needs to be loaded and configured 
for the database.


dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
olcModuleload: {1}smbkrb5pwd

dn: olcOverlay={0}smbkrb5pwd,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSmbKrb5PwdConfig
olcOverlay: {0}smbkrb5pwd
olcSmbKrb5PwdEnable: samba
olcSmbKrb5PwdEnable: krb5
olcSmbKrb5PwdMustChange: 2592012
olcSmbKrb5PwdKrb5Realm: EDU.EXAMPLE.ORG
olcSmbKrb5PwdRequiredClass: posixAccount


The overlay accepts the following configuration attributes:

* olcSmbKrb5PwdEnable - samba / krb5
  - Enable samba/kerberos functionality of the module, same as 
    olcSmbK5PwdEnable in smbk5pwd. If attribute is not set or both are set, 
    both passwords are changed.
* olcSmbKrb5PwdMustChange - e.g. 31536000 (year), 2592000 (30 seconds)
  - Time in seconds before the password expires (currently affects only Samba)
* olcSmbKrb5PwdKrb5Realm - e.g. EDU.EXAMPLE.ORG
  - Kerberos realm used to create user principals
* olcSmbKrb5PwdRequiredClass - e.g. posixAccount
  - If set, the entry needs to have this object class for the kerberos 
    principal and samba passwords to be modified


KERBEROS PRINCIPAL

smbkrb5pwd connects to kadmind using a principal found in keytab file 
/etc/ldap/slapd.d/openldap-krb5.keytab. The keytab is searched for 
principal that has name smbkrb5pwd/FQDN@REALM. Note that “hostname -f” 
should return fqdn. One way to achieve this is to put fqdn as the first 
name in /etc/hosts for the server’s ip address (here 10.11.12.13):


10.11.12.13   server.edu.example.org server


Creating the principal and exporting it to a keytab file can be done 
with the following commands:


kadmin.local -q "addprinc -randkey smbkrb5pwd/server.edu.example.org@EDU.EXAMPLE.ORG"
kadmin.local -q "ktadd -e des-cbc-crc:normal -k /etc/ldap/slapd.d/openldap-krb5.keytab \
 smbkrb5pwd/server.edu.example.org@EDU.EXAMPLE.ORG"

chown openldap.openldap /etc/ldap/slapd.d/openldap-krb5.keytab


TESTING

The overlay activates itself when an password change exop request is 
made. This can be done for example with ldappasswd command:

ldappasswd -x -D uid=admin,ou=people,dc=edu,dc=example,dc=org -W \
 uid=user1,ou=people,dc=edu,dc=example,dc=org

smbkrb5pwd writes debug information to slapd’s logfile which is normally 
/var/log/syslog in Ubuntu.


LICENSE

smbkrb5pwd is based on smbk5pwd overlay that can be found under 
http://www.openldap.org/devel/cvsweb.cgi/contrib/slapd-modules/smbk5pwd
in OpenLDAP's sources. smbkrb5pwd is licensed under The OpenLDAP Public 
License that is also used for smbk5pwd.


Copyright 2004-2010 The OpenLDAP Foundation.
Portions Copyright 2004-2005 Howard Chu, Symas Corp. All rights reserved.
Portions Copyright 2010 Opinsys Oy.

Redistribution and use in source and binary forms, with or without
modification, are permitted only as authorized by the OpenLDAP
Public License.

A copy of this license is available in the file LICENSE in the
top-level directory of the distribution or, alternatively, at
<http://www.OpenLDAP.org/license.html>.