79 lines
3.2 KiB
Markdown
79 lines
3.2 KiB
Markdown
# Tracking document for new PVV kerberos auth stack
|
|
|
|
|
|
|
|
<div align="center">
|
|
Bensinstasjon på heimdal
|
|
</div>
|
|
|
|
### TODO:
|
|
|
|
- [ ] setup heimdal
|
|
- [x] ensure running with systemd
|
|
- [x] compile smbk5pwd (part of openldap)
|
|
- [ ] set `modify -a -disallow-all-tix,requires-pre-auth default` declaratively
|
|
- [ ] fully initialize PVV.NTNU.NO
|
|
- [x] `kadmin -l init PVV.NTNU.NO`
|
|
- [x] add oysteikt/admin@PVV.NTNU.NO principal
|
|
- [x] add oysteikt@PVV.NTNU.NO principal
|
|
- [x] add krbtgt/PVV.NTNU.NO@PVV.NTNU.NO principal?
|
|
- why is this needed, and where is it documented?
|
|
- `kadmin check` seems to work under sudo?
|
|
- (it is included by default, just included as error message
|
|
in a weird state)
|
|
|
|
- [x] Ensure client is working correctly
|
|
- [x] Ensure kinit works on darbu
|
|
- [x] Ensure kpasswd works on darbu
|
|
- [x] Ensure kadmin get <user> (and other restricted commands) works on darbu
|
|
|
|
- [ ] Ensure kdc is working correctly
|
|
- [x] Ensure kinit works on dagali
|
|
- [x] Ensure kpasswd works on dagali
|
|
- [ ] Ensure kadmin get <user> (and other restricte commands) works on dagali
|
|
|
|
- [x] Fix FQDN
|
|
- https://github.com/NixOS/nixpkgs/issues/94011
|
|
- https://github.com/NixOS/nixpkgs/issues/261269
|
|
- Possibly fixed by disabling systemd-resolved
|
|
|
|
- [ ] setup cyrus sasl
|
|
- [x] ensure running with systemd
|
|
- [x] verify GSSAPI support plugin is installed
|
|
- `nix-shell -p cyrus_sasl --command pluginviewer`
|
|
- [x] create "host/localhost@PVV.NTNU.NO" and export to keytab
|
|
- [x] verify cyrus sasl is able to talk to heimdal
|
|
- `sudo testsaslauthd -u oysteikt -p <password>`
|
|
- [ ] provide ldap principal to cyrus sasl through keytab
|
|
|
|
- [ ] setup openldap
|
|
- [x] ensure running with systemd
|
|
- [ ] verify openldap is able to talk to cyrus sasl
|
|
- [ ] create user for oysteikt in openldap
|
|
- [ ] authenticate openldap login through sasl
|
|
- does this require creating an ldap user?
|
|
|
|
- [ ] fix smbk5pwd integration
|
|
- [x] add smbk5pwd schemas to openldap
|
|
- [x] create openldap db for smbk5pwd with overlays
|
|
- [ ] test to ensure that user sync is working
|
|
- [ ] test as user source (replace passwd)
|
|
- [ ] test as PAM auth source
|
|
- [ ] test as auth source for 3rd party appliation
|
|
|
|
- [ ] Set up ldap administration panel
|
|
- Doesn't seem like there are many good ones out there. Maybe phpLDAPAdmin?
|
|
|
|
- [ ] Set up kerberos SRV DNS entry
|
|
|
|
### Information and URLS
|
|
|
|
- OpenLDAP SASL: https://www.openldap.org/doc/admin24/sasl.html
|
|
- Use a keytab: https://kb.iu.edu/d/aumh
|
|
- 2 ways for openldap to auth: https://security.stackexchange.com/questions/65093/how-to-test-ldap-that-authenticates-with-kerberos
|
|
- Cyrus guide OpenLDAP + SASL + GSSAPI: https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
|
|
- Configuring GSSAPI and Cyrus SASL: https://web.mit.edu/darwin/src/modules/passwordserver_sasl/cyrus_sasl/doc/gssapi.html
|
|
- PVV Kerberos docs: https://wiki.pvv.ntnu.no/wiki/Drift/Kerberos
|
|
- OpenLDAP smbk5pwd source: https://git.openldap.org/nivanova/openldap/-/tree/master/contrib/slapd-modules/smbk5pwd
|
|
- saslauthd(8): https://linux.die.net/man/8/saslauthd
|