So, I've recently, finally, gotten around to developing my old idea of integrating the Kerberos and LDAP protocols into a working proof of concept.
I've also made it into a subject of my master's thesis at PJIIT (Polish-Japanese Institute of Information Technology).
You can read the master's thesis in PDF format here. Don't pay attention to the silly title, the fragments of the title and introduction in Polish, and the appendices with source code (which, above all, is available on GitHub). All of those were simply requirements of the institute.
The actual point of the paper is:
- to present the premise that the current stack of protocols needed to integrate Kerberos with LDAP is unnecessarily complex (think SASL, and possibly GSSAPI),
- to argue that a simpler and more logical solution would be to integrate the protocols closely by carrying Kerberos v5 messages inside LDAP v3 extended operations (exop), resulting in a new protocol named KrbLDAP,
- to present a working proof of concept.
It turns out that carrying Kerberos messages over LDAP is quite straightforward, as demonstrated in the proof of concept code, which consists of an integration test, a customized client and a customized server.
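To make the framing concrete, here is an added example (my own illustration, not the thesis's or the proof-of-concept's code) that wraps a Kerberos message in an LDAP v3 ExtendedRequest and unwraps the matching ExtendedResponse, encoding the BER by hand using the tags from RFC 4511. The exop OID is a placeholder assumption; the thesis defines its own, and the "AS-REQ" payload is a constructed stand-in, not a valid Kerberos message. For contrast it also shows the 4-octet length prefix that plain Kerberos over TCP uses (RFC 4120 §7.2.2), which KrbLDAP replaces with the LDAP message's own TLV framing.

```python
"""Added example: carrying a Kerberos v5 message inside an LDAP v3 extended operation.

RFC 4511 shapes used here:
  LDAPMessage      ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE { ... } }
  ExtendedRequest  ::= [APPLICATION 23] SEQUENCE { requestName [0] LDAPOID,
                                                   requestValue [1] OCTET STRING OPTIONAL }
  ExtendedResponse ::= [APPLICATION 24] SEQUENCE { resultCode ENUMERATED,
                                                   matchedDN OCTET STRING,
                                                   diagnosticMessage OCTET STRING,
                                                   responseName [10] LDAPOID OPTIONAL,
                                                   responseValue [11] OCTET STRING OPTIONAL }
LDAPOID is an OCTET STRING holding the dotted-decimal text, so no OID encoding is needed.
"""
import struct

# Placeholder OID (assumption): the thesis assigns its own OID to the KrbLDAP exop.
KRBLDAP_OID = "1.3.6.1.4.1.99999.1"

# Constructed stand-in: starts with the AS-REQ application tag (0x6a) but is NOT a valid AS-REQ.
SAMPLE_AS_REQ = bytes([0x6A, 0x03, 0x30, 0x01, 0x00])

TAG_SEQUENCE, TAG_INTEGER, TAG_ENUMERATED = 0x30, 0x02, 0x0A
TAG_EXT_REQUEST, TAG_EXT_RESPONSE = 0x77, 0x78      # [APPLICATION 23] / [APPLICATION 24], constructed
LDAP_SUCCESS = b"\x00"


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form (0x80 | byte count, then big-endian) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def encode_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER (messageID is positive, so a leading 0x00 is added when needed)."""
    return tlv(TAG_INTEGER, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def krbldap_request(message_id: int, krb_msg: bytes) -> bytes:
    """Client side: the raw Kerberos message becomes requestValue of an ExtendedRequest."""
    exop = tlv(TAG_EXT_REQUEST, tlv(0x80, KRBLDAP_OID.encode()) + tlv(0x81, krb_msg))
    return tlv(TAG_SEQUENCE, encode_integer(message_id) + exop)


def krbldap_response(message_id: int, krb_reply: bytes) -> bytes:
    """Server side: LDAP result success, Kerberos reply (or KRB-ERROR) in responseValue."""
    ldap_result = tlv(TAG_ENUMERATED, LDAP_SUCCESS) + tlv(0x04, b"") + tlv(0x04, b"")
    exop = tlv(TAG_EXT_RESPONSE, ldap_result + tlv(0x8A, KRBLDAP_OID.encode()) + tlv(0x8B, krb_reply))
    return tlv(TAG_SEQUENCE, encode_integer(message_id) + exop)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_krbldap(buf: bytes):
    """Unwrap one LDAPMessage; return (message_id, 'request'|'response', kerberos_bytes)."""
    tag, body, end = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE or end != len(buf):
        raise ValueError("not exactly one LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    message_id = int.from_bytes(mid, "big", signed=True)
    tag, op, _ = read_tlv(body, pos)
    if tag == TAG_EXT_REQUEST:
        kind, name_tag, value_tag = "request", 0x80, 0x81
    elif tag == TAG_EXT_RESPONSE:
        kind, name_tag, value_tag = "response", 0x8A, 0x8B
    else:
        raise ValueError("protocolOp is not an extended operation")
    name = value = None
    p = 0
    while p < len(op):
        t, v, p = read_tlv(op, p)
        if kind == "response" and t == TAG_ENUMERATED and v != LDAP_SUCCESS:
            # An LDAP-level failure (e.g. protocolError = 2 for an unsupported exop) carries no Kerberos payload.
            raise ValueError("LDAP resultCode %d" % int.from_bytes(v, "big"))
        elif t == name_tag:
            name = v.decode("ascii")
        elif t == value_tag:
            value = v
    if name != KRBLDAP_OID:
        raise ValueError("unexpected exop OID %r" % name)
    if value is None:
        raise ValueError("exop carries no Kerberos payload")
    return message_id, kind, value


def krb_tcp_frame(krb_msg: bytes) -> bytes:
    """Plain Kerberos over TCP (RFC 4120 §7.2.2): 4-octet big-endian length, then the message."""
    return struct.pack(">I", len(krb_msg)) + krb_msg


if __name__ == "__main__":
    wire = krbldap_request(1, SAMPLE_AS_REQ)
    print(wire.hex())
    print(parse_krbldap(wire))
```

The point worth noticing is that a KDC-side failure still arrives as a Kerberos KRB-ERROR inside responseValue with an LDAP resultCode of success, while an LDAP-level failure (the server not recognising the exop OID, for instance) has no Kerberos payload at all; a client has to distinguish the two rather than treat every ExtendedResponse as a Kerberos reply.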
On the client side, it was sufficient to make simple changes to MIT libkrb5. Currently, due to time pressure while working on the thesis, the switch to transporting krb5 over LDAP exop is hardcoded in libkrb5. It should be quite simple to add a /etc/krb5.conf config option that selectively activates this logic per KDC server. It was also necessary to use some actual application that uses the customized libkrb5 as the base for the automatically performed integration test. I went with the PAM krb5 module, as it already has a set of ready-made integration tests for plain krb5.
On the server side, I needed to make customizations that were a bit larger in scope, but still simple. I chose Apache Directory for the server since it's a well-architected, extensible implementation of both an LDAP v3 server and a Kerberos KDC. The downside of this choice, as it turned out later in the implementation, is that Apache DS has some serious compatibility problems with standard krb5 as specified in the RFC, and the MIT krb5 client library is especially sensitive to those.
Both the server side customizations and the integration test launcher are contained in one Maven-based Java project named apacheds-krbldap-test.
The proof of concept succeeds in performing a simple Kerberos message exchange, which progresses analogously to an exchange between an unmodified vanilla krb5 client and Apache DS over plain TCP-based Kerberos.
Unfortunately, due to interoperability issues between ApacheDS's KDC and MIT libkrb5, this exchange doesn't succeed in obtaining a Kerberos ticket. This is true both for KrbLDAP and for classic Krb5 over TCP.
The main point of the thesis can, however, be considered proven: Kerberos can be easily transported over LDAP, and this protocol stack is much simpler than having two separate TCP-based protocols working in concert.