
RE: Cyrus SASL w/GSSAPI

>>But now I don't know what client the users might have - they may not have the nice client
>>that OpenLDAP provides, so we need to also authenticate via simple and hope for the same
>>result... but it seems to ignore the "userPassword: {SASL}username" entry:

Kurt replied:

>This uses whatever password check method Cyrus SASL is configured
>to use (which can be per application).  The default is SASLdb.
>The latest version of Cyrus SASL doesn't support Kerberos 5 check
>directly (though it would be trivial to add), but you can do
>it via PAM.  However, you could just use the "{KERBEROS}principal"
>scheme instead.  Note: simple authentication should only be used
>when there is adequate privacy protections.

Strange that Cyrus would supply a complete Kerberos 5 implementation but not provide a check
directly...  anyway I tried the "{KERBEROS}principal" scheme but could not get it to work.
Is that for Kerberos V4 only?  I can only use V5.

Having OpenLDAP work with Kerberos 5 is wonderful.  It's something we've been needing for a long time.  But since I can't know that a client is also kerberized, I have to support simple authentication as well.  I know it's not safe, but neither is telnet and we have to support that too (at least for now).  So, if the Kerberos 5 check "would be trivial to add", who would have to add it?  The Cyrus people, OpenLDAP people or both?  Who do I have to convince that this would REALLY be a worthwhile thing to do?  Thanks for all your help.