
SASL, Kerberos V and LDAP

Hi,

well perhaps this isn't the right list to ask this, but I expect that some
people here are familiar with the problem.

"My" Linux users authenticate against OpenLDAP v2.0x. Everything works fine,
but I want to add a security layer to be sure that users who want to
change their passwords (to which they are by now granted access by a "self
write" ACL entry in slapd.conf) are really the users they claim to be.

OpenLDAP uses SASL, and the more I read about it the more I wanted to use
Kerberos V with it.
But I don't really understand the principle, and I hope you can help me
with this.

When a user logs into a client, the login involves 1) authentication
against LDAP, which works fine, and 2) requesting a ticket-granting-ticket
from the Kerberos server, which should do as well.

But now when that user wants to change his password, he first has to
request a service ticket from the Kerberos server, in order to gain access
to his own password - because when he asks OpenLDAP for it without first
having a service ticket, SASL will say "no you mustn't".

So I have to install a program which, on executing "passwd", requests a
service ticket from Kerberos. I didn't find any, and pam_ldap doesn't seem
to do so either.

Did I overlook some program, did I completely misunderstand the use of
Kerberos, or is there just no program available to do this? What would you
suggest as an alternative?


Thanks for your answers!

Armin.
-- 
Armin Herbert               PH Freiburg, ZIK
Tel: +49-761-682-289        79117 Freiburg, Germany
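
The flow described in the post, written out as an added example (not from the post or from any reply on the list). It assumes MIT Kerberos client tools (kinit, klist), OpenLDAP client tools built with the Cyrus SASL GSSAPI mechanism, and a hypothetical realm EXAMPLE.ORG with an LDAP server ldap.example.org. The point it shows: with SASL/GSSAPI there is no separate "get a service ticket" step for the user. The GSSAPI mechanism inside ldappasswd uses the TGT already in the credential cache to fetch the ldap/host service ticket from the KDC during the bind, which is why the ticket appears in klist only after the first bind. The klist output below is constructed to illustrate that before/after state.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: MIT Kerberos
# tools (kinit, klist), OpenLDAP client tools with Cyrus SASL GSSAPI,
# realm EXAMPLE.ORG and LDAP server ldap.example.org (all hypothetical).

REALM="EXAMPLE.ORG"
LDAP_HOST="ldap.example.org"

# Constructed sample of what `klist` prints right after login (TGT only) ...
KLIST_AFTER_LOGIN='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: armin@EXAMPLE.ORG

Valid starting     Expires            Service principal
01/01/03 09:00:00  01/01/03 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

# ... and after one GSSAPI bind: the SASL layer fetched the ldap/ service
# ticket with the cached TGT; no extra program was involved.
KLIST_AFTER_BIND="$KLIST_AFTER_LOGIN
01/01/03 09:05:12  01/01/03 19:00:00  ldap/ldap.example.org@EXAMPLE.ORG"

# has_ticket KLIST_OUTPUT PRINCIPAL -> exit 0 if the cache holds a ticket for PRINCIPAL
has_ticket() {
    printf '%s\n' "$1" | grep -q "[[:space:]]$2\$"
}

# cache_state KLIST_OUTPUT -> prints "none", "tgt" or "tgt+ldap"
cache_state() {
    if ! has_ticket "$1" "krbtgt/$REALM@$REALM"; then
        echo none
    elif has_ticket "$1" "ldap/$LDAP_HOST@$REALM"; then
        echo tgt+ldap
    else
        echo tgt
    fi
}

# The real procedure: a TGT from login (or kinit), then ldappasswd with the
# GSSAPI mechanism; the service ticket is obtained as a side effect of the bind.
change_password() {
    if [ "$(cache_state "$(klist 2>/dev/null)")" = none ]; then
        kinit "$USER"                     # only needed if login did not leave a TGT
    fi
    ldappasswd -Y GSSAPI -H "ldap://$LDAP_HOST" -S   # -S: prompt for the new password
    klist                                 # now lists krbtgt/... and ldap/$LDAP_HOST
}

# Dry demonstration on the constructed samples; pass --run to do it for real.
echo "after login: $(cache_state "$KLIST_AFTER_LOGIN")"
echo "after bind:  $(cache_state "$KLIST_AFTER_BIND")"
if [ "${1:-}" = "--run" ]; then
    change_password
fi
```

One caveat on the server side: slapd sees a GSSAPI-authenticated user under its SASL identity (uid=armin,cn=example.org,cn=gssapi,cn=auth), not under the user's LDAP DN, so the "self write" ACL only applies once slapd.conf maps that SASL identity to the DN (the sasl-regexp mapping in OpenLDAP 2.x). Without that mapping the bind succeeds but the password change is still refused, which looks very much like the "no you mustn't" in the post.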