Re: SASL, Kerberos V and LDAP

[Armin Herbert <jolo@ph-freiburg.de>]

"Mark H. Wood" wrote:

> I think the confusion comes from a change in the directory's role:  from a
> *provider* of authentication (before adding Kerberos) to a *consumer* of
> authentication services (after adding Kerberos).  You'd switch from
> pam_ldap to pam_krb5 for login authentication, and any fetching of user
> data from the directory would use the ticket cache established by pam_krb5
> to authenticate to the directory service.  You could run ldapsearch in the
> login script and dig useful information out of its output, or write
> something more specific to your needs.
> 
> Kerberos would be the *only* service that knows the user's password, so
> the user would use 'kpasswd' to change it, and kpasswd knows all about
> ticket handling.  The directory wouldn't be involved at all.

I read about this way from <turbo@bayour.com> in his LDAPv3 paper, and I
don't think this is what I want (but I'm quite unsure, I'm not through all
Kerberos papers yet ..)

I thought when requesting a service ticket from Kerberos, the server could
ask ldap if the user's allowed to be on the host the request came from, at
which times he may be there etc pp. And I thought Kerberos could ask LDAP
all this through the SASL authentication/authorization "mapping".

So a user could authenticate itself to LDAP by providing a service ticket
and then changing his userPassword, which would be used by Kerberos (which
should have some sort of "trust relationship" to LDAP) to authenticate the
user to LDAP.

Login etc would still be done with pam_ldap.


Well but perhaps this is the point where I should stop thinking and start
doing ;-)




Armin.
-- 
Armin Herbert               PH Freiburg, ZIK
Tel: +49-761-682-289        79117 Freiburg, Germany