[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: kpasswd

To: Allan E Johannesen <aej@WPI.EDU>
Subject: Re: kpasswd
From: Frank Swasey <Frank.Swasey@uvm.edu>
Date: Thu, 16 Oct 2003 09:57:06 -0400 (EDT)
Cc: Allan Streib <astreib@indiana.edu>, "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>, Paul M Fleming <pfleming@siumed.edu>, openldap-software@OpenLDAP.org
In-reply-to: <16270.41336.808858.102511@ccc3.WPI.EDU>
References: <Pine.LNX.4.58.0310160842510.1290@ybpnyubfg.ybpnyqbznva> <3CD59F46-FFDD-11D7-B9A5-000393033826@indiana.edu> <16270.41336.808858.102511@ccc3.WPI.EDU>

Today at 9:47am, Allan E Johannesen wrote:

> >>>>> "astreib" == Allan Streib <astreib@indiana.edu> writes:
>
> astreib> Add my vote to keep it.  We use it, heavily.  We've found too many
> astreib> clients either don't handle SASL or don't handle the GSSAPI mechanism.
> astreib> Doing a simple bind over ssl/tls and providing a kerberos password is
> astreib> a great alternative.  We're not interested in doing having passwords
> astreib> anywhere but in Kerberos.
>
> Yes, I use SASL/GSSAPI for automatic identification of ldap users for those who
> have logged in to unix, who are using command lines to reference the directory.
> When that feature came around I thought it was really slick.
>
> However, I've always used, and continue to need,
>
> userPassword: {kerberos}user@domain
>
> binding for various reasons.  e.g. across the web to the directory, that
> authentication uses the ldap acl to show people different amounts of info
> depending on whether they are a user or not.
>
> I also used ldap for my primary authentication of web clients since binding to
> ldap was so much more comprehensible to me than using kerberos.
>
> If there is some way to influence ldap to use:
>
> userPassword: {sasl, via kerberos}user@domain
>
> which seems like it would remove the need for ldap to deal with kerberos on its
> own, then that would be fine with me, but I don't know how to accomplish that.

I agree with you completely.  I am in the same situation.  I must allow
simple binds (on SSL or STARTTLS connections) and I refuse to allow
passwords other than the Kerberos password to be used.  Therefore, I
need the client to think they're doing a simple bind and have the
password checked with the Kerberos V5 KDC by the server.  Whatever does
that for me is fine -- {KERBEROS}user@realm is just so easy to use and
works well.

I have never heard anyone complain that it didn't work.  I've seen LOTS
of complaints and pleas for help on this list about how SASL fails to
work.

So, where are the instructions on configuring slapd to support
kerberos password verification without the code that defining
SLAPD_KPASSWD includes?

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===

Follow-Ups:
- Re: kpasswd
  - From: Allan E Johannesen <aej@WPI.EDU>

References:
- Re: kpasswd
  - From: Frank Swasey <Frank.Swasey@uvm.edu>
- Re: kpasswd
  - From: Allan Streib <astreib@indiana.edu>
- Re: kpasswd
  - From: Allan E Johannesen <aej@WPI.EDU>

Prev by Date: Re: kpasswd
Next by Date: active directory on existing ldap server
Index(es):
- Chronological
- Thread