
Re: Crazy idea - Hybrid Authentication

Well, you can certainly set it up to use saslauthd for some entries and 
regular LDAP text comparison for other entries purely by what you put in 
the userPassword attribute.  The problem you will get into is how to 
write an ACL that will allow those people who are using text comparison 
to change the value of their userPassword attribute and keep those that 
have {SASL}uid@realm from touching theirs.

I know that this works with a combination of {KERBEROS}uid@realm and 
plain text values in 2.1.22 -- and I assume it will work with {SASL} in 
2.1.23.

F

Today at 2:01pm, Gary Allen Vollink wrote:

> I am aware of the possibility that this is an SASL question rather than 
> an OpenLDAP one.  If this is the case, please kindly let me know.
> 
> Is it possible to set up OpenLDAP so that users can connect to OpenLDAP 
> and be authenticated to Kerberos if such an account exists, but 
> authenticated to plain text otherwise?  Only failing after being tried 
> against both.
> 
> That is to say if I am logging into LDAP as "gvldap" that it should try 
> gvldap@CORVU.COM on my Kerberos domain, but failing that it would revert 
> to checking the password using the userPassword attribute in my LDAP 
> directory.  "dn: uid=gvldap,dc=corvu,dc=com"
> 
> For those who are wondering what the heck I'm thinking...  This is for 
> a web site that is equally authenticated for customers and employees - 
> and I don't want to Kerberize all of my customer accounts (as the value 
> of this is not worth the time), but I do want to Kerberize my employee 
> accounts - as these will be used for system access as well as Web site 
> access.
> 
> Thank you,
> Gary Allen Vollink
> 

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Systems Programmer              | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
                    === God Bless Us All ===
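An added illustration of the ACL split Frank describes above; it is not from either poster and not OpenLDAP project code. It assumes a slapd.conf for 2.1.x with SASL pass-through to saslauthd already working for {SASL} values, and that the Kerberized employee entries are listed in a hypothetical groupOfNames cn=krb-users,ou=Groups,dc=corvu,dc=com (the suffix dc=corvu,dc=com is the one from Gary's message; the group name and the sample customer entry are made up here).

```conf
# Added example, not from the original thread.  Assumes OpenLDAP 2.1.x
# slapd.conf, {SASL} pass-through already configured, and a hypothetical
# group cn=krb-users,ou=Groups,dc=corvu,dc=com listing the Kerberized DNs.

# Two kinds of entries living side by side (constructed sample data):
#
#   dn: uid=gvldap,dc=corvu,dc=com        employee, Kerberized
#   userPassword: {SASL}gvldap@CORVU.COM
#
#   dn: uid=customer1,dc=corvu,dc=com     customer, local password
#   userPassword: {SSHA}<hash>            placeholder for a hashed value
#
# Members of cn=krb-users get "auth" only on userPassword, so they can
# bind but never rewrite the {SASL} pointer.  Everyone else may change
# their own value.  "by" clauses are tested in order and the first match
# wins, so the group clause has to come before "by self write".

access to attrs=userPassword
        by group.exact="cn=krb-users,ou=Groups,dc=corvu,dc=com" auth
        by self write
        by anonymous auth
        by * none

# Remaining attributes: owners may edit, authenticated users may read.
access to *
        by self write
        by users read
        by * none
```

The ACL keys on group membership rather than on what is stored in userPassword, because userPassword has only an equality matching rule and cannot be filtered on by prefix; the {SASL} entries therefore stay protected only as long as their DNs are kept in the group, so adding the DN to cn=krb-users belongs in the same procedure that sets the {SASL} value. To check it, bind as a group member and as a non-member and attempt a modify of each account's own userPassword: the member should get an insufficient-access error, the non-member should succeed, and both should still be able to bind.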