
Re: Use GSSAPI Mechanism to authenticate against openldap server



Hi Dieter and all others,

> "S.B." <Seb.ADIO@gmx.de> writes:
> 
> > Hello list,
> >
> > I'm trying to authenticate with the GSSAPI mechanism to the OpenLDAP server. The
> > command ldapsearch -Y GSSAPI works fine. But if I want to use it in my login process
> > with the following files, /etc/openldap/ldap.conf and /etc/ldap.conf, then the client makes
> > an anonymous bind to the OpenLDAP server.
> 
> Actually, this is a PAM related question, the answer would be pam_krb5
> 
> > But I can still make a simple bind with the -x option.
> > I'm searching for a solution that allows only GSSAPI binds from the client to the server over a
> > TLS connection. (TLS is not the problem; it works, but it is actually not activated in the
> > config file!)
> 
> Manual page slapd.conf(5), security <factors>, for example
> security ssf=56 sasl=56
> 
> -Dieter
> 
> -- 
> Dieter Klünter | Systemberatung
> http://www.dkluenter.de
> GPG Key ID:01443B53
> 

This is right, pam_krb5 is the right one for authentication. We actually use this for
authorisation. But the client should get its account data (e.g. uid, home directory) from
OpenLDAP, and at the moment the client makes an anonymous bind, whereas it should make a
GSSAPI bind with the Kerberos data, because we have now found a solution to allow
only GSSAPI requests. In /etc/ldap.conf we can give it a bind DN, but the client should
authenticate with the Kerberos ticket of the users.

Have a nice evening.

Greetings from Germany to the whole world.


Sebastian Bickel
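A configuration sketch for the setup discussed in this thread, added here as an example and not taken from either post: the slapd.conf side applies Dieter's `security` directive so that only SASL-protected sessions are accepted, and the nss_ldap `/etc/ldap.conf` side asks for a GSSAPI bind instead of an anonymous one. The `use_sasl`, `sasl_mech` and `krb5_ccname` keys are nss_ldap options as I remember them, and the URI, base DN and cache path are placeholders.

```conf
# --- slapd.conf (server side) ---
# Refuse anonymous binds outright.
disallow bind_anon
# Require an authenticated session for any operation.
require authc
# Require at least 56 bits of protection overall and, specifically,
# 56 bits supplied by the SASL layer (GSSAPI integrity/confidentiality).
# A simple bind (ldapsearch -x) has a SASL ssf of 0 and is refused,
# and anonymous operations fall below the overall ssf as well.
security ssf=56 sasl=56

# --- /etc/ldap.conf (nss_ldap client side) ---
uri ldap://ldap.example.org/
base dc=example,dc=org
# Bind with SASL/GSSAPI rather than anonymously or with a simple bind.
use_sasl on
sasl_mech GSSAPI
# Credential cache nss_ldap reads its Kerberos ticket from
# (assumed option name; the path is a placeholder).
krb5_ccname FILE:/var/run/ldap_krb5cc
```

Because nss_ldap lookups run inside every process, including ones started before any user has logged in, the cache named by `krb5_ccname` is normally filled from a host keytab rather than from an individual user's ticket, with pam_krb5 handling the user's own authentication as Dieter described.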