
Re: MIT Kerberos5+ SASL+ OpenLdap



At 09:45 AM 5/18/2005, Manel Euro wrote:
>I am having some problems related with kerberos5, cyrus-sasl and openldap.
>A colleague of mine has a different understanding than I do so I would like to hear some opinions.
>
>Here is what I have achieved:
>
>Configured realm ABC.COM on machine server1 (MIT KERBEROS KDC).
>Configured Openldap on machine server1 dc=abc,dc=com.
>Installed Cyrus-sasl on machine server1 so openldap could use it.
>Configured pam on machine client 1 (so it gets authorization from ldap and authentication from Kerberos)
>
>Each user has the following parameters:
>Is the user information correct or does it have to be like the following:

Since credentials for GSSAPI-based Kerberos authentication
are managed by the GSSAPI implementation (in Cyrus SASL),
it is irrelevant to slapd(8) as to what user information you
have placed in the directory.  (Now, your KDC might be
directory enabled, and hence have its own user information
requirements, but these are not slapd(8)-specific
requirements.)

>In my current configuration I don't have a userPassword field.
>I believe that cyrus-sasl (gssapi) gets the information from my ticket and converts it to my dn. So, this way, I don't need to have a userPassword field.

Correct.

>Finally, do I need to configure saslauthd?

Not for GSSAPI-based Kerberos authentication.  See Cyrus-SASL
for where/how saslauthd is useful.

Kurt
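The step the thread describes, the Kerberos ticket's principal being turned into a directory DN by slapd rather than by any password attribute in the entry, is done with the authz-regexp directive in slapd.conf. The fragment below is an added illustration, not part of Kurt's reply or of any OpenLDAP-shipped configuration; it uses the realm ABC.COM and suffix dc=abc,dc=com from the thread and assumes that user entries live under ou=People,dc=abc,dc=com and carry a uid equal to the Kerberos principal name. slapd matches the regexp against the normalized SASL identity, so the realm and mechanism are written in lowercase here.

```conf
# slapd.conf fragment (added example, not from the original message)

# Hostname used to locate the ldap/<host>@ABC.COM service key in the keytab.
sasl-host       server1.abc.com

# After a successful GSSAPI bind, slapd sees the authentication identity
#   uid=<principal>,cn=abc.com,cn=gssapi,cn=auth
# Map it onto the user's real entry. Only the first matching authz-regexp
# is used, so put the most specific pattern first.
authz-regexp
    "^uid=([^,]*),cn=abc.com,cn=gssapi,cn=auth$"
    "uid=$1,ou=People,dc=abc,dc=com"

# Same mapping expressed as a search instead of a literal DN; this form
# tolerates entries that are not directly under ou=People, and fails the
# bind if the search returns zero or more than one entry.
# authz-regexp
#     "^uid=([^,]*),cn=abc.com,cn=gssapi,cn=auth$"
#     "ldap:///dc=abc,dc=com??sub?(uid=$1)"

# The target entry needs no userPassword attribute: the KDC verified the
# user, slapd only decides which DN that proven principal corresponds to.
```

With a ticket for manel@ABC.COM, `ldapwhoami -Y GSSAPI -H ldap://server1.abc.com` should report `dn:uid=manel,ou=People,dc=abc,dc=com`; if it instead prints the raw `uid=manel,cn=abc.com,cn=gssapi,cn=auth` form, the regexp did not match and the printed string is the exact identity the pattern has to cover. Nothing here involves saslauthd, which only matters for plaintext mechanisms such as PLAIN or LOGIN.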