So far answers I've received
about this have been inconsistent at best and downright inaccurate at
worst. I'm going to try one more time and see if, at the very least,
someone can give me a lead. I ask you to consider what I'm asking
remotely possible, and then seek a solution. (Particularly before one
blasts off an ill-thought-out message that says simply, "Can't be
done," simply because you've never done it or haven't heard of it being
done.) So consider this a challenge or a riddle.

- I have an OpenLDAP directory server that I am using for user and
  group information. I would like to use it also to authenticate
  against. This way, whatever I hook up to it (Samba, webstuff, PHP
  apps, CMS) can both authenticate and authorize from one source.
- There is a separate Kerberos server that has users' campus-wide
  passwords. I have access to it, but do not control it.
- I have a separate Linux file server running Samba. PCs and Macs will
  connect to it.

I know I can do Kerberos authentication directly from Samba, but I'd
prefer OpenLDAP do the Kerberos connection. Here's why: a) I can solve
the problem once, rather than have to work out BOTH LDAP and Kerberos
connections for every new authenticated service I add, and b) LDAP
hooks are more common than Kerberos hooks for other services for which
I will eventually want authentication and authorization. And yes, I
know it breaks the Kerberos model.

The question and the challenge: Any leads on how I might convince
Samba to pass the input password on to OpenLDAP so that OpenLDAP can
authenticate it against Kerberos?

Wes
--
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208