
Re: Authenticate to ldap using Kerberos



On 09/09/10 10:21 +0800, Wouter van Marle wrote:
That requires pass-through authentication.

I see.
Well with the above instructions nothing seems to have changed.
I have restarted saslauthd and slapd after making the changes, and when
now accessing the ldap addressbook using Evolution, I still have to use
the ldap stored password, not the krb password.

Wouter.

To be a little more explicit, to enable pass-through authentication, you
will need to replace the password (userPassword attribute) with:

userPassword: {SASL}username@realm

for instance:

dn: uid=jsmith,dc=example,dc=com
...
userPassword: {SASL}jsmith

In this case, the user will have no valid password defined in LDAP (or at
least not in the userPassword attribute).

When attempting to perform a non-SASL bind, slapd will use saslauthd to
authenticate, by taking the username (from the userPassword field), and the
password that was submitted.

--
Dan White
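
An added example, not part of the original post: a small audit over an LDIF export that reports which entries delegate simple binds to saslauthd through a {SASL} userPassword value, and which still carry a locally stored value beside it. The sample entries, the realm EXAMPLE.COM and the function names are constructed for illustration; the "mixed" label assumes slapd's behaviour of accepting a bind that matches any one userPassword value.

```python
import base64

# Constructed sample LDIF (not from the original post). "::" marks a base64
# value; the second entry keeps an old hash next to its {SASL} value.
SAMPLE_LDIF = """\
dn: uid=jsmith,dc=example,dc=com
userPassword: {SASL}jsmith

dn: uid=wouter,dc=example,dc=com
userPassword:: e1NBU0x9d291dGVyQEVYQU1QTEUuQ09N
userPassword: {SSHA}CONSTRUCTED-PLACEHOLDER

dn: uid=guest,dc=example,dc=com
userPassword: {SSHA}CONSTRUCTED-PLACEHOLDER
"""

def parse_ldif(text):
    """Return {dn: [userPassword values]}, decoding base64 ("::") values."""
    entries, dn = {}, None
    for line in text.splitlines():
        if not line.strip():
            dn = None                      # blank line ends the entry
            continue
        attr, _, rest = line.partition(":")
        b64 = rest.startswith(":")
        value = rest[1:].strip() if b64 else rest.strip()
        if b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        if attr.lower() == "dn":
            dn = value
            entries[dn] = []
        elif attr.lower() == "userpassword" and dn:
            entries[dn].append(value)
    return entries

def audit(text):
    """Map each dn to (status, identities handed to saslauthd)."""
    report = {}
    for dn, values in parse_ldif(text).items():
        sasl = [v[6:] for v in values if v.upper().startswith("{SASL}")]
        local = [v for v in values if not v.upper().startswith("{SASL}")]
        # "mixed": a locally stored value is still present next to {SASL}
        status = ("pass-through" if sasl and not local else "mixed" if sasl
                  else "local-only" if local else "no-password")
        report[dn] = (status, sasl)
    return report

if __name__ == "__main__":
    for dn, (status, ids) in audit(SAMPLE_LDIF).items():
        print(f"{status:12} {dn} {ids}")
```

An entry reported as "mixed" or "local-only" will still accept the LDAP-stored password on a simple bind, which is the first thing to check when the Kerberos password appears to be ignored.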