Re: Authenticate to ldap using Kerberos



On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
> Wouter van Marle wrote:
> > On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
> >> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> >>>> That requires pass-through authentication.
> >>>
> >>> I see.
> >>> Well with the above instructions nothing seems to have changed.
> >>> I have restarted saslauthd and slapd after making the changes, and when
> >>> now accessing the ldap addressbook using Evolution, I still have to use
> >>> the ldap stored password, not the krb password.
> >>>
> >>> Wouter.
> >>
> >> To be a little more explicit, to enable pass-through authentication, you
> >> will need to replace the password (userPassword attribute) with:
> >>
> >> userPassword: {SASL}username@realm
> >
> > When I got it working I am considering to write some tutorial - maybe
> > useful. I haven't been able to find anything like it on the internet.
> > The above I have never seen; just once a suggestion to change the
> > password to {KERBEROS}username but well that also didn't work :)
> >
> > It's much harder to get working than I ever expected, really. And even
> > more so I'm surprised that openldap doesn't support this "out of the
> > box", or with some minor settings.
> 
> It is not supported out of the box because it's generally the wrong thing to 
> do. It is intentionally undocumented, to discourage people from pursuing this 
> misguided course. Use GSSAPI.

GSSAPI works:
$ ldapwhoami -h acorn.squirrel
SASL/GSSAPI authentication started
SASL username: wouter@SQUIRREL
SASL SSF: 56
SASL data security layer installed.
dn:uid=wouter,cn=gssapi,cn=auth

But for whatever reason I have no option to choose GSSAPI as ldap
authentication method in Evolution.

And actually now you start calling it "misguided course", I would really
like to know what the proper course is.

My basic request is:
- no passwords stored in the LDAP database.
- LDAP authenticates users against a Kerberos server.

After a day of googling, searching for terms like the subject of this
thread, I am not really closer to a solution. All solutions that I DID
find were following variations of what I tried to do, and what you call
misguided.

The thing that I talked about when I mentioned "support out of the box
or with minor settings" was simply the Kerberos authentication. Why
doesn't that work easily? Why can I not just tell openldap to use
kerberos, be it via PAM, via GSSAPI directly, whatever - the method I
don't care about - as long as it works. And the frustration now is that
it still doesn't work.

Wouter.
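An added example, not from this thread or from OpenLDAP: a small Python audit that reads an LDIF export and classifies each userPassword as pass-through ({SASL}user@realm, the form Dan describes), the older {KERBEROS} form Wouter tried, a stored hash, or cleartext, so the "no passwords stored in the LDAP database" requirement can be checked against the directory. The sample LDIF, DNs and hash value are constructed.

```python
import re
# Constructed sample LDIF, not from the thread. {SASL}user@REALM is the
# pass-through marker described above; {KERBEROS}user is the older form tried.
SAMPLE_LDIF = """\
dn: uid=wouter,ou=people,dc=squirrel
userPassword: {SASL}wouter@SQUIRREL

dn: uid=alice,ou=people,dc=squirrel
userPassword: {SSHA}Y29uc3RydWN0ZWQtbm90LWEtcmVhbC1oYXNo

dn: uid=bob,ou=people,dc=squirrel
userPassword: {KERBEROS}bob

dn: uid=carol,ou=people,dc=squirrel
userPassword: plaintext-secret
"""
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$")

def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: blank-line separated 'attr: value' entries (no folding/base64)."""
    entries: list[dict[str, list[str]]] = [{}]
    for line in text.splitlines():
        if not line.strip():
            entries.append({})
        elif ":" in line:
            attr, value = line.split(":", 1)
            entries[-1].setdefault(attr, []).append(value.strip())
    return [e for e in entries if e]

def classify_password(value: str) -> str:
    """How a userPassword value is stored; 'passthrough' is the {SASL} form."""
    m = SCHEME_RE.match(value)
    if not m:
        return "cleartext"        # no {scheme}: slapd compares the literal value
    scheme, ident = m.group(1).upper(), m.group(2)
    if scheme == "SASL":          # bind password goes to saslauthd; the stored
        ok = re.fullmatch(r"[^@\s]+@[^@\s]+", ident)   # value must be user@realm
        return "passthrough" if ok else "passthrough-malformed"
    if scheme == "KERBEROS":
        return "legacy-kerberos"  # older scheme; the thread reports it failing
    return "hashed"               # {SSHA}, {CRYPT}, ...: a secret kept in LDAP

def audit(ldif_text: str) -> dict[str, str]:
    """Map each dn to its storage class; entries without userPassword are 'none'."""
    return {e["dn"][0]: classify_password(e["userPassword"][0]) if "userPassword" in e else "none"
            for e in parse_ldif(ldif_text) if "dn" in e}

def stored_secrets(ldif_text: str) -> list[str]:
    """DNs still holding a secret in the directory (the poster wants none)."""
    return [dn for dn, c in audit(ldif_text).items() if c in ("hashed", "cleartext")]
```

Run `stored_secrets` over an `slapcat` export to list the entries that still need converting before passwords can leave the directory.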