
Re: Authenticate to ldap using Kerberos



Dear list,

First of all thank you for all the comments on this problem.

It seems currently the ldap implementation of evolution is blamed, which
is something I cannot agree with.

At this moment, I can connect to my ldap server from Evolution,
authenticated. I have to enter a username and a password in my evo
settings, which one way or another is communicated to openldap, which
then checks this un/pw combo and considers it valid to give the
information.

So from my pov, the combination evo/openldap is working, and they are
communicating well. So in that respect evo is not the problem here, as
it supports at least one protocol to communicate authentication
credentials to openldap.

Now basically the problem is that ldap is using the wrong authentication
type. Wrong as in not the one that I want it to use. It is using its
own, internal authentication - this I want to change to an external
system. It seems I need something like you guys call 'pass-through
authentication'. And what I learnt over the last year or so when I
looked more into this and related matters, Linux provides sasl and pam as
general authentication libs, designed exactly for this purpose. Sasl and
pam can even talk to each other.

It seems openldap supports sasl for this purpose, great.
Today I don't have time but over the weekend or next week I'm simply
going to dig into it again and see what happens. I have the idea I'm
close to getting it to work, just some small bits and pieces.

And then the next step is going to be tls, which for some reason also
refuses to work for me :(

Wouter.


On Thu, 2010-09-09 at 19:41 +0200, Dieter Kluenter wrote:
> Wouter van Marle <wouter@squirrel-systems.com> writes:
> 
> > On 9 Sep 10, at 21:47, Dan White wrote:
> >
> >> On 09/09/10 12:47 +0800, Wouter van Marle wrote:
> [...]
> > Most important difference is that pam is not mentioned here. But then
> > from other mails I understand that slapd only wants to use saslauthd
> > and not pam.
> 
> [...]
> 
> No, slapd doesn't want saslauthd, nor pam, it is just a hack. Please
> do not use saslauthd authentication agent in a kerberized
> environment. Make use of proper native sasl mechanism.
> 
> -Dieter 
>
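
As an added illustration of the native SASL mechanism Dieter recommends (example configuration, not part of either author's mail): a minimal slapd.conf fragment that lets clients holding a Kerberos ticket bind over SASL/GSSAPI and maps their principal onto a real directory entry, so no saslauthd or pam pass-through is involved. The realm EXAMPLE.COM, the host ldap.example.com and the ou=People subtree are assumed placeholders, and slapd is assumed to have its ldap/ldap.example.com key in a keytab it can read (normally pointed to with KRB5_KTNAME).

```conf
# slapd.conf fragment (example only): authenticate with Kerberos tickets
# via the GSSAPI SASL mechanism instead of saslauthd/pam pass-through.

# Realm and hostname of slapd's own service principal
# (ldap/ldap.example.com@EXAMPLE.COM in the keytab slapd reads).
sasl-realm      EXAMPLE.COM
sasl-host       ldap.example.com

# Refuse anonymous and plaintext SASL binds and require at least
# 56-bit protection on the SASL layer, so a ticket-less client
# cannot fall back to a weaker mechanism.
sasl-secprops   noanonymous,noplain,minssf=56

# A successful GSSAPI bind for wouter@EXAMPLE.COM yields the synthetic
# authentication DN (realm shown as slapd normalises it, lower-case):
#   uid=wouter,cn=example.com,cn=gssapi,cn=auth
# Map it onto the user's entry; without this mapping the bind succeeds
# but ACLs written against ou=People never match the session identity.
authz-regexp
  "uid=([^,]*),cn=example.com,cn=gssapi,cn=auth"
  "uid=$1,ou=People,dc=example,dc=com"
```

A client that has run kinit can check the result with `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com`, which should report the mapped uid=...,ou=People DN rather than the cn=auth form.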