SASL, Kerberos V and LDAP


Well, perhaps this isn't the right list to ask this on, but I expect that some
people here are familiar with the problem.

"My" Linux users authenticate against OpenLDAP v2.0x. Everything works fine,
but I want to add a security layer to be sure that users who want to
change their passwords (to which they are already granted access by a "self
write" acl-entry in slapd.conf) are really the users they claim to be.

OpenLDAP uses SASL, and the more I read about it the more I wanted to use
Kerberos V with it.
But I don't really understand the principle, and I hope you can help me
with this.

When a user logs into a client, the login involves 1) authentication
against LDAP, which works fine, and 2) requesting a ticket-granting-ticket
from the Kerberos server, which should do as well.

But now when that user wants to change his password, he first has to
request a service ticket from the Kerberos server, in order to gain access
to his own password - because when he asks OpenLDAP for it without first
having a service ticket, SASL will say "no you mustn't".

So I have to install a program which, on executing "passwd", requests a
service ticket from Kerberos. I didn't find any, and pam_ldap doesn't seem
to do so either.

Did I overlook some program, did I completely misunderstand the use of
Kerberos, or is there just no program available to do this? What would you
suggest as an alternative?

Thanks for your answers!

Armin Herbert               PH Freiburg, ZIK
Tel: +49-761-682-289        79117 Freiburg, Germany
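The two-step flow described in the post (a TGT at login, then an ldap/ service ticket before the password change) can be checked from the user's credential cache, and the service ticket itself is obtained by the GSSAPI SASL mechanism inside the LDAP client rather than by a separate helper. The script below is an added example, not code from the original post; it assumes MIT Kerberos client tools (klist, kinit), OpenLDAP's ldappasswd built with the GSSAPI mechanism, and placeholder values for the LDAP host and realm. The klist output it parses in the demo is constructed, not captured from a real cache.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes MIT Kerberos client
# tools and OpenLDAP ldappasswd with SASL/GSSAPI support.

LDAP_HOST="ldap.example.org"   # placeholder LDAP server name (hypothetical)
REALM="EXAMPLE.ORG"            # placeholder Kerberos realm (hypothetical)

# Succeed (exit 0) if klist-style output on stdin lists a ticket whose
# service principal equals $1. klist prints the principal as the last
# field of each ticket line, e.g.
#   01/01/02 09:00:00  01/01/02 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
# Expiry is left to klist/GSSAPI; only the principal column is inspected.
cache_has_ticket() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Classify a credential cache from klist output on stdin:
#   none    - no TGT at all; the user has to kinit first
#   tgt     - TGT only; GSSAPI will request ldap/<host> from the KDC itself
#   service - the ldap/<host> service ticket is already cached
ticket_state() {
    cache=$(cat)
    if printf '%s\n' "$cache" | cache_has_ticket "ldap/$LDAP_HOST@$REALM"; then
        echo service
    elif printf '%s\n' "$cache" | cache_has_ticket "krbtgt/$REALM@$REALM"; then
        echo tgt
    else
        echo none
    fi
}

# Change the invoking user's own LDAP password, authenticating with the
# Kerberos identity from the credential cache. No separate "get a service
# ticket" program is needed: the GSSAPI mechanism used by ldappasswd asks
# the KDC for ldap/<host> on the strength of the TGT.
change_ldap_password() {
    state=$(klist 2>/dev/null | ticket_state)
    if [ "$state" = none ]; then
        echo "no Kerberos TGT in the credential cache; run kinit first" >&2
        return 1
    fi
    # -Y GSSAPI selects the Kerberos SASL mechanism, -S prompts for the new
    # password. The SASL security layer negotiated by GSSAPI protects the
    # exchange when the server's sasl-secprops allow it (assumption).
    ldappasswd -H "ldap://$LDAP_HOST" -Y GSSAPI -S
}

# Constructed klist output for the offline demo and checks below.
SAMPLE_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: armin@EXAMPLE.ORG

Valid starting     Expires            Service principal
01/01/02 09:00:00  01/01/02 19:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'

SAMPLE_WITH_SERVICE="$SAMPLE_TGT_ONLY
01/01/02 09:05:00  01/01/02 19:00:00  ldap/ldap.example.org@EXAMPLE.ORG"

# Offline demo: classify both constructed caches (no KDC contact).
printf '%s\n' "$SAMPLE_TGT_ONLY" | ticket_state        # tgt
printf '%s\n' "$SAMPLE_WITH_SERVICE" | ticket_state    # service

# Only talk to the real KDC/LDAP server when explicitly asked.
if [ "${1:-}" = "--change" ]; then
    change_ldap_password
fi
```

Run it as `sh script.sh --change` after `kinit`; without the flag it only exercises the parser against the constructed samples. The point worth keeping from the design is that the client never needs a dedicated program to fetch the ldap/ service ticket: once the TGT is present, GSSAPI does that within the bind.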