[Date Prev][Date Next] [Chronological] [Thread] [Top]

Kerberos V5 verification of simple bind password

I've searched through the archives if the answer to my question is there
just let me know..

I've got openldap 2.0.18 almost working the way I want. I have a couple
of sasl/kerberos questions.

1) Is there any way to default to a password verification method (NON
sasl) if the userpassword attribute is not found. I'd rather not have to
add a userpassword attribute for all my entries. (on a simple bind I
want to default to checking the password against SASL or Kerberos with a
fall-through to the userpassword attribute)

2) Any tricks to getting userpassword: {KERBEROS}principal working?? Is
this the correct form??


I have the following working:

SASL/KRB5 bind
simple bind with "userpassword: {SASL}userid" and "userpassword:
SASL sample apps work correctly for both cleartext verification(against
Krb5) and gssapi..
Sendmail works flawlessly using same Cyrus-SASL libraries

Some additional info:

./configure 	--enable-wrappers 
--snips from slapd.conf

sasl-secprops none
sasl-realm              "MYREALM.EDU"
sasl-host               somehost

access to attr=userPassword
       by anonymous auth
       by dn="uid=admin, o=ME, c=US" write
       by * none

access to *
        by self write
        by dn="uid=pfleming.+\+realm=MYREALM.EDU" write
        by group/groupofuniquenames/uniqueMember="cn=Calendar Server
Admins,ou=Netscape Servers,o=ME,c=US" write
        by * read