Kerberos V5 verification of simple bind password
I've searched through the archives; if the answer to my question is there,
just let me know.
I've got openldap 2.0.18 almost working the way I want. I have a couple
of sasl/kerberos questions.
1) Is there any way to default to a password verification method (non-SASL)
if the userpassword attribute is not found? I'd rather not have to
add a userpassword attribute for all my entries. (On a simple bind I
want to default to checking the password against SASL or Kerberos, with a
fall-through to the userpassword attribute.)
2) Any tricks to getting userpassword: {KERBEROS}principal working? Is
this the correct form?
Thanks.
I have the following working:
SASL/KRB5 bind
simple bind with "userpassword: {SASL}userid" and "userpassword: {sha}blahblah"
SASL sample apps work correctly for both cleartext verification (against Krb5) and gssapi
Sendmail works flawlessly using same Cyrus-SASL libraries
Some additional info:
./configure --enable-wrappers \
    --enable-cleartext \
    --with-cyrus-sasl \
    --prefix=/servers/openldap \
    --enable-spasswd \
    --enable-kpasswd
--snips from slapd.conf
sasl-secprops none
sasl-realm "MYREALM.EDU"
sasl-host somehost
access to attr=userPassword
    by anonymous auth
    by dn="uid=admin, o=ME, c=US" write
    by group/groupofuniquenames/uniqueMember="cn=Administrators,o=ME,c=US" write
    by * none
access to *
    by self write
    by dn="uid=pfleming.+\+realm=MYREALM.EDU" write
    by group/groupofuniquenames/uniqueMember="cn=Administrators,o=ME,c=US" write
    by group/groupofuniquenames/uniqueMember="cn=Calendar Server Admins,ou=Netscape Servers,o=ME,c=US" write
    by * read