
Re: Question on GSSAPI-authentication
At 07:10 AM 2002-08-27, Harry Rüter wrote:
>Now, what happens when ldapreplicator,
>who is ldapreplicator@HRNET.DE wants to authenticate ?
>
>Is it :
>  ldapreplicator@HRNET.DE
>translated to
>  uid=ldapreplicator,cn=HRNET.DE,cn=GSSAPI,cn=auth
>and then (via saslRegexp) translated to
>  uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de

Yes.

>So ldapreplicator must be an entry in the directory ?

No.  The resulting DN (whether it's that produced automatically
or that produced through saslRegexp mapping) need not exist
in the directory.

>Which objectclass does he have ?

Doesn't matter.

>Or is there no need for a directory entry ?

From GSSAPI authentication and access control perspective,
there is no need for users to have directory entries.  However,
entries for users are useful for other things...

For other mechanisms, it depends.

>What about the password ?

Since you're using GSSAPI, whatever credential you provide
to get your Kerberos ticket is between you and your
KDC.  And OpenLDAP, itself, never sees the tickets.
That's left to Cyrus SASL.

>PS.: My questions may seem to be foolish,
>     but I have a serious problem in understanding how
>     authentication via GSSAPI really works.
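The two-step mapping confirmed above (Kerberos principal to the automatically generated `cn=auth` DN, then saslRegexp rewriting to a DN under the real naming context) can be modelled outside slapd to check a rule before deploying it. The following is an added example written for this thread, not code from OpenLDAP or from either poster. It assumes a single constructed saslRegexp rule for the HRNET.DE realm, assumes the pattern is matched case-insensitively against the whole generated DN (a simplification of slapd's matching), and escapes DN special characters per RFC 4514 when building the generated DN, so a principal containing a comma stays inside one `uid` value instead of splitting into extra RDNs.

```python
import re

# Constructed saslRegexp rule in slapd.conf style (hypothetical for this example).
# Each entry is (pattern, replacement); the first pattern that matches wins.
# '[^,]*' rather than '.*' keeps the capture to a single RDN value.
SASL_REGEXP_RULES = [
    (r"uid=([^,]*),cn=hrnet\.de,cn=gssapi,cn=auth",
     r"uid=$1,ou=ldap,o=myorganization,dc=hrnet,dc=de"),
]


def _escape_rdn_value(value: str) -> str:
    """Escape RFC 4514 special characters so the value cannot terminate
    or start another RDN (assumed model of slapd's DN construction)."""
    return re.sub(r'([,+"\\<>;=])', r'\\\1', value)


def sasl_authz_dn(authcid: str, realm: str, mech: str) -> str:
    """Build the automatically generated SASL DN
    uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth as it exists before any
    saslRegexp rewriting.  The realm component is omitted when empty."""
    parts = [f"uid={_escape_rdn_value(authcid)}"]
    if realm:
        parts.append(f"cn={_escape_rdn_value(realm)}")
    parts += [f"cn={_escape_rdn_value(mech)}", "cn=auth"]
    return ",".join(parts)


def apply_sasl_regexp(authz_dn: str, rules=SASL_REGEXP_RULES) -> str:
    """Apply saslRegexp rules in order.  The first rule whose pattern matches
    the whole generated DN wins; $1..$9 in its replacement are the capture
    groups.  If nothing matches the generated DN is kept unchanged, and, as
    the reply above says, neither DN has to name an existing entry: the
    result is an authorization identity, used by ACLs, not an entry lookup."""
    for pattern, replacement in rules:
        match = re.fullmatch(pattern, authz_dn, re.IGNORECASE)
        if match:
            return re.sub(r"\$(\d)",
                          lambda g: match.group(int(g.group(1))),
                          replacement)
    return authz_dn


def bind_dn_for_principal(principal: str, mech: str = "GSSAPI") -> str:
    """Kerberos principal 'user@REALM' -> final DN slapd would use."""
    authcid, _, realm = principal.partition("@")
    return apply_sasl_regexp(sasl_authz_dn(authcid, realm, mech))


if __name__ == "__main__":
    for p in ("ldapreplicator@HRNET.DE", "someone@OTHER.REALM", "a,b@HRNET.DE"):
        print(f"{p:28} -> {bind_dn_for_principal(p)}")
```

Running the script shows the replicator principal landing on `uid=ldapreplicator,ou=ldap,o=myorganization,dc=hrnet,dc=de`, a principal from another realm keeping its generated `cn=auth` DN because no rule matched, and a principal with a comma in it failing the rule and keeping its escaped generated DN rather than acquiring an extra RDN. The `saslRegexp` directive was later renamed `authz-regexp` in OpenLDAP; the mapping logic is the same.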