Re: Mapping userPassword to Kerberos 5

[Dieter Kluenter <dieter@dkluenter.de>]

Hi,

Benjamin Krein <superbenk@superk.org> writes:

> I've been working through the docs at www.bayour.com and have run into a
> snag due to the fact they are so dated and still work with Kerberos 4 as
> well as 5 (I'm working with 5 only).  In his doc, he states that you can
> make the users in LDAP force authentication with the KDC by using the
> following for the attribute userPassword:
>
> 	userPassword: {KERBEROS}principal@REALM
>
> However, from the little bit I know and have been reading, this seems to
> be a feature of OpenLDAP compiled with Kerberos 4 (please correct me if
> I'm wrong).  Is there another way to do this?  I ask because even though
> I've defined userPassword as above and all other tests outlined within
> the www.bayour.com docs work with my configuration (binding tests), it
> still doesn't work.
>
> I'm using Debian 3 sid with OpenLDAP 2.1.22, Kerberos 5, libsas2-gssapi
> package 2.1.12, SASL 2.1.15.

All you have to do, is edit slapd.conf with apropriate saslRegexp to
map uid to the sasl authentication string. For me following regular
expressions work

saslRegexp
     uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
     ldap:///o=avci,c=de??sub?uid=$1 
saslRegexp
    uid=(.*),cn=avci.de,cn=GSSAPI,cn=auth
    uid=$1,o=avci,c=de

Than you can call any ldapclient with the sasl mechanism GSSAPI, that
is

dieter@marin:/usr/local/bin> ./ldapwhoami -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: dieter@AVCI.DE
SASL SSF: 56
SASL installing layers
dn:cn=dieter kluenter,ou=partner,o=avci,c=de


-Dieter

-- 
Dieter Kluenter  | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de