[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Mapping userPassword to Kerberos 5



Quoting Benjamin Krein <superbenk@superk.org>:

> I've been working through the docs at www.bayour.com and have run into a
> snag due to the fact they are so dated and still work with Kerberos 4 as
> well as 5 (I'm working with 5 only).  In his doc, he states that you can
> make the users in LDAP force authentication with the KDC by using the
> following for the attribute userPassword:
> 
> 	userPassword: {KERBEROS}principal@REALM

This is to enable simple binds (ie '-x -D .. -W') and is not necessary
for GSSAPI binds. To get this part working, I think one have to compile
with '--enable-kpasswd'...

Instead you should use the sasl-regexp to map your kerberos principal to
your LDAP DN.

I use this regexp (using base dn 'c=SE'):

# URI format: ldap://<host>/<base>[?[<attrs>][?[<scope>][?[<filter>]]]]
# The host part does NOT work (intentionaly, according to Kurt).
sasl-regexp             uid=(.*),cn=(.*),cn=gssapi,cn=auth
                        ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM)

and making sure I use 'krb5PrincipalName=turbo@REALM' in my object...


The only reason why I still use 'userPassword: {KERBEROS}principal@REALM'
in every (user) object is because I _need_ to be able to do simple binds,
and I don't want separate passwords for the two methods (maybe I should,
a, well... :)

> However, from the little bit I know and have been reading, this seems to
> be a feature of OpenLDAP compiled with Kerberos 4 (please correct me if
> I'm wrong).

Have nothing to do with Kerberos 4.

> Is there another way to do this?  I ask because even though
> I've defined userPassword as above and all other tests outlined within
> the www.bayour.com docs work with my configuration (binding tests), it
> still doesn't work.

With OpenLDAP 2.1.22, you MUST (!?) use the sasl-regexp option...

> I'm using Debian 3 sid with OpenLDAP 2.1.22, Kerberos 5, libsas2-gssapi
> package 2.1.12, SASL 2.1.15.

I've just started with OpenLDAP 2.1.22, Cyrus SASL 2.1.12, so I'm not 100%
certain how to get it working properly.
-- 
congress Nazi cryptographic killed KGB Qaddafi Panama Peking Kennedy
Rule Psix $400 million in gold bullion Marxist subway quiche attack
[See http://www.aclu.org/echelonwatch/index.html for more about this]