
Re: Mapping userPassword to Kerberos 5



* Turbo Fredriksson (turbo@bayour.com) wrote:
> Quoting Benjamin Krein <superbenk@superk.org>:
> 
> > I've been working through the docs at www.bayour.com and have run into a
> > snag due to the fact they are so dated and still work with Kerberos 4 as
> > well as 5 (I'm working with 5 only).  In his doc, he states that you can
> > make the users in LDAP force authentication with the KDC by using the
> > following for the attribute userPassword:
> > 
> > 	userPassword: {KERBEROS}principal@REALM
> 
> This is to enable simple binds (i.e. '-x -D .. -W') and is not necessary
> for GSSAPI binds. To get this part working, I think one has to compile
> with '--enable-kpasswd'...

It might be enough to compile with --enable-spasswd (SASL) and to then
use {SASL} in the userPassword.  I'd like to know if this actually works
or not...

> The only reason why I still use 'userPassword: {KERBEROS}principal@REALM'
> in every (user) object is because I _need_ to be able to do simple binds,
> and I don't want separate passwords for the two methods (maybe I should,
> a, well... :)
[...]
> With OpenLDAP 2.1.22, you MUST (!?) use the sasl-regexp option...

It's not the same thing as you pointed out above.  One is for simple
binds using a password given to slapd in plaintext and the other is
using SASL to do the bind.

> > I'm using Debian 3 sid with OpenLDAP 2.1.22, Kerberos 5, libsas2-gssapi
> > package 2.1.12, SASL 2.1.15.
> 
> I've just started with OpenLDAP 2.1.22, Cyrus SASL 2.1.12, so I'm not 100%
> certain how to get it working properly.

Try using {SASL} instead since we no longer compile the Debian packages
with --enable-kpasswd...  If it doesn't work I'd like to know.

	Thanks,
	
		Stephen
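
The two bind paths distinguished above, side by side, as an added
configuration example that is not from the thread or from OpenLDAP's own
documentation. The realm EXAMPLE.COM, the suffix dc=example,dc=com, the
user 'alice' and the saslauthd paths are assumptions made for illustration:

```conf
# --- slapd.conf excerpt (OpenLDAP 2.1.x; suffix dc=example,dc=com is assumed) ---
#
# 1. SASL/GSSAPI binds ('ldapsearch -Y GSSAPI').
#    The Kerberos principal reaches slapd as the SASL authorization DN
#    uid=<user>,cn=<REALM>,cn=gssapi,cn=auth; sasl-regexp rewrites that to the
#    real entry.  userPassword is never consulted on this path.
sasl-regexp     uid=(.*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
                ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

# 2. Simple binds ('ldapsearch -x -D uid=alice,ou=people,dc=example,dc=com -W').
#    slapd receives the password in plaintext and checks it against the
#    entry's userPassword.  With a build that has --enable-spasswd, a {SASL}
#    value hands that check to the Cyrus SASL library instead of slapd's own
#    hash comparison (the entry below is a constructed example):
#
#      dn: uid=alice,ou=people,dc=example,dc=com
#      userPassword: {SASL}alice@EXAMPLE.COM
#
#    Cyrus SASL must then be told how to verify the password.  With saslauthd,
#    that is the SASL application config for slapd (path assumed; typically
#    /usr/lib/sasl2/slapd.conf):
#
#      pwcheck_method: saslauthd
#
#    and saslauthd itself is started against the KDC: 'saslauthd -a kerberos5'.
```

Note that the {SASL} value only decides how slapd verifies a password it
already holds; a simple bind still sends that password to slapd in the clear,
so restrict simple binds to ldaps:// or StartTLS-protected connections.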
