
Re: Mapping userPassword to Kerberos 5



* Howard Chu (hyc@highlandsun.com) wrote:
> > It might be enough to compile with --enable-spasswd (SASL) and to then
> > use {SASL} in the userPassword.  I'd like to know if this
> > actually works or not...
> 
> Why is this any better?

Mainly because it'd go through SASL and gssapi and we wouldn't have to
enable kpasswd and add the associated libs (if there are any?  I think
there are some you need...) in the compile for the Debian OpenLDAP
packages.  I realize the security implications and, as you mentioned,
pointed them out previously.

> > > With OpenLDAP 2.1.22, you MUST (!?) use the sasl-regexp option...
> 
> The sasl-regexp option ALLOWS you to map the SASL authentication DN into some
> other DN. You are not required to use it, but it's more convenient than just
> being forced to use the SASL DNs as in OpenLDAP 2.0.

I agree, it is very useful when binding to LDAP.

> > Try using {SASL} instead since we no longer compile the
> > Debian packages
> > with --enable-kpasswd...  If it doesn't work I'd like to know.
> 
> What exactly are you hoping to accomplish by using SASL to validate a
> simple-bind password? How does this have anything to do with using Kerberos
> to validate a simple-bind?

SASL will use Kerberos via GSSAPI, or other mechanisms, from my
understanding.  If this is wrong I'd like to know because it may mean we
have to turn --enable-kpasswd back on.

	Thanks,
		Stephen

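As an added example (not part of this thread and not the OpenLDAP project's own configuration), here are the two settings discussed above written out for slapd: a sasl-regexp that maps the SASL authorization DN of a GSSAPI bind onto a directory entry, and a userPassword of the {SASL} form that hands a simple-bind password to the SASL library for verification. The suffix dc=example,dc=com, the realm EXAMPLE.COM, the user name stephen and the SASL config path are assumptions for illustration.

```conf
# slapd.conf (OpenLDAP 2.1), assumed site: suffix dc=example,dc=com,
# Kerberos realm EXAMPLE.COM, user "stephen".  Adjust to taste.

# A GSSAPI bind arrives at slapd as a SASL authorization DN of the form
#   uid=<user>,cn=<realm>,cn=gssapi,cn=auth
# (check the exact realm component slapd produces in its log before
# tightening the pattern).  Map it onto the user's real entry.  The second
# argument may be a DN template or an LDAP URL; the URL form is used here
# so the entry is looked up rather than assumed to exist.  Lines starting
# with whitespace are continuation lines in slapd.conf.
sasl-regexp
    "uid=([^,]*),cn=[^,]*,cn=gssapi,cn=auth"
    "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"

# Entry excerpt (LDIF).  With slapd built --enable-spasswd, a simple bind
# against this entry does not compare a stored hash: slapd passes the
# supplied plaintext password to libsasl for user "stephen" in realm
# EXAMPLE.COM and accepts or rejects the bind on libsasl's answer.
dn: uid=stephen,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: stephen
cn: Stephen
sn: Stephen
userPassword: {SASL}stephen@EXAMPLE.COM

# /usr/lib/sasl2/slapd.conf (the traditional Cyrus SASL config location for
# an application named "slapd"; the path is an assumption for this site).
# This tells libsasl how to verify a plaintext password on slapd's behalf.
pwcheck_method: saslauthd

# saslauthd must then run with its Kerberos 5 backend, e.g.
#   saslauthd -a kerberos5
# so that the password is checked against the KDC.
```

Two practical points follow from the {SASL} path. It is libsasl's plaintext verifier (here saslauthd with its kerberos5 backend) that talks to the KDC, not GSSAPI: GSSAPI needs the client's own Kerberos ticket, which a simple bind never presents. And because the check starts from the client's plaintext password, the bind should only be accepted over TLS (for example by requiring a minimum security strength factor in slapd.conf), otherwise the Kerberos password crosses the wire in the clear.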