
Re: Mapping userPassword to Kerberos 5



* Turbo Fredriksson (turbo@bayour.com) wrote:
> Quoting Stephen Frost <sfrost@snowman.net>:
> > > This is to enable simple binds (i.e. '-x -D .. -W') and is not necessary
> > > for GSSAPI binds. To get this part working, I think one has to compile
> > > with '--enable-kpasswd'...
> > 
> > It might be enough to compile with --enable-spasswd (SASL) and to then
> > use {SASL} in the userPassword.  I'd like to know if this actually works
> > or not...
> 
> Any idea how to use it? Is this to 'map' users to the /etc/sasldb file?

I'm not sure if it's for sasldb or if it'll work for any SASL mechanism.
If it will work for any SASL mechanism then it should be able to work
for Kerberos via the GSSAPI.  I'd expect it'd be basically the same as
the 'SASL username:' currently used.  I'm not sure how to specify which
SASL mechanism for it to use though.

> > Try using {SASL} instead since we no longer compile the Debian packages
> > with --enable-kpasswd...  If it doesn't work I'd like to know.
> 
> If I'm not mistaken, it only 'hurts' KTH Heimdal... But on the other hand,
> you're not compiling the MIT Kerberos package any more either...

I'm not sure what you mean here..  MIT Kerberos packages are most
certainly in Debian.

> It would be nice if someone could dig up the rumored patch to Cyrus SASL that
> fixes the problem for MIT Kerberos (some mutex thingie) and have that included
> in the Debian GNU/Linux package(s).

This has been done and a bug has been filed against the Cyrus SASL
packages in Debian to have that patch applied.  Hopefully there will
soon be new packages with the patch applied to deal with MIT Kerberos
not being threadsafe available in Debian/unstable.

	Stephen
