[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Mapping userPassword to Kerberos 5

> -----Original Message-----
> From: Stephen Frost [mailto:sfrost@snowman.net]

> * Howard Chu (hyc@highlandsun.com) wrote:
> > > It might be enough to compile with --enable-spasswd
> (SASL) and to then
> > > use {SASL} in the userPassword.  I'd like to know if this
> > > actually works or not...
> >
> > Why is this any better?
> Mainly because it'd go through SASL and gssapi and we wouldn't have to
> enable kpasswd and add the associated libs (if there are any?  I think
> there are some you need...) in the compile for the Debian OpenLDAP
> packages.  I realize the security implications and, as you mentioned,
> pointed them out previously.

I guess this is possible using saslauthd. I never use it, since I have slapd
handling SASL's backend. For saslauthd it actually uses the Kerberos
libraries directly, not via GSSAPI. Loking at the code, I just noticed
there's a major problem with using {SASL}; while it will allow simple binds
to succeed, it will throw SASL binds into an infinite loop. (I suppose we
should add a check to prevent this loop, but you're still left with the
problem of finding a valid password to check.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support