
RE: Mapping userPassword to Kerberos 5



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Stephen Frost

> * Turbo Fredriksson (turbo@bayour.com) wrote:
> > Quoting Stephen Frost <sfrost@snowman.net>:
> > > > This is to enable simple binds (ie '-x -D .. -W') and is not necessary
> > > > for GSSAPI binds. To get this part working, I think one has to compile
> > > > with '--enable-kpasswd'...
> > >
> > > It might be enough to compile with --enable-spasswd (SASL) and to then
> > > use {SASL} in the userPassword.  I'd like to know if this actually works
> > > or not...
> >
> > Any idea how to use it? Is this to 'map' users to the /etc/sasldb file?
>
> I'm not sure if it's for sasldb or if it'll work for any SASL mechanism.
> If it will work for any SASL mechanism then it should be able to work
> for Kerberos via the GSSAPI.  I'd expect it'd be basically the same as
> the 'SASL username:' currently used.  I'm not sure how to specify which
> SASL mechanism for it to use though.
>
You set the userPassword to {SASL}saslusername[@realm]. It uses whatever
mechanism is backending the SASL pwcheck_method. This can be auxprop,
saslauthd, or pwcheck, depending on how your SASL was compiled and
configured. Where to go from there is best answered by the SASL
documentation. If you want to use sasldb, then you should have auxprop
configured. If you want Kerberos or something else, look at the saslauthd
manpage.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
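The mapping described in the reply above, as an added example that is not part of the thread: it writes slapd's SASL application config so password checks go to saslauthd (which is started with a Kerberos backend), and produces the LDIF that sets userPassword to {SASL}user@realm. The config directory, the realm EXAMPLE.COM, the base DN dc=example,dc=com and the admin DN are assumptions; adjust them for your site.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumptions: SASL reads slapd's
# options from a file named slapd.conf in the directory passed to
# write_sasl_conf (typically /etc/sasl2 or /usr/lib/sasl2), saslauthd is
# running as "saslauthd -a kerberos5", and entries live under
# ou=people,dc=example,dc=com.

# Point slapd's SASL password check at saslauthd instead of auxprop/sasldb.
write_sasl_conf() {
  dir=$1
  cat > "$dir/slapd.conf" <<'EOF'
# pwcheck_method decides what backs a {SASL} userPassword check:
#   auxprop   -> sasldb (or another auxprop plugin)
#   saslauthd -> the saslauthd daemon, here started with -a kerberos5
pwcheck_method: saslauthd
EOF
}

# Emit the LDIF that replaces userPassword with the {SASL} reference.
# The uid is validated so a stray space or "@" cannot change the mapping.
make_ldif() {
  uid=$1
  realm=$2
  case "$uid" in
    ''|*[!A-Za-z0-9._-]*) echo "make_ldif: bad uid '$uid'" >&2; return 1 ;;
  esac
  printf 'dn: uid=%s,ou=people,dc=example,dc=com\n' "$uid"
  printf 'changetype: modify\nreplace: userPassword\n'
  printf 'userPassword: {SASL}%s@%s\n' "$uid" "$realm"
}

# Usage: apply_mapping turbo EXAMPLE.COM   (needs ldapmodify and an admin DN;
# a simple bind as uid=turbo afterwards is checked against Kerberos).
apply_mapping() {
  make_ldif "$1" "$2" | ldapmodify -x -D "cn=admin,dc=example,dc=com" -W
}
```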