Re: Newbie gets reamed by openldap, kerberos, and sasl... please help.
Hi,
Hua Ying Ling <hyling-f1@nc.rr.com> writes:
> So it seemed like a simple task... use openldap without anonymous bind
> and verify the username and password sent in the clear to slapd using
> kerberos5. (Before you jump on us, we are adding SSL after we get it
> working.) We have RTFM, the Mini-How-To, etc., and spent 3 weeks on this
> problem with no luck. We have attempted this on Solaris 8 and MacOS
> X 10.2 with the same result.
[...]
> So two things we can do:
> a) when we allow anonymous bind
> /usr/local/bin/ldapsearch -x -b 'dc=ncsu,dc=edu' '(objectclass=*)' works
>
> b) If we disallow bind_anon and
> /usr/local/bin/ldapsearch -I -b 'dc=ncsu,dc=edu' '(objectclass=*)'
> we get prompted for our kerberos userid (GSSAPI from sasl libs) and
> password and get ldap service tickets and are able to get the same
> results as with anonymous bind allowed, i.e. it works.
>
> Great, but we have to allow a client (the ldap V3 plug-in in MacOS X
> Directory Services) which cannot use the GSSAPI or any SASL bind
> mechanism. In other words we need to do a simple bind with a password
> checked against Kerberos V. Various documentation leads us to
> believe we need saslauthd for this, but we can never seem to make
> openldap use saslauthd.
You could use X.509 certificates and TLS, while access rules could be
based on the TLS security strength factor (tls_ssf).
-Dieter
--
Dieter Kluenter | Systemberatung
Tel:040.64861967 | Fax: 040.64891521
mailto: dkluenter(at)dkluenter.de
http://www.avci.de
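What Dieter's suggestion looks like in practice, as an added slapd.conf fragment that is not part of the thread: simple binds are refused unless the session is protected by TLS of at least 128 bits, and the ACL for dc=ncsu,dc=edu grants access only to sessions whose tls_ssf meets that bar. Certificate paths, the 128-bit threshold and the use of TLSVerifyClient demand are assumptions for this example; OpenLDAP 2.x slapd.conf syntax is used.

```conf
# Added example (not from the thread). Certificate paths are placeholders.
TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/slapd-cert.pem
TLSCertificateKeyFile   /etc/openldap/slapd-key.pem
# Require a client certificate and verify it against the CA (assumption:
# every client, including the MacOS X plug-in, is issued one).
TLSVerifyClient         demand

# Refuse any simple bind that is not protected by TLS of at least 128 bits,
# so the cleartext password described in the thread never crosses the wire
# unprotected. Binds on a weaker or plaintext session fail with
# "confidentiality required" before the password is examined.
security                simple_bind=128

# Access rules keyed on the TLS security strength factor: authenticated users
# get read access only over a session with tls_ssf >= 128; "anonymous auth"
# is still needed so the bind itself can compare the password.
access to dn.subtree="dc=ncsu,dc=edu"
        by users tls_ssf=128 read
        by anonymous auth
        by * none
```

Checking the effect: ldapsearch -x over plain ldap:// is refused at bind time, while the same bind with -ZZ (StartTLS, verified) succeeds and sees the entries.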