
Re: LDAPv3 a nightmare

--On Wednesday, February 25, 2004 3:25 PM -0600 Eric G Ortego <eric@tonychachere.com> wrote:

> I think I would like to use openldap, but
> After a couple of weeks of reading up on it and trying to get a directory
> "working" I have come to the conclusion that cyrus-sasl sucks.
> Even worse seems [its|my] attempt to use kerberosv5 and function.
> Maybe I am the fool and simply cannot get these three to play together
> nicely but, holy shit how convoluted is this whole LDAPv3?!

Not very, it works quite easily for me...

> Do I need a ldap directory working to get sasl binds tested or working?

SASL binds to the directory, yes... how else would you test binds to the directory? A working SASL configuration, no -- cyrus-sasl comes with a test server & client you can use.

> Do I also need a user in LDAP and sasldb?

Yes, no.

> Do I need plain passwords in the ldap directory (do I even have users in

Not if you are using kerberos correctly.

> Do I need a kerberos kdc working to test if sasl [can|might] work with
> ldap kerberos binds?

Yes, you must have a kerberos KDC. How else can you get a kerberos ticket?

> How the hell am I supposed to get a client, say mozilla, to bind to ldap
> with [kerberos tickets | sasldb username | a username] anyway?

You can't, none of them understand the concept of security.

> And why does sasl use pam?

It doesn't.

> I don't see how it all ties together.
>
> kerberos has a db, ldap has a db, sasl has a db, and they all seem to
> interoperate in some twisted formula called LDAPv3.

No, you are completely and utterly lost.

Kerberos has a database (KDC). LDAP has a database. SASL can have a database if it is needed, but at least in our case, it isn't needed at all (nor is it needed in the scenario you are listing).

> I thought the idea of a directory was to consolidate information in a
> central location not smear user:pw databases all over!

It depends on the data you want to consolidate. Some Kerberos implementations (like Heimdal) can have a KDC in the LDAP directory.

> Seems to me that sasl is pretty useful if you like beating your face in
> with a maul laced in glass shards. Querying an openldap directory sounds
> almost as safe.
> And if kerberosV5 is so freakin badass then why the hell don't many
> applications make use of it?
> Does everything still use bind v2 or am I just on the ldap bind v2 side
> of the internet?

I think you are seriously lost and confused, and need to spend some time learning what Kerberos is, and how it works. Then you need to learn what Directory services are, and how they work. And then maybe you'll understand the problems you are hitting.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
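As an added illustration (not part of the thread above, and not OpenLDAP's, Stanford's or cyrus-sasl's own configuration), here is how the three pieces the reply describes fit together on the OpenLDAP side: the KDC holds the keys, the directory holds entries that carry no userPassword, SASL needs no sasldb at all, and slapd links a Kerberos principal to an entry with authz-regexp. The realm EXAMPLE.COM, the suffix dc=example,dc=com, the host ldap.example.com, the keytab path and the user jdoe are assumed values for the example.

```conf
# ---- server side: slapd.conf (assumed realm EXAMPLE.COM, suffix dc=example,dc=com) ----
#
# slapd needs a keytab holding ldap/ldap.example.com@EXAMPLE.COM that is
# readable by the user slapd runs as; point slapd's environment at it
# (KRB5_KTNAME=/etc/ldap/ldap.keytab, an assumed path) instead of letting
# it read the host keytab.

# Realm assumed when a SASL authentication identity carries none.
sasl-realm      EXAMPLE.COM

# Refuse anonymous and plaintext SASL mechanisms and require a security
# strength factor of at least 56, so GSSAPI's integrity/confidentiality
# layer must be negotiated before any data crosses the wire in clear.
sasl-secprops   noanonymous,noplain,minssf=56

# GSSAPI hands slapd an authentication identity of the form
#   uid=jdoe,cn=example.com,cn=gssapi,cn=auth
# (slapd normalizes the realm to lower case in this DN, so the pattern
# below is lower case even though the realm is EXAMPLE.COM).  The regexp
# maps it to the entry whose uid matches.  This is the only link between
# the KDC's principal and the LDAP entry: the entry needs no userPassword,
# because slapd never sees a password, only a ticket the KDC validated.
authz-regexp
  uid=([^,]*),cn=example\.com,cn=gssapi,cn=auth
  ldap:///dc=example,dc=com??sub?(uid=$1)

# Entry (LDIF) that the mapping resolves to; note the absence of userPassword.
#   dn: uid=jdoe,ou=People,dc=example,dc=com
#   objectClass: inetOrgPerson
#   uid: jdoe
#   cn: Jane Doe
#   sn: Doe

# ---- client side: /etc/ldap/ldap.conf or ~/.ldaprc ----
# BASE      dc=example,dc=com
# URI       ldap://ldap.example.com
# SASL_MECH GSSAPI

# ---- testing, in this order, on the client ----
#   kinit jdoe                        # obtain a TGT from the KDC
#   klist                             # confirm krbtgt/EXAMPLE.COM@EXAMPLE.COM is there
#   ldapwhoami -Y GSSAPI              # expect the mapped DN:
#                                     #   dn:uid=jdoe,ou=People,dc=example,dc=com
#   ldapsearch -Y GSSAPI '(uid=jdoe)' # a real search over the SASL-bound session
#
# If ldapwhoami prints dn:uid=jdoe,cn=example.com,cn=gssapi,cn=auth the bind
# worked but the authz-regexp did not match (check case and escaping).  If
# GSSAPI fails before that point, the fault is the keytab or the ticket, not
# the directory.
```

The order of the test commands is the point of the reply above: a ticket from the KDC must exist before a SASL/GSSAPI bind can even be attempted, and the directory entry is only consulted after the bind succeeds, to turn the principal into a DN. To test the SASL layer without any directory, cyrus-sasl's sample-client and sample-server (built from its sample/ directory, packaged by some distributions as sasl2-sample-client and sasl2-sample-server) negotiate the mechanism end to end on a local socket.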