[Date Prev][Date Next] [Chronological] [Thread] [Top]

Kerberos and DIGEST-MD5

Hi there,

I've been searching the web and the mailing list for a solution to this but haven't been able to find an answer. Sorry if this has been answered before...

I have managed to install an authentication server using mit-krb5 1.3.3, cyrus-sasl 2.1.18 and openldap 2.1.26. Right now I'm able to authenticate any user on my network using pam/nss accessing Kerberos and OpenLDAP, so in order for an user to login she must have a corresponding Kerberos principal and a LDAP entry with objectClass=posixAccount (among others). I'm also able to authenticate to LDAP using GSSAPI/Kerberos, and simple BIND using {SASL}user@REALM in the userPassword attribute (as it seems that the {KERBEROS} way is deprecated) checking the password against saslauthd/Kerberos database.

So what's the problem? It seems that to build a LDAPv3 compliant server I must provide DIGEST-MD5 authentication to the LDAP server, and this is what I don't know how to achieve in a clean manner. In order to have DIGEST-MD5 working I must have a clear text password stored somewhere (correct me if I'm wrong), but it seems that Kerberos doesn't have it, or I don't know how to use it in the DIGEST-MD5 authentication process. It seems that Cyrus SASL *does need* this password stored in its sasldb2 database to be able to successfully offer DIGEST-MD5, but this would mean that I'd have duplicated information and I'd have to sync both databases (Kerberos and SASL) whenever a password change occurs. So, am I missing anything here? Is there any clean solution for this?

   Thanks in advance, best regards