[Date Prev][Date Next]
Kerberos and simple binds using same password database?
- To: OpenLDAP Software <openldap-software@OpenLDAP.org>
- Subject: Kerberos and simple binds using same password database?
- From: Aleksandar Milivojevic <email@example.com>
- Date: Tue, 28 Dec 2004 10:29:16 -0600
- User-agent: Mozilla Thunderbird 0.8 (X11/20041020)
I've managed to configure slapd to use Kerberos for authentication
(using SASL/GSSAPI). This works great if user holds a valid ticket, and
if (s)he is using Kerberos aware client such as ldapsearch.
However, if user isn't using Kerberos aware client, (s)he will be
authenticated using the password stored in userPassword attribute (using
passwords instead of Kerberos tickets is OK in my case, as long as
connection is over TLS).
Now, the question. Is it possible to configure slapd not to use
userPassword attribute in this case, but rather attempt to check user's
password against Kerberos? Something "saslauthd -a kerberos5" is doing.
Or (more general) to use saslauthd to perform password checking (which
can check it against Kerberos database).
I guess for this to work, an opposite of sasl-regexp option would need
to exist (to map LDAP entity to Kerberos user@realm type of entity), but
I couldn't find anything like that. Which makes me to believe it might
not be possible to do.
By searching around I found some questions/answers about using LDAP as
store for Kerberos. While implementing something like that (if
possible) might solve a problem of having slapd and Kerberos use same
passwords, in this case I can't take that route. Kerberos realms
(plural) that users are in are part of several Active Directory domains,
so technically, passwords are already stored in AD's LDAP database and
they need to stay there.
Aleksandar Milivojevic <firstname.lastname@example.org> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7