[Date Prev][Date Next] [Chronological] [Thread] [Top]

Kerberos and simple binds using same password database?

I've managed to configure slapd to use Kerberos for authentication (using SASL/GSSAPI). This works great if user holds a valid ticket, and if (s)he is using Kerberos aware client such as ldapsearch.

However, if user isn't using Kerberos aware client, (s)he will be authenticated using the password stored in userPassword attribute (using passwords instead of Kerberos tickets is OK in my case, as long as connection is over TLS).

Now, the question. Is it possible to configure slapd not to use userPassword attribute in this case, but rather attempt to check user's password against Kerberos? Something "saslauthd -a kerberos5" is doing. Or (more general) to use saslauthd to perform password checking (which can check it against Kerberos database).

I guess for this to work, an opposite of sasl-regexp option would need to exist (to map LDAP entity to Kerberos user@realm type of entity), but I couldn't find anything like that. Which makes me to believe it might not be possible to do.

By searching around I found some questions/answers about using LDAP as store for Kerberos. While implementing something like that (if possible) might solve a problem of having slapd and Kerberos use same passwords, in this case I can't take that route. Kerberos realms (plural) that users are in are part of several Active Directory domains, so technically, passwords are already stored in AD's LDAP database and they need to stay there.

Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7