
Re: Kerberos and simple binds using same password database?



>>>>> "Aleksandar" == Aleksandar Milivojevic <amilivojevic@pbl.ca> writes:

    Aleksandar> Now, the question.  Is it possible to configure slapd
    Aleksandar> not to use userPassword attribute in this case, but
    Aleksandar> rather attempt to check user's password against
    Aleksandar> Kerberos?  Something "saslauthd -a kerberos5" is
    Aleksandar> doing. Or (more general) to use saslauthd to perform
    Aleksandar> password checking (which can check it against Kerberos
    Aleksandar> database).

Eh, ?

userPassword: {SASL}turbo@REALM.TLD

That makes "whatever program" to check against Kerberos, via
LDAP->SASL->Kerberos.

    Aleksandar> I guess for this to work, an opposite of sasl-regexp
    Aleksandar> option would need to exist (to map LDAP entity to
    Aleksandar> Kerberos user@realm type of entity), but I couldn't
    Aleksandar> find anything like that.  Which makes me to believe it
    Aleksandar> might not be possible to do.

# Regexp for SASL authentication:
sasl-regexp
        uid=(.*),cn=domain.tld,cn=gssapi,cn=auth
        ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM.TLD)

Extremely simple (I have more for other needs), but it works for me...


    Aleksandar> Kerberos realms (plural) that users are in are part of
    Aleksandar> several Active Directory domains, so technically,
    Aleksandar> passwords are already stored in AD's LDAP database and
    Aleksandar> they need to stay there.

Oh, plural... That changes things. I don't know if there is a 'toupper()'
thingie for REGEXP, but if you can find one (I really suck at REGEXP :)
you could use 'cn=(.*)' instead of 'cn=domain.tld' and then use
something like '$1@toupper($2)' in your REGEXP (NOTE: This obviously doesn't
work - it's just an illustration!!!).


Quickly thinking this through while I checked the mail for obvious errors
'revealed' my own thought - "I have more for other needs"!

Just stack them, one for each realm... Not very easy if you add/remove
realms all the time, but...


Have a look at http://www.bayour.com/LDAPv3-HOWTO.html, there should be
SOMETHING for you...
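As an added illustration of the "stack them, one for each realm" approach (this is example code, not from the original post or from OpenLDAP itself), the checker below takes a constructed slapd.conf fragment with one sasl-regexp line per realm and applies the mapping the way the post describes: rules are tried in order, the first pattern that matches the SASL/GSSAPI authorization DN wins, and $1 in the replacement is filled from the capture group. Because each rule spells out its own realm in both the pattern and the replacement, no toupper() is needed. The realm names, base DN, and the whole-DN anchoring of the match are assumptions made for the example; check slapd's own documentation for its exact regex semantics before relying on this for a production mapping.

```python
"""Offline checker for stacked slapd sasl-regexp (authz-regexp) rules.

Added example, not part of the original post. It mimics the mapping
slapd performs from a SASL authorization DN to an LDAP URL: rules are
tried in order, first match wins, and $N in the replacement is filled
from capture group N. Anchoring to the whole DN is an assumption here.
"""
import re

# Constructed slapd.conf fragment (assumed realms and base DN): one
# sasl-regexp per Kerberos realm, stacked so the first matching line wins.
# The indented continuation-line layout matches the one used in the post.
SLAPD_CONF = r"""
# Regexp for SASL authentication, one rule per realm:
sasl-regexp
        uid=(.*),cn=example.com,cn=gssapi,cn=auth
        ldap:///dc=example,dc=com??sub?(krb5PrincipalName=$1@EXAMPLE.COM)
sasl-regexp
        uid=(.*),cn=corp.example.net,cn=gssapi,cn=auth
        ldap:///dc=example,dc=com??sub?(krb5PrincipalName=$1@CORP.EXAMPLE.NET)
"""


def parse_rules(conf):
    """Return a list of (pattern, replacement) pairs in file order.

    Comments are dropped and arguments are gathered across continuation
    lines, so a directive with its two arguments on separate indented
    lines is read as one rule.
    """
    tokens = []
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens.extend(line.split())

    rules = []
    i = 0
    while i < len(tokens):
        if tokens[i] in ("sasl-regexp", "authz-regexp"):
            rules.append((tokens[i + 1], tokens[i + 2]))
            i += 3
        else:
            i += 1
    return rules


def map_authz_dn(rules, authz_dn):
    """Apply the stacked rules to one authorization DN.

    Returns the LDAP URL from the first rule whose pattern matches the
    whole DN, with $1..$9 substituted from that rule's capture groups,
    or None when no realm rule matches (an unknown realm falls through).
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authz_dn)  # assumed whole-DN anchoring
        if m is None:
            continue
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    rules = parse_rules(SLAPD_CONF)
    for dn in (
        "uid=turbo,cn=example.com,cn=gssapi,cn=auth",
        "uid=alice,cn=corp.example.net,cn=gssapi,cn=auth",
        "uid=bob,cn=other.example.org,cn=gssapi,cn=auth",  # no rule
    ):
        print(dn, "->", map_authz_dn(rules, dn))
```

Run it as-is to see the three sample DNs mapped; the third (a realm with no rule) yields None, which is the case the post warns about when realms are added or removed often: every new realm needs its own sasl-regexp line, or its users will not be mapped to any entry.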