
Re: Kerberos and simple binds using same password database?

Turbo Fredriksson wrote:
"Aleksandar" == Aleksandar Milivojevic <amilivojevic@pbl.ca> writes:

    Aleksandar> Now, the question.  Is it possible to configure slapd
    Aleksandar> not to use userPassword attribute in this case, but
    Aleksandar> rather attempt to check user's password against
    Aleksandar> Kerberos?  Something "saslauthd -a kerberos5" is
    Aleksandar> doing. Or (more general) to use saslauthd to perform
    Aleksandar> password checking (which can check it against Kerberos
    Aleksandar> database).

Eh, ?

userPassword: {SASL}turbo@REALM.TLD

That makes "whatever program" to check against Kerberos, via

Hmmm... I was very happy when I read this, because this was exactly what I needed. However, when I attempted to set userPassword attribute as you suggested to {SASL}username@REALM and then to bind with ldapsearch -x -D 'uid=...,ou=...,dc=foobar,dc=com' -W and so on, I got "ldap_bind: Invalid credentials (49)" error. Running tcpdump showed no traffic between slapd and Kerberos KDC. Meaning slapd hasn't attempted to verify password on Kerberos server.

    Aleksandar> I guess for this to work, an opposite of sasl-regexp
    Aleksandar> option would need to exist (to map LDAP entity to
    Aleksandar> Kerberos user@realm type of entity), but I couldn't
    Aleksandar> find anything like that.  Which makes me to believe it
    Aleksandar> might not be possible to do.

# Regexp for SASL authentication:

Extremely simple (I have more for other needs), but works for me...

I've attempted to use that, changing domain.tld and REALM.TLD to match what I have. I understand what basic form of sasl-regexp does, but not really what the above sasl-regexp will do (haven't found any usable docs, yet, still looking). Haven't really made any difference with or without it in my slapd.conf. Same authentication errors...

Should I use that sasl-regex in combination with that userPassword thingie you wrote about in your previous mail, or?

    Aleksandar> Kerberos realms (plural) that users are in are part of
    Aleksandar> several Active Directory domains, so technically,
    Aleksandar> passwords are already stored in AD's LDAP database and
    Aleksandar> they need to stay there.

Oh, plural... That changes things. I don't know if there is a 'toupper()'
thingie for REGEXP, but if you can find one (I really suck at REGEXP :) you could use 'cn=(.*)' instead of 'cn=domain.tld' and then use
something like '$1@toupper($2)' in your REGEXP (NOTE: This don't obviously
work - it's just an illustration!!!).

A quick thinking through this while I checked the mail for obvious errors
'revealed' my own thought - "I have more for other needs"!

Just stack them, one for each realm... Not very easy if you add/remove
realms all the time, but...

You are saying here that I can have multiple sasl-regexp lines, and first that match will be applied, or? If yes, then this could work for me, as realms I have are not likely to change in the near future.

Have a look at http://www.bayour.com/LDAPv3-HOWTO.html, there should be
SOMETHING for you...

Actually, I had a look there. Google already found it for me ;-)

Off topic, formatting on the page is not right when viewing it with Mozilla Firefox (on Fedora Core 3). Not sure if it is something you have in the HTML/CSS, or bug in Firefox rendering, but some small parts of text are not readable at all (overlapping text), and some formatting looks a bit odd (but perfectly readable, and folks with poor sight might even appreciate it ;-) ), as if font style that was supposed to be applied to "I've decided to sell the book as is" box, was applied to the rest of the document.

Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
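
Added example (not from either poster, and a Python model rather than slapd itself): the "one rule per realm" stacking discussed in the message above, modelled with rules tried in configuration order and the first match used. The second realm, the krb5PrincipalName search filter and the sample authentication DNs are constructed assumptions; it also shows why a generic rule cannot replace the stack and must not be listed first.

```python
import re

# Constructed sasl-regexp stack in slapd.conf order, one rule per realm.
# Match side: authentication DN of a GSSAPI bind,
#   uid=<user>,cn=<realm>,cn=gssapi,cn=auth  (realm in lower case, as in
#   the 'cn=domain.tld' of the thread). Replace side: an LDAP search URL.
# The second realm and the krb5PrincipalName filter are assumptions.
BASE = "ldap:///dc=foobar,dc=com??sub?(krb5PrincipalName=%s)"
RULES = [
    (r"^uid=([^,]+),cn=domain\.tld,cn=gssapi,cn=auth$", BASE % "$1@REALM.TLD"),
    (r"^uid=([^,]+),cn=other\.tld,cn=gssapi,cn=auth$", BASE % "$1@OTHER.TLD"),
]
# A single generic rule cannot upper-case the realm, and if listed first
# it wins over every per-realm rule below it.
CATCH_ALL = (r"^uid=([^,]+),cn=([^,]+),cn=gssapi,cn=auth$", BASE % "$1@$2")

SAMPLES = [  # constructed authentication DNs
    "uid=turbo,cn=domain.tld,cn=gssapi,cn=auth",
    "uid=amilivojevic,cn=other.tld,cn=gssapi,cn=auth",
]


def map_authc_dn(authc_dn, rules=RULES):
    """Return (rule_index, rewritten) for the first matching rule, else None."""
    for index, (pattern, replace) in enumerate(rules):
        m = re.search(pattern, authc_dn)
        if m:
            # Expand $1..$9 on the replace side from the captured groups.
            expand = lambda ref: m.group(int(ref.group(1)))
            return index, re.sub(r"\$(\d)", expand, replace)
    return None  # unknown realm: the identity stays unmapped


def shadowed(rules, samples):
    """Indices of rules that never win for any of the sample DNs."""
    hits = [map_authc_dn(dn, rules) for dn in samples]
    winners = {hit[0] for hit in hits if hit}
    return [i for i in range(len(rules)) if i not in winners]


if __name__ == "__main__":
    for dn in SAMPLES + ["uid=x,cn=unknown.tld,cn=gssapi,cn=auth"]:
        print(dn, "->", map_authc_dn(dn))
    print("shadowed by a leading catch-all:", shadowed([CATCH_ALL] + RULES, SAMPLES))
```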