
Re: Kerberos and simple binds using same password database?



Aleksandar Milivojevic wrote:
Turbo Fredriksson wrote:

userPassword: {SASL}turbo@REALM.TLD

That makes "whatever program" to check against Kerberos, via
LDAP->SASL->Kerberos.

[ snip ]


# Regexp for SASL authentication:
sasl-regexp uid=(.*),cn=domain.tld,cn=gssapi,cn=auth ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM.TLD)

Extremely simple (I have more for other needs), but works for me...


I've attempted to use that, changing domain.tld and REALM.TLD to match what I have. I understand what the basic form of sasl-regexp does, but not really what the above sasl-regexp will do (haven't found any usable docs yet, still looking). Hasn't really made any difference with or without it in my slapd.conf. Same authentication errors...

Should I use that sasl-regex in combination with that userPassword thingie you wrote about in your previous mail, or?

Ah, of course. It was all in the man page ;-)

Reading and understanding sometimes makes things work ;-)

So, to summarize, what I have for now is:

Among user's attributes (I was missing krb5PrincipalName that search in sasl-regexp looks for):

userPassword: {SASL}username@EXAMPLE.COM
krb5PrincipalName: username@EXAMPLE.COM

In slapd.conf (for each realm):

sasl-regexp
	uid=(.*),cn=example.com,cn=gssapi,cn=auth
	ldap:///ou=accts,dc=example,dc=com??sub?(krb5PrincipalName=$1@EXAMPLE.COM)

Also, I created /usr/lib/sasl2/slapd.conf (this one is needed too):

pwcheck_method: saslauthd

I've checked it with single realm (AD domain), and it works. Well, as long as saslauthd has access to valid host ticket. Left is to test with multiple realms (will have to wait until after new year).

One more question. I got this to work for "ldapsearch -x", so no SASL on the client side. If I do just "ldapsearch" (with SASL), it doesn't work. Not even for the PLAIN/LOGIN method (I kind of expected it won't work for DIGEST-MD5, since slapd doesn't have access to the cleartext password). Any way around it, or is it simply the way things are?

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
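As an added worked example (not code from this thread and not OpenLDAP's own implementation), here is a small Python model of what the sasl-regexp mapping discussed above does at bind time: slapd turns the GSSAPI authentication identity into the form uid=<user>,cn=<realm>,cn=gssapi,cn=auth, rewrites it with the first matching rule, and, when the rewrite yields an LDAP URL, runs that search and accepts the result only if exactly one entry comes back. The directory contents, the second realm PARTNER.ORG and its rule are all constructed for illustration. The parser also shows why the "?" between the scope and the filter matters: an URL such as "...??sub(krb5PrincipalName=...)" has no valid scope and is rejected.

```python
import re
from urllib.parse import unquote

# Constructed sample directory (DN -> attributes); not data from the thread.
DIRECTORY = {
    "uid=username,ou=accts,dc=example,dc=com": {
        "userPassword": ["{SASL}username@EXAMPLE.COM"],
        "krb5PrincipalName": ["username@EXAMPLE.COM"],
    },
    "uid=bob,ou=accts,dc=partner,dc=org": {          # assumed second realm
        "userPassword": ["{SASL}bob@PARTNER.ORG"],
        "krb5PrincipalName": ["bob@PARTNER.ORG"],
    },
    # Two entries claiming the same principal: the mapping must refuse this.
    "uid=dup1,ou=accts,dc=example,dc=com": {"krb5PrincipalName": ["dup@EXAMPLE.COM"]},
    "uid=dup2,ou=accts,dc=example,dc=com": {"krb5PrincipalName": ["dup@EXAMPLE.COM"]},
}

# One sasl-regexp rule per realm, mirroring the slapd.conf fragment above.
RULES = [
    (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$",
     "ldap:///ou=accts,dc=example,dc=com??sub?(krb5PrincipalName=$1@EXAMPLE.COM)"),
    (r"^uid=([^,]+),cn=partner\.org,cn=gssapi,cn=auth$",
     "ldap:///ou=accts,dc=partner,dc=org??sub?(krb5PrincipalName=$1@PARTNER.ORG)"),
]


def rewrite_identity(identity):
    """Apply the first matching rule; $1..$9 expand to the capture groups.
    Returns the rewritten string, or None when no rule matches."""
    for pattern, replacement in RULES:
        m = re.match(pattern, identity, re.IGNORECASE)
        if not m:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace("$%d" % i, group)
        return out
    return None


def parse_ldap_url(url):
    """ldap:///base?attrs?scope?filter (RFC 4516) -> (base, scope, filter).
    Raises ValueError on a malformed URL, e.g. a missing '?' before the filter."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap URL: %r" % url)
    _host, _, rest = url[len("ldap://"):].partition("/")
    parts = rest.split("?")
    base = unquote(parts[0])
    scope = parts[2] if len(parts) > 2 and parts[2] else "base"
    filt = unquote(parts[3]) if len(parts) > 3 else "(objectClass=*)"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r (missing '?' between scope and filter?)" % scope)
    return base, scope, filt


def _norm(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _in_scope(dn, base, scope):
    dn, base = _norm(dn), _norm(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]
    return dn == base or dn.endswith("," + base)          # sub


_EQ = re.compile(r"^\(([A-Za-z][\w;-]*)=([^)]*)\)$")


def search(base, scope, filt):
    """Toy search: simple equality filters only, exact value match
    (krb5PrincipalName is a case-exact attribute). Returns matching DNs."""
    m = _EQ.match(filt)
    if not m:
        raise ValueError("unsupported filter %r" % filt)
    attr, value = m.group(1).lower(), m.group(2)
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_scope(dn, base, scope)
            and any(k.lower() == attr and value in v for k, v in attrs.items())]


def resolve_authz_dn(identity):
    """Rewrite the SASL authentication identity, run the resulting URL as a
    search, and accept it only if exactly one entry matches.
    Returns the entry DN, or None when the mapping fails."""
    rewritten = rewrite_identity(identity)
    if rewritten is None:
        return None                      # no rule matched: identity stays unmapped
    if not rewritten.lower().startswith("ldap://"):
        return rewritten                 # rule produced a literal DN
    hits = search(*parse_ldap_url(rewritten))
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for ident in ("uid=username,cn=example.com,cn=gssapi,cn=auth",
                  "uid=bob,cn=partner.org,cn=gssapi,cn=auth",
                  "uid=dup,cn=example.com,cn=gssapi,cn=auth"):
        print(ident, "->", resolve_authz_dn(ident))
```

The "exactly one entry" rule is the security-relevant part: a rule whose search can match several entries (two accounts carrying the same krb5PrincipalName, or a filter broader than an equality on the principal) must fail rather than bind the client as whichever entry happens to come first.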