
Re: Kerberos and simple binds using same password database?



Turbo Fredriksson wrote:
>> Among the user's attributes (I was missing the krb5PrincipalName that the search
>> in sasl-regexp looks for):
>>
>> userPassword: {SASL}username@EXAMPLE.COM
>> krb5PrincipalName: username@EXAMPLE.COM
>
> Well, this was my initial design 'a long time ago' when slapd wasn't as
> evolved as it is now (and sasl-regexp didn't exist). But, from the top
> of my head, you SHOULD be able to do without the 'krb5PrincipalName'
> and its object class...

I came to the same conclusion later in the day (after some thinking and experimenting).


> Something like this should do it (also look at the rest of the thread -
> the sasl-regexp is case insensitive):
>
> sasl-regexp
>  uid=(.*),cn=(.*),cn=gssapi,cn=auth
>  ldap:///ou=accts,dc=example,dc=com??sub(userPassword=\{SASL\}$1@$2)
>
> This will support your multiple realms (as long as domain and realm
> match!)
>
> Hm, no it wouldn't - unless you find a way to extract 'example' and 'com'
> as two separate entities (for use instead of 'dc=example,dc=com'). I
> know it's possible to do this (I've seen it done), but I have no
> idea how to do it...

It would work for me, since my LDAP directory organization doesn't need to match the AD domain organization. All I need is a way to match an LDAP DN to a Kerberos principal for password checking, and "userPassword: {SASL}user@REALM" will do exactly that. However, in the case where they do match, something like this should work (I haven't tested it, but this is a valid regexp):


sasl-regexp
uid=([^,]*),cn=([^.]*)\.([^,]*),cn=[^,]*,cn=auth
ldap:///ou=accts,dc=$2,dc=$3??sub(userPassword=\{SASL\}$1@$2.$3)

(The above assumes you make sure there are no ',' chars in the uid and cn attributes.)

The above is off the top of my head, so it might contain typos, but it demonstrates the general idea.

It will match two-level domain names only (example.com). You can add more rules for 3, 4, or more level domains in any order you wish (only one will match).

Of course, one can always go the easy route and match the uid to uid ;-)

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
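Added example, not code from the thread or from OpenLDAP: a small Python emulation of the first-match, case-insensitive mapping the thread attributes to sasl-regexp, fed with the rules posted above (the two-label realm rule, and the "uid to uid" easy route). The `ou=accts,dc=...` layout and the `{SASL}user@REALM` value come from the thread; the authc DNs are constructed. It goes beyond the thread in one place: `map_any_level` splits a realm of any depth into dc= components, which the thread notes a single slapd regexp cannot do, and applies an extra character check on the uid that is not in the thread.

```python
import re

# Each rule is (regex over the SASL authc DN, LDAP URL template with $n),
# mirroring the sasl-regexp pattern/replacement pairs posted in the thread.

# Rule as posted in the thread. Note the last realm group is [^,]*, so it
# also swallows a dotted remainder (CORP.EXAMPLE.COM -> dc=CORP,dc=EXAMPLE.COM).
THREAD_RULE = (
    r"^uid=([^,]*),cn=([^.]*)\.([^,]*),cn=[^,]*,cn=auth$",
    r"ldap:///ou=accts,dc=$2,dc=$3??sub(userPassword=\{SASL\}$1@$2.$3)",
)

# Tightened variant (added here): both realm labels exclude '.', so exactly
# two labels match and a separate rule for three-label realms can follow it.
TWO_LABEL_RULE = (
    r"^uid=([^,]*),cn=([^.,]*)\.([^.,]*),cn=[^,]*,cn=auth$",
    r"ldap:///ou=accts,dc=$2,dc=$3??sub(userPassword=\{SASL\}$1@$2.$3)",
)

# The "easy route" from the thread: map uid to uid under a fixed base.
UID_RULE = (
    r"^uid=([^,]*),cn=[^,]*,cn=[^,]*,cn=auth$",
    r"ldap:///ou=accts,dc=example,dc=com??sub(uid=$1)",
)


def expand(template, match):
    """Substitute $1..$9 in a slapd-style template with the regex groups."""
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), template)


def apply_rules(authc_dn, rules):
    """Return the LDAP URL from the first rule whose regex matches, else None.

    Matching is case-insensitive, as the thread says sasl-regexp is.
    """
    for pattern, template in rules:
        m = re.match(pattern, authc_dn, re.IGNORECASE)
        if m:
            return expand(template, m)
    return None


# Beyond the thread: build dc= components for a realm of any depth. This
# shows the result a per-level set of sasl-regexp rules would have to produce.
LABEL = re.compile(r"^[A-Za-z0-9-]+$")
SAFE_UID = re.compile(r"^[A-Za-z0-9._-]+$")  # extra check, not in the thread


def realm_to_base(realm):
    """EXAMPLE.COM -> dc=EXAMPLE,dc=COM; None if any label is malformed."""
    labels = realm.split(".")
    if not all(LABEL.match(label) for label in labels):
        return None
    return ",".join("dc=" + label for label in labels)


def map_any_level(authc_dn):
    m = re.match(r"^uid=([^,]*),cn=([^,]*),cn=[^,]*,cn=auth$",
                 authc_dn, re.IGNORECASE)
    if not m:
        return None
    uid, realm = m.group(1), m.group(2)
    base = realm_to_base(realm)
    if base is None or not SAFE_UID.match(uid):
        return None
    return ("ldap:///ou=accts," + base +
            "??sub(userPassword=\\{SASL\\}" + uid + "@" + realm + ")")


if __name__ == "__main__":
    # Constructed authc DNs of the shape slapd derives from a GSSAPI bind.
    for dn in ["uid=jdoe,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
               "uid=jdoe,cn=CORP.EXAMPLE.COM,cn=gssapi,cn=auth",
               "uid=j,doe,cn=EXAMPLE.COM,cn=gssapi,cn=auth"]:
        print(dn)
        print("  thread rule :", apply_rules(dn, [THREAD_RULE]))
        print("  two-label   :", apply_rules(dn, [TWO_LABEL_RULE, UID_RULE]))
        print("  any level   :", map_any_level(dn))
```

Running it shows the three behaviours worth knowing before deploying such rules: the posted pattern also matches a three-label realm and produces a base of `dc=CORP,dc=EXAMPLE.COM`, the tightened pattern returns no match for it so the next rule can take over, and a uid containing a comma matches neither strict rule, which is the no-comma assumption the thread states.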