
Kerberos+Ldap /etc/passwd


I have set up the following configuration in a test environment.
Please take a look at the questions at the end of the description of my environment.
The first machine is a KDC (MIT) and it also has the OpenLDAP server.
This LDAP implementation is only acting as the /etc/passwd and /etc/group files, without passwords.

Here is some info about the OpenLDAP server:

Version: openldap-2.2.23

ldapsearch -h localhost -p 389 -x -b "" -s base -LLL supportedSASLMechanisms
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: OTP
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5


include /usr/local/openldap-2.2.23/etc/openldap/schema/core.schema
include /usr/local/openldap-2.2.23/etc/openldap/schema/cosine.schema
include /usr/local/openldap-2.2.23/etc/openldap/schema/nis.schema
include /usr/local/openldap-2.2.23/etc/openldap/schema/inetorgperson.schema


dn: uid=testePass,ou=People,dc=example,dc=com
uid: testePass
cn: testePass
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 506
gidNumber: 506
homeDirectory: /home/testePass

Having said this, here are my questions:

1- Considering that my internal network is safe, should I configure SASL binds instead of simple binds?
2- Also, if I use a SASL bind, do I need to have a userPassword: {SASL} field on each user entry in the LDAP database? I have read several posts in this list but could not extract this information.
3- Also, in my current configuration, when I enter my Kerberos password, is it sent to the LDAP server?

Thank you for your time (I am sorry for the long email).
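An added example (not part of the original post) that bears on questions 1 and 3: a small audit of slapd "stats" log lines that separates simple binds, where the password itself crosses the wire and ssf=0 means no TLS protected it, from GSSAPI binds, where only Kerberos tickets are exchanged. The log lines below are constructed and assumed to follow the shape of slapd loglevel 256 output; the function names are my own.

```python
import re

# Constructed sample of slapd stats-log lines: one simple bind from one
# host and one GSSAPI bind from another. Format assumed to resemble
# OpenLDAP "loglevel 256" output.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=192.168.1.20:41234 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="uid=testePass,ou=People,dc=example,dc=com" method=128
conn=1000 op=0 BIND dn="uid=testePass,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1001 fd=13 ACCEPT from IP=192.168.1.21:41235 (IP=0.0.0.0:389)
conn=1001 op=1 BIND dn="" method=SASL
conn=1001 op=1 BIND authcid="testePass@EXAMPLE.COM" authzid="testePass@EXAMPLE.COM"
conn=1001 op=1 BIND dn="uid=testePass,ou=People,dc=example,dc=com" mech=GSSAPI sasl_ssf=56 ssf=56
conn=1001 op=1 RESULT tag=97 err=0 text=
"""

ACCEPT_RE = re.compile(r'^conn=(\d+) fd=\d+ ACCEPT from IP=([\d.]+):\d+')
# The completed-bind line carries the mechanism and the security strength
# factor (ssf) of the connection at bind time; sasl_ssf is optional.
BIND_RE = re.compile(
    r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" mech=(\S+)(?: sasl_ssf=\d+)? ssf=(\d+)')

def audit_binds(log_text):
    """One record per completed bind: peer address, DN, mechanism, ssf.
    mech=SIMPLE with ssf=0 means the password was sent unprotected."""
    peers = {}   # conn id -> client IP, taken from the ACCEPT line
    binds = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.match(line)
        if m:
            peers[m.group(1)] = m.group(2)
            continue
        m = BIND_RE.match(line)
        if m:
            conn, op, dn, mech, ssf = m.groups()
            binds.append({
                "conn": conn, "op": op, "dn": dn, "mech": mech,
                "ssf": int(ssf), "peer": peers.get(conn, "?"),
                "cleartext_password": mech == "SIMPLE" and int(ssf) == 0,
            })
    return binds

def cleartext_binds(log_text):
    """Only the binds whose password went over the network in the clear."""
    return [b for b in audit_binds(log_text) if b["cleartext_password"]]

if __name__ == "__main__":
    for b in audit_binds(SAMPLE_LOG):
        flag = "CLEARTEXT PASSWORD" if b["cleartext_password"] else "ok"
        print(f'conn={b["conn"]} {b["peer"]} {b["mech"]} ssf={b["ssf"]} {b["dn"]} -> {flag}')
```

Run it against a real slapd log (with stats logging enabled) to see which clients still bind with a password; a GSSAPI bind shows up with a non-zero ssf and no password in the exchange.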

