
Re: Ldap kerberos ticket - GSSAPI

From: pkoelle <pkoelle@gmail.com>
To: Manel Euro <euro_32@hotmail.com>
CC: openldap-software@OpenLDAP.org
Subject: Re: Ldap kerberos ticket - GSSAPI
Date: Wed, 30 Mar 2005 11:28:29 +0200

Manel Euro wrote:
1st- SASL/gssapi
2nd- pass through authentication - userPASSWORD: {sasl}user@REALM-COM and saslauthd

I am using the first one. So, in this method when the kerberos ticket is presented to the slapd, slapd maps this kerberos principal to the *corresponding* directory DN. In this case, the principal testePac@EXAMPLE.NET does not have an entry on the directory. Therefore, according to what I have understood, this user should not get a Kerberos TGS to LDAP.

No, the KDC issuing tickets has no idea about what's in your directory. Kerberos is just a means to prove identity to the DSA, not authorization.

Thank you all for your answers.

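Added example, not part of the original message or of the OpenLDAP project's own configuration: a slapd.conf fragment showing where the authorization decision discussed in this thread is made on the slapd side. The suffix dc=example,dc=net, the ou=people layout and the uid naming attribute are assumptions; only the realm EXAMPLE.NET and the principal testePac come from the thread.

```conf
# slapd.conf fragment (added example; suffix and ou=people layout are assumed).
# After a GSSAPI bind, testePac@EXAMPLE.NET reaches slapd as the SASL identity
#   uid=testepac,cn=example.net,cn=gssapi,cn=auth
# or, when EXAMPLE.NET is the server's default realm,
#   uid=testepac,cn=gssapi,cn=auth
# The KDC has already issued the service ticket at this point.

# Map the SASL identity to a directory entry by searching for it. The search
# form rewrites the identity only when exactly one entry matches, so a
# principal with no entry keeps its cn=auth DN.
authz-regexp
    uid=([^,]+)(,cn=example.net)?,cn=gssapi,cn=auth
    ldap:///ou=people,dc=example,dc=net??one?(uid=$1)

# Clients read the root DSE to discover supportedSASLMechanisms.
access to dn.base=""
    by * read

# Authorization is decided here. "by users" would also match the unmapped
# cn=auth identity, so access is granted by directory DN instead.
# "by anonymous auth" lets the mapping search above match entries without
# making them readable.
access to dn.subtree="dc=example,dc=net"
    by dn.subtree="ou=people,dc=example,dc=net" read
    by anonymous auth
    by * none
```

Running `ldapwhoami -Y GSSAPI` with the ticket in the credential cache prints the identity slapd settled on, mapped or not.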