
Re: sasl and clients that do not support it



Thomas Bolioli wrote:

I would like to use sasl to connect my clients to ldap via krb5. However, some clients do not support sasl. Can I do some sort of pass through of supplied plain text credentials to the kdc to authenticate? If so, can someone point me in the right direction?
Thanks,
Tom


Yes, but if you're not also using SSL/TLS then your Kerberos passwords will be exposed on the network, thus destroying the security of your Kerberos deployment. In general, setting this up is a bad idea.

You must
1) include '--enable-spasswd' when configuring OpenLDAP
2) set the users' userPassword attribute in LDAP to "{SASL}<kerberos username>"
3) configure saslauthd to perform kerberos authentication
4) configure slapd to use saslauthd for SASL password verification


See the SASL documentation if you need more help.

--
 -- Howard Chu
 Chief Architect, Symas Corp.       Director, Highland Sun
 http://www.symas.com               http://highlandsun.com/hyc
 Symas: Premier OpenSource Development and Support
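The four steps in the reply above, written out as the configuration fragments and the LDIF an administrator would actually produce, together with the TLS requirement the reply warns about. This is an added example, not part of the original thread and not OpenLDAP's or Symas's own documentation; the realm EXAMPLE.COM, the suffix dc=example,dc=com, the ou=people container, the certificate paths and the saslauthd socket path are assumptions, and the userPassword format {SASL}user@realm is the one documented for slapd built with --enable-spasswd.

```shell
#!/bin/sh
# Added example (not from the original thread): the four steps for SASL
# pass-through of simple-bind passwords to Kerberos, plus the TLS guard.
# Realm, suffix, paths and certificate locations are assumptions.
set -eu

REALM="EXAMPLE.COM"            # assumed Kerberos realm
BASEDN="dc=example,dc=com"     # assumed LDAP suffix
OUT="${1:-$(mktemp -d)}"       # directory for the generated fragments
mkdir -p "$OUT"

# Step 1: slapd must be built with SASL password verification. The
# configure invocation is shown for reference; the build itself is not run.
#   ./configure --enable-spasswd --with-cyrus-sasl --with-tls

# Step 2: a userPassword value that delegates verification to SASL instead
# of storing a hash. Format is {SASL}<user>[@<realm>]; when the realm is
# omitted, saslauthd's default realm applies.
sasl_userpassword() {
    user=$1; realm=${2:-}
    if [ -n "$realm" ]; then
        printf '{SASL}%s@%s' "$user" "$realm"
    else
        printf '{SASL}%s' "$user"
    fi
}

# LDIF that switches an existing entry over to pass-through authentication.
sasl_passwd_ldif() {
    uid=$1
    printf 'dn: uid=%s,ou=people,%s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' \
        "$uid" "$BASEDN" "$(sasl_userpassword "$uid" "$REALM")"
}

# Step 3: saslauthd verifying passwords against the KDC. On Debian-style
# systems these variables live in /etc/default/saslauthd; the equivalent
# direct invocation is "saslauthd -a kerberos5 -m /var/run/saslauthd".
cat > "$OUT/saslauthd.flags" <<'EOF'
MECHANISMS="kerberos5"
OPTIONS="-m /var/run/saslauthd"
EOF

# Step 4: slapd's own Cyrus SASL config (typically /usr/lib/sasl2/slapd.conf
# or /etc/sasl2/slapd.conf) telling libsasl to ask saslauthd.
cat > "$OUT/slapd.sasl2.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF

# The warning in the reply: every simple bind now carries a cleartext
# Kerberos password, so refuse simple binds that are not protected by at
# least a 128-bit security strength factor (i.e. TLS or ldaps://).
cat > "$OUT/slapd.conf.fragment" <<'EOF'
TLSCertificateFile    /etc/ldap/certs/slapd.pem
TLSCertificateKeyFile /etc/ldap/certs/slapd.key
TLSCACertificateFile  /etc/ldap/certs/ca.pem
security simple_bind=128
EOF

# Generate the LDIF for one assumed user. Apply and verify over TLS only:
#   ldapmodify -H ldaps://ldap.example.com -D cn=admin,$BASEDN -W -f tom.ldif
#   ldapwhoami -H ldaps://ldap.example.com -x -D uid=tom,ou=people,$BASEDN -W
sasl_passwd_ldif tom > "$OUT/tom.ldif"
echo "fragments written to $OUT"
```

The `security simple_bind=128` line is what keeps this from becoming the footgun the reply describes: simple binds arriving over plain ldap:// without STARTTLS are rejected before the password is ever forwarded to saslauthd, while clients that do support SASL/GSSAPI are unaffected and never send a password at all.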