Re: sasl and clients that do not support it

Howard Chu wrote:

> Thomas Bolioli wrote:
>> I would like to use sasl to connect my clients to ldap via krb5. 
>> However, some clients do not support sasl. Can I do some sort of pass 
>> through of supplied plain text credentials to the kdc to 
>> authenticate? If so, can someone point me in the right direction?
>> Thanks,
>> Tom
> Yes, but if you're not also using SSL/TLS then your Kerberos passwords 
> will be exposed on the network, thus destroying the security of your 
> Kerberos deployment. In general setting this up is a bad idea.
> You must
>    1) include '--enable-spasswd' when configuring OpenLDAP
>    2) set the users' userPassword attribute in LDAP to 
> "{SASL}<kerberos username>"
>    3) configure saslauthd to perform kerberos authentication
>    4) configure slapd to use saslauthd for SASL password verification
> See the SASL documentation if you need more help.
Is that "{SASL}username@REALM.COM"?
PS: I plan on using SSL just as soon as I get it working, but I need the
LDAP server working so I can bring up Cyrus.
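For reference, here is what the four steps Howard lists look like as configuration. This is an added illustration, not something posted in this thread: the SASL config path, the saslauthd socket path, and the user DN and principal are assumptions (the thread only gives the form "{SASL}<kerberos username>"; the realm-qualified principal below is an assumption).

```conf
# --- Step 1: slapd must be built with '--enable-spasswd' (configure flag from the thread)

# --- Step 4: SASL config read by slapd; file location is platform dependent
# (assumption: /etc/sasl2/slapd.conf, on some systems /usr/lib/sasl2/slapd.conf)
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux   # assumption: default mux socket location

# --- Step 3: saslauthd started with the Kerberos 5 backend
# (command line, or the OPTIONS/MECHANISMS setting in the init script)
#   saslauthd -a kerberos5

# --- Step 2: LDIF setting the pass-through value for one user (constructed values)
dn: uid=tom,ou=People,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}tom@EXAMPLE.COM
```

Check the chain from the bottom up: `testsaslauthd -u tom -p <password>` confirms saslauthd can reach the KDC, then `ldapwhoami -x -ZZ -D uid=tom,ou=People,dc=example,dc=com -W` confirms slapd forwards the simple bind; the `-ZZ` (require StartTLS) matters because, as Howard notes, the Kerberos password otherwise travels in the clear.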