[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: MIT Kerberos5+ SASL+ OpenLdap

Kurt D. Zeilenga wrote:
> Since credentials for GSSAPI-based Kerberos authentication
> is managed by the GSSAPI implementation (in Cyrus SASL),
> it is irrelevant to slapd(8) as to what user information you
> have placed in the directory.  (Now, your KDC might be
> directory enabled, and hence have its own user information
> requirements, but these are not slapd(8)-specific
> requirements.)
>>In my current configuration I don't have a userPassword field.
>>I believe that cyrus-sasl (gssapi) gets the information from my ticket and converts it to my dn. So, this way, I don't need to have a userPassword field.
> Correct.

For the sake of completeness (if there is any)...

However, if you are planning to do simple binds against your DSA (LDAP)
and use the kerberos passwort for these, you have to add the
userPassword: {SASL}USER@REALM field and configure SASL to use saslauthd
to use kerberos to authenticate simple binds to ldap
(/etc/sasl2/slapd.conf, gentoo) YMMV. Please note that in this case the
kerberos password is sent in cleartext to the DSA, so SSL/TLS is hightly