
Re: krb5PrincipalName and userPassword



On Saturday 08 September 2007 20:18:01 Turbo Fredriksson wrote:
> Quoting Pierangelo Masarati <ando@sys-net.it>:
> > that slapo-ppolicy(5) enforces a single value for the
> > password attribute, even though such a constraint is not present in the
> > specification of userPassword.
>
> That was not the issue, the issue was that I was authenticated with my
> SASL (Krb5 key) _even though I did not have {SASL} in userPassword_.

No, you were *authorized* by your sasl-regexp. You were *authenticated* by 
your Kerberos server.

With GSSAPI, the LDAP server doesn't do authentication.

As such, the LDAP server wasn't even consulted about whether it knows anything 
about your account, only that it should map your SASL identity to a DN (that 
need not exist in the directory).

Regards,
Buchan
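
Added example, not part of the original message or of OpenLDAP's code: a small Python model of the mapping step described above, showing that a plain regexp rewrite yields a DN without checking the directory, next to a variant that only maps when an entry exists. The realm, suffix, rule and directory contents are constructed assumptions, and the function names are hypothetical.

```python
import re

# Constructed sample data: DNs of entries that exist in a hypothetical directory.
DIRECTORY = {"uid=alice,ou=people,dc=example,dc=com"}

# Shape of a sasl-regexp rule: (match pattern, replacement). Values are assumed.
RULE = (r"^uid=([^,]+),cn=example\.com,cn=gssapi,cn=auth$",
        r"uid=\1,ou=people,dc=example,dc=com")


def sasl_authc_dn(principal):
    """Model the SASL identity slapd sees after the KDC has authenticated
    the principal: uid=<user>,cn=<realm>,cn=gssapi,cn=auth (lower-cased here)."""
    user, _, realm = principal.partition("@")
    return f"uid={user.lower()},cn={realm.lower()},cn=gssapi,cn=auth"


def map_identity(authc_dn, rule=RULE):
    """Direct rewrite: pure string substitution. The directory is never
    consulted, so the resulting DN need not exist."""
    pattern, replacement = rule
    match = re.match(pattern, authc_dn)
    return match.expand(replacement) if match else authc_dn


def map_identity_checked(authc_dn, directory=DIRECTORY, rule=RULE):
    """Model of a mapping that looks the entry up first: the identity is
    only mapped when the target entry exists, otherwise it stays as the
    unmapped SASL identity under cn=auth."""
    mapped = map_identity(authc_dn, rule)
    return mapped if mapped in directory else authc_dn


if __name__ == "__main__":
    for principal in ("alice@EXAMPLE.COM", "bob@EXAMPLE.COM"):
        dn = sasl_authc_dn(principal)
        print(principal)
        print("  direct :", map_identity(dn))
        print("  checked:", map_identity_checked(dn))
```

In this model `bob` has a valid Kerberos identity but no entry, so access control should not assume that a mapped DN, or an unmapped identity under `cn=auth`, corresponds to a real account.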