[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: krb5PrincipalName and userPassword

On Saturday 08 September 2007 20:18:01 Turbo Fredriksson wrote:
> Quoting Pierangelo Masarati <ando@sys-net.it>:
> > that slapo-ppolicy(5) enforces a single value for the
> > password attribute, even though such constraint is not present in the
> > specification of userPassword.
> That was not the issue, the issue was that I was authenticated with my
> SASL (Krb5 key) _even though I did not have {SASL} in userPassword_.

No, you were *authorized* by your sasl-regexp. You were *authenticated* by 
your Kerberos server.

With GSSAPI, the LDAP server doesn't do authentication.

As such, the LDAP server wasn't even consulted about whether it knows anything 
about your account, only that it should map your SASL identity to a DN (that 
need not exist in the directory).