[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL pass-through autentication with a ldap-backend KDC

Guillaume Rousse a écrit :
Howard Chu a écrit :
Guillaume Rousse wrote:
Hello list.

Reading http://www.openldap.org/doc/admin24/security.html#SASL password
storage scheme, I understand autentication can be delegated to an
external mechanisme. Such as, for instance, a kerberos server. In this
case, it is advised to prevent changing passwords in the directory.

That part of the doc appears to be wrong. slapd will call SASL's setpass function to change a SASL password, so there's no reason to prevent changing passwords via LDAP.
I guess it is just a phrasing issue, and the doc means 'take care users don't inadvertly rewrite their password attribute with a true password instead of keeping this pointer'.
Sorry, I just reread it, it's explicitely stated than slapd doesn't allow to change password at all. You were right.

Second, {SMBKRB5} is an optimisation only possible with smbkrb5 overlay, whereas {SASL} is more generical, but also more expensives, as external calls are needed.
And from my own tests this morning: {SASL} is a bit more complex to setup, but doesn't suffer from the few glitches than {K5KEY} does (See just reported ITS #5766 and #5767)

Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62