[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: SASL pass-through autentication with a ldap-backend KDC

To: Howard Chu <hyc@symas.com>
Subject: Re: SASL pass-through autentication with a ldap-backend KDC
From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
Date: Thu, 23 Oct 2008 14:00:57 +0200
Cc: openldap-software@openldap.org
In-reply-to: <48FF0D70.2060106@symas.com>
References: <48FDB576.4010103@inria.fr> <48FE34D7.2090701@symas.com> <48FE4C38.4080707@inria.fr> <48FF0611.8090106@inria.fr> <48FF0D70.2060106@symas.com>
User-agent: Thunderbird 2.0.0.17 (X11/20080929)

Howard Chu a écrit :

Guillaume Rousse wrote:
Guillaume Rousse a écrit :
Howard Chu a écrit :
Guillaume Rousse wrote:
Hello list.
Reading http://www.openldap.org/doc/admin24/security.html#SASL password storage scheme, I understand autentication can be delegated to an external mechanisme. Such as, for instance, a kerberos server. In this case, it is advised to prevent changing passwords in the directory.
That part of the doc appears to be wrong. slapd will call SASL's
setpass function to change a SASL password, so there's no reason to
prevent changing passwords via LDAP.
I guess it is just a phrasing issue, and the doc means 'take care users
don't inadvertly rewrite their password attribute with a true password
instead of keeping this pointer'.
Sorry, I just reread it, it's explicitely stated than slapd doesn't
allow to change password at all. You were right.
We'll have to update that part of the Guide, there are very specific restrictions on this feature: The sasl_setpass call only works if the LDAP session was authenticated using SASL, and only if you're changing your own password. Otherwise it will fail. As such, e.g. a sysadmin cannot reset the password of some other SASL user via LDAP...

While on the documentation subject: it could be worth explaining, than despite SASL autentication of LDAP session being a different thing, the file /path/to/sasl/config.slapd.conf is used by all kind of SASL/slapd interaction. And if you use the one given in example, with only 'plain' mechanism, you'll break GSSAPI support (needed for those sessions), and also EXTERNAL support (needed for heimdal, for instance).

Second, {SMBKRB5} is an optimisation only possible with smbkrb5 overlay,
whereas {SASL} is more generical, but also more expensives, as external
calls are needed.

And from my own tests this morning: {SASL} is a bit more complex to
setup, but  doesn't suffer from the few glitches than {K5KEY} does (See
just reported ITS #5766 and #5767)

Thanks for the reports. Will look into them later this week.

Thanks. If you could also deal with #5535 at the same time, it would be wonderful :) -- Guillaume Rousse Moyens Informatiques - INRIA Futurs Tel: 01 69 35 69 62

References:
- SASL pass-through autentication with a ldap-backend KDC
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: SASL pass-through autentication with a ldap-backend KDC
  - From: Howard Chu <hyc@symas.com>
- Re: SASL pass-through autentication with a ldap-backend KDC
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: SASL pass-through autentication with a ldap-backend KDC
  - From: Guillaume Rousse <Guillaume.Rousse@inria.fr>
- Re: SASL pass-through autentication with a ldap-backend KDC
  - From: Howard Chu <hyc@symas.com>

Prev by Date: Re: OpenLDAP 2.4 syncrepl - Size limit exceeded error in consumer end
Next by Date: Re: openLDAP paged response problem
Index(es):
- Chronological
- Thread