
OpenLDAP to Kerberos, Take 2



Earlier I asked a few questions about OpenLDAP authenticating via Kerberos.  I'm going to back up a bit and ask a more general question to ensure I have an adequate understanding to go further into the details of a solution.

On a Kerberos list I was asking for a little bit of help, and the answer I got revealed that maybe I don't understand as much about OpenLDAP's interaction with Kerberos as I'd thought. 

In general, I am trying to authenticate a login and password received via an OpenLDAP client (in this case SMB via the smbldap-tools) with the logins and passwords held in a Kerberos server elsewhere.  Is this a legitimate use of these services?  Am I thinking about this wrong?  If so, what else do I need to know?

I thought it was possible that I could have an ldap-bind request referred via SASL/GSSAPI to do a Kerberos authentication. 

But on the Kerberos list, here's the response I got.
> A KDC does not speak GSSAPI nor SASL.  A KDC issues tickets.  You use
> SASL-GSSAPI-KRB5 when you want to establish an authenticated connection
> to an application service for which a service principal exists within
> the KDC database.  The KDC is not an application service.

> As Jeff pointed out, [you can't do that] with GSSAPI. What you might be
> looking for is slapd code to take a username and password and do in effect
> a kinit and a verify tgt, or have a sasl plugin do it for you. I don't know
> of one.
And on this OpenLDAP list I got:
> There is an ugly hack: having a userPassword field with "{SASL}<Kerberos
> principal>" in LDAP you can employ saslauthd's Kerberos backend. We use
> it as a crutch for a web application which can only authenticate against
> an LDAP directory.
Perhaps you can help me understand or reconcile these responses. 

Thanks.

Wes



Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
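As an added illustration, not part of Wes's message or of the quoted replies, this is what the "{SASL}<principal>" crutch looks like when written down end to end: slapd stores no password at all, hands the simple-bind password to Cyrus SASL, and saslauthd does the kinit-and-verify-TGT step the Kerberos list described. The realm EXAMPLE.EDU, the host ldap.example.edu, the DNs and the file paths are placeholders, and the TLS certificate directives for slapd are assumed to be configured already.

```conf
# Added example, not configuration from the thread.  Placeholders:
# EXAMPLE.EDU, ldap.example.edu, dc=example,dc=edu, /etc/krb5.keytab.

## 1. slapd.conf: the simple bind carries the password in the clear,
##    so refuse it unless the session already has 128-bit TLS.
##    (TLSCertificateFile / TLSCertificateKeyFile assumed set above.)
security simple_bind=128

## 2. Cyrus SASL config for slapd (/etc/sasl2/slapd.conf or
##    /usr/lib/sasl2/slapd.conf depending on the distribution):
##    route password checks for "{SASL}" entries to saslauthd.
pwcheck_method: saslauthd

## 3. saslauthd (init-script / /etc/default/saslauthd style settings):
##    obtain a TGT for the principal with the offered password, then
##    verify that TGT against the host key in the keytab so a rogue KDC
##    cannot simply answer "yes" to any password.
MECHANISMS="kerberos5"
# assumption: the environment the init script exports to saslauthd
KRB5_KTNAME=/etc/krb5.keytab        # must contain host/ldap.example.edu
# and in /etc/krb5.conf under [libdefaults], so that a missing or
# unreadable keytab makes verification fail instead of being skipped:
#   verify_ap_req_nofail = true

## 4. The directory entry: no hash in LDAP, only a pointer at the
##    Kerberos principal that saslauthd should check.
dn: uid=wes,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: wes
cn: Wes Modes
sn: Modes
userPassword: {SASL}wes@EXAMPLE.EDU
```

Check the saslauthd half on its own first with `testsaslauthd -u wes@EXAMPLE.EDU -p '<password>'` before involving slapd, then confirm the whole path with `ldapwhoami -x -ZZ -H ldap://ldap.example.edu -D uid=wes,ou=People,dc=example,dc=edu -W`. A bind that succeeds without `-ZZ` means the `security` directive is not doing its job and passwords are crossing the network unencrypted.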