
Re: How does Openldap work with Cyrus SASL and MIT Kerberos V



On Tue, 2008-07-01 at 08:41 +0700, Le Trung Kien wrote:
> As you know, on each client machine, I type "setup", go into
> "Authentication Configuration", then fill in information about the
> Kerberos and LDAP servers.
> And so, my users could log in to our Kerberos & LDAP system.
> 
> After login, users must get a ticket to use LDAP services by issuing the
> command "kinit" and then typing their Kerberos password. After getting
> their tickets, they can use LDAP services.
> I have tested this with "ldapwhoami" and got the proper user
> information (which belongs to LDAP).
> And I have only a password in Kerberos for each user.
> If I were wrong, please show me :)
> Could you explain to me how SASL gets involved in this?
> 

OpenLDAP does not use Kerberos directly; instead it uses SASL. If your
LDAP server has a Kerberos service principal, and has the SASL GSSAPI
plugin installed and enabled, then the OpenLDAP client utilities will
try appropriate SASL mechanisms (if the user has a ticket).

So, you are using SASL to authenticate your users via Kerberos when
accessing the LDAP service.

Regards,
Buchan
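The sequence Buchan describes, as an added example that is not part of the original thread: how slapd turns the Kerberos principal handed to it by the SASL GSSAPI mechanism into an LDAP identity, and how to check that the server advertises GSSAPI before running kinit and ldapwhoami. The hostname ldap.example.com, realm EXAMPLE.COM, user kien, the ou=people,dc=example,dc=com tree and the keytab path are assumptions; the sample rootDSE output is constructed. The live commands at the end need a reachable KDC and slapd and are not run by default.

```shell
#!/bin/sh
# Added example; not code from the original mailing-list thread.
# All hostnames, realm, DNs and paths are assumptions.

# Server side (slapd.conf fragment, shown as a comment). slapd needs:
#   - a keytab readable by the slapd user holding the service principal
#     ldap/ldap.example.com@EXAMPLE.COM (KRB5_KTNAME=/etc/openldap/ldap.keytab)
#   - the cyrus-sasl GSSAPI plugin installed
# Without a mapping rule, a user authenticating as kien@EXAMPLE.COM shows up
# as the synthetic SASL identity uid=kien,cn=gssapi,cn=auth. authz-regexp
# rewrites that to the user's real entry so ldapwhoami reports an LDAP DN:
#
#   authz-regexp
#       "uid=([^,/@]+),cn=gssapi,cn=auth"
#       "uid=$1,ou=people,dc=example,dc=com"
#
# (A principal from a realm other than slapd's default may carry an extra
#  cn=<realm> component before cn=gssapi; this rule does not match those.)

# The same rewrite expressed in sed, so the rule can be exercised offline.
# Argument: the SASL identity string slapd derives from the principal.
map_sasl_identity() {
    printf '%s\n' "$1" | sed -E \
        's#^uid=([^,/@]+),cn=gssapi,cn=auth$#uid=\1,ou=people,dc=example,dc=com#'
}

# Constructed sample of what an anonymous base-scope rootDSE search for
# supportedSASLMechanisms returns on a server with the GSSAPI plugin loaded.
SAMPLE_ROOTDSE='dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5'

# Reads rootDSE LDIF on stdin; succeeds only if GSSAPI is advertised.
# If this fails, kinit alone will not help: the client has nothing to
# negotiate GSSAPI against.
server_offers_gssapi() {
    grep -qx 'supportedSASLMechanisms: GSSAPI'
}

# Client-side sequence against a live server (not run by default).
live_check() {
    # Anonymous simple bind (-x) just to read the rootDSE.
    ldapsearch -x -H ldap://ldap.example.com -b '' -s base \
        supportedSASLMechanisms | server_offers_gssapi \
        || { echo "server does not advertise GSSAPI" >&2; return 1; }
    # Obtain a TGT for the user; the LDAP client never sees this password.
    kinit kien@EXAMPLE.COM
    # No -x: ldapwhoami negotiates SASL and, with a ticket in the cache,
    # picks GSSAPI. -Y GSSAPI makes the choice explicit.
    ldapwhoami -Y GSSAPI -H ldap://ldap.example.com
}

if [ "${1:-}" = "--live" ]; then
    live_check
fi
```

With the authz-regexp rule in place, the final ldapwhoami prints dn:uid=kien,ou=people,dc=example,dc=com; without it, it prints the raw dn:uid=kien,cn=gssapi,cn=auth, which is the quickest way to tell whether the identity mapping, rather than the Kerberos exchange, is what is misconfigured.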