
Re: Kerberos userpassword storage



On 2010-08-04 10:30, Howard Chu wrote:
> Indexer wrote:
>> Hi,
>>
>> I'm attempting to use Kerberos as a password storage backend in my
>> ldap server.
>>
>> I have the server setup with its own principal of the form
>> ldap/domainname@REALM , and this keytab is in the KRB5_KTNAME
>> environment variable as slapd starts.
>>
>> I have put olcSaslRealm=REALM and olcSaslHost=kdc.domain into my
>> cn=config.
>>
>> Then, I have uid=user, where the userPassword attribute is
>> {KERBEROS}user@REALM
>
> Who told you to do that? There is no such password scheme in any
> OpenLDAP documentation.
>
>> When attempting to bind to this user, it seems to fail. When I reset
>> the password to a standard SSHA hash, it authenticates correctly. I
>> can authenticate with kerberos to the host that the ldap enabled
>> client, but I just cannot use ldap with the kerberos password backend.
>>
>> Any help in solving what else i need to do in this would be greatly
>> appreciated
>>
>> William Brown
>>
>> pgp.mit.edu
>
What about:
setting up saslauthd to authenticate against kerberos (e.g. command line
options -a kerberos5 -c -m /var/run/saslauthd)
and then slapd to use that (e.g. in /etc/ldap/sasl2/slapd.conf something
like:
pwcheck_method:    saslauthd
saslauthd_path:    /var/run/saslauthd/mux
), then specify the userPassword attribute as {SASL}user@REALM
?

Cheers

Geza Gemes
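Geza's suggestion turned into a small script, added here and not part of the thread: it renders the two pieces of configuration he names (the sasl2 slapd.conf and the {SASL} userPassword value), rejects the non-existent {KERBEROS} scheme up front, and verifies the layers bottom-up with testsaslauthd and ldapwhoami. The bind DN, principal and `check_scheme` helper are assumptions; socket and file paths are the ones from the message.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths follow Geza's message;
# user, realm and LDAP suffix are placeholders to substitute.
set -eu

MUX=/var/run/saslauthd/mux          # saslauthd started with: -a kerberos5 -c -m /var/run/saslauthd
SASL_CONF=/etc/ldap/sasl2/slapd.conf

# slapd's SASL client config: hand simple-bind password checks to saslauthd.
render_slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: %s\n' "$MUX"
}

# slapd has no {KERBEROS} scheme; only {SASL}user@REALM is understood.
check_scheme() {
    case $1 in
        '{SASL}'*@*) return 0 ;;
        *)           return 1 ;;
    esac
}

# LDIF that moves a user from a local hash to SASL pass-through.
render_userpassword_ldif() {
    dn=$1; value=$2
    check_scheme "$value" || { echo "unsupported scheme in: $value" >&2; return 1; }
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: %s\n' "$dn" "$value"
}

# Verify in order: saslauthd against the KDC first, then the LDAP bind.
# With {SASL} the cleartext password travels client -> slapd -> saslauthd,
# so the bind is tested over StartTLS only (-ZZ). Run on the slapd host.
run_checks() {
    user=$1; realm=$2; password=$3; binddn=$4
    [ -S "$MUX" ] || { echo "saslauthd socket $MUX missing" >&2; return 1; }
    grep -q '^pwcheck_method: *saslauthd' "$SASL_CONF" || { echo "pwcheck_method not saslauthd" >&2; return 1; }
    testsaslauthd -f "$MUX" -u "$user" -r "$realm" -p "$password"
    ldapwhoami -x -ZZ -D "$binddn" -w "$password"
}

# Example invocation (only when explicitly requested, since it needs the daemons):
if [ "${RUN_CHECKS:-0}" = 1 ]; then
    render_slapd_sasl_conf
    render_userpassword_ldif 'uid=user,dc=example,dc=com' '{SASL}user@REALM'
    run_checks user REALM "$LDAP_TEST_PASSWORD" 'uid=user,dc=example,dc=com'
fi
```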