[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticate to ldap using Kerberos

On 09/09/10 10:21 +0800, Wouter van Marle wrote:
That requires pass-through authentication.

I see.
Well with the above instructions nothing seems to have changed.
I have restarted saslauthd and slapd after making the changes, and when
now accessing the ldap addressbook using Evolution, I still have to use
the ldap stored password, not the krb password.


To be a little more explicit, to enable pass-through authentication, you
will need to replace the password (userPassword attribute) with:

userPassword: {SASL}username@realm

for instance:

dn: uid=jsmith,dc=example,dc=com
userPassword: {SASL}jsmith

In this case, the user will have no valid password defined in LDAP (or at
least not in the userPassword attribute).

When attempting to perform a non-sasl bind, slapd will use saslauthd to
authenticate, by taking the username (from the userPassword field), and the
password that was submitted.

Dan White