[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticate to ldap using Kerberos

Wouter van Marle wrote:
On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
On 09/09/10 10:21 +0800, Wouter van Marle wrote:
That requires pass-through authentication.

I see.
Well with the above instructions nothing seems to have changed.
I have restarted saslauthd and slapd after making the changes, and when
now accessing the ldap addressbook using Evolution, I still have to use
the ldap stored password, not the krb password.


To be a little more explicit, to enable pass-through authentication, you
will need to replace the password (userPassword attribute) with:

userPassword: {SASL}username@realm

When I got it working I am considering to write some tutorial - maybe
useful. I haven't been able to find anything like it on the internet.
The above I have never seen; just once a suggestion to change the
password to {KERBEROS}username but well that also didn't work :)

It's much harder to get working than I ever expected, really. And even
more so I'm surprised that openldap doesn't support this "out of the
box", or with some minor settings.

It is not supported out of the box because it's generally the wrong thing to do. It is intentionally undocumented, to discourage people from pursuing this misguided course. Use GSSAPI.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/