
Re: Authenticate to ldap using Kerberos



On 09/09/10 19:41 +0200, Dieter Kluenter wrote:
Wouter van Marle <wouter@squirrel-systems.com> writes:

On 9 Sep 10, at 21:47, Dan White wrote:

On 09/09/10 12:47 +0800, Wouter van Marle wrote:
[...]
Most important difference is that pam is not mentioned here. But then
from other mails I understand that slapd only wants to use saslauthd
and not pam.

[...]

No, slapd doesn't want saslauthd, nor pam, it is just a hack. Please
do not use saslauthd authentication agent in a kerberized
environment. Make use of proper native sasl mechanism.

Why has it been said that this is unsupported or a hack? Pass-through
authentication is clearly documented in the Administrator's Guide (Section
14.5). Is it not supported?

The fact that GSSAPI/Kerberos5 is involved is not really relevant.
Even though he has successfully performed a GSSAPI bind to the server,
that doesn't have anything to do with the fact that he's wanting to
perform pass-through authentication to libsasl.

If the response is "Your slapd server is configured properly for
pass-through authentication. You're on the wrong list, go away", that's
perfectly understandable.  There's no reason I've seen that this should not
work.

People will find solutions to solve their problems, even if said solution
is not ideal. Just because it's not your ideal does not suggest it's a
horrible ugly hack. Finding a solution for Evolution that does not
involve a patch against X client systems is going to be a far smaller hack.

--
Dan White