[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos with LDAP backend: password sync



--On Friday, July 22, 2011 9:03 PM +0300 Nick Milas <nick@eurobjects.com> wrote:

On 21/7/2011 10:23 ÎÎ, Dan White wrote:

A simpler approach, and one that works with non-SASL binds, would be to
configure pass-through authentication and perform saslauthd/kerberos5
authentication. As users change their passwords (against your kerberos
server, via some unspecified process), you could replace their
userPassword
entries with {SASL}user@realm (as described in the Admin guide) and do
away
with hashed password entries altogether.


If I follow this model, according to the documentation:

    "Where an entry has a "{SASL}" password value, OpenLDAP delegates
    the whole process of validating that entry's password to Cyrus SASL."

Supposing that we configure SASL to use Kerberos5 authentication, will
our current standard applications (Postfix, Dovecot, Shibboleth, Apache
etc.) need to be configured to include GSSAPI SASL method?

No. If you use pass-through authentication like this, then your LDAP server is specifically NOT using SASL/GSSAPI, but passing the credentials THROUGH. I.e., you still bind with a username and password to LDAP, which then authenticates that against the KDC.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration