
Re: Password-less operation
On Wednesday, 8 February 2012 01:22:33 Jean-Luc Wasmer wrote:
> Hi,
> 
> The user db on my system is stored in LDAP and integrated with PAM and NSS.
> The LDAP db also contains address book data for each user. I would like to
> be able to call ldap utilities (e.g. ldapsearch) without having the user
> to enter his/her password every time. I would also like for scripts running
> as those users to have access to the respective LDAP entries. I noticed
> ldapsearch supports SASL binds, so I was wondering if that could be used
> in conjunction with Kerberos to accomplish my goal

Yes.

> (from what I
> understand, the kinit command would have to be called before ldapsearch).

You would need to have a TGT. In a Kerberos environment, you should normally 
have things in place to ensure this (e.g. pam_krb5 for auth and session would 
accomplish getting an initial TGT on a login session).

> Is there any other way to do this?

There are other SASL mechs that may be of use, but also require other 
infrastructure or credential distribution. Kerberos/GSSAPI has other 
advantages as well, due to wide support/adoption.

Regards,
Buchan
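As an added example (not part of this thread), a small wrapper that does what the reply describes: it checks that the session already holds a valid TGT and then binds with SASL/GSSAPI, so neither an interactive user nor a script is ever prompted for a password. It assumes MIT Kerberos `klist` and OpenLDAP `ldapsearch`; the server URI and base DN are placeholders.

```shell
#!/bin/sh
# Hypothetical helper (added example): run ldapsearch with a SASL/GSSAPI bind,
# relying on the TGT that pam_krb5 (or a manual kinit) already placed in the
# credential cache. Assumes MIT Kerberos `klist` and OpenLDAP `ldapsearch`.

# Usage: ldap_gssapi_search <ldap URI> <search base> <filter> [attrs...]
ldap_gssapi_search() {
    local uri="$1" base="$2" filter="$3"
    shift 3

    # `klist -s` exits non-zero when the cache is missing, empty, or holds only
    # expired tickets, so a script fails fast with a clear message instead of
    # a cryptic SASL bind error (or a password prompt it cannot answer).
    if ! klist -s; then
        echo "ldap_gssapi_search: no valid Kerberos TGT in the credential cache; run kinit first" >&2
        return 1
    fi

    # -Y GSSAPI selects the Kerberos SASL mechanism; -Q suppresses the SASL
    # status lines so only LDIF reaches the caller.
    ldapsearch -Y GSSAPI -Q -H "$uri" -b "$base" "$filter" "$@"
}

# Example call with placeholder server and base DN, fetching the calling
# user's own address-book attributes:
# ldap_gssapi_search ldap://ldap.example.com 'ou=People,dc=example,dc=com' \
#     "(uid=$(id -un))" mail telephoneNumber
```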