Re: GSSAPI vs GSS-SPNEGO

[Howard Chu <hyc@symas.com>]

Dan White wrote:
> On 12/28/14 11:24 -0500, Brendan Kearney wrote:
> > On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote:
> > > Brendan Kearney wrote:
> > > > i want to use the "pass-through" auth mechanism with sasl, so that i
> > > > validate credentials against the kerberos database, and not have to
> > > > maintain passwords in multiple places.
> >
> > ok, then i have misunderstood PLAIN vs SIMPLE, it seems.  i will back up
> > and explain what i am trying to do.
> >
> > apache, dhcp and freeradius can all use ldap for various functionality.
> > they all use what i now believe to be SIMPLE auth, where they are using
> > "cn=user,dc=domain,dc=tld" as ldap usernames.  these processes are using
> > ldap for authentication, whereas i have only kerberos authentication
> > setup in my environment (and ldap authorization).  my hope was that sasl
> > could allow me to push the ldap authN request through to kerberos, and
> > in essence proxy the authentication.
>
> This is a valid use of pass-through in my opinion,

Too many moving parts, and all unnecessary. He already has his KDC data 
stored in LDAP, he should just use {K5KEY} password scheme and be done 
with it.

You're just making extra work.

> but you'll want to
> protect the authentication as Howard mentioned over ldapi:/// ideally, or
> tls otherwise.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/