
Re: GSSAPI vs GSS-SPNEGO



Howard Chu wrote:
> Dan White wrote:
>> On 12/28/14 11:24 -0500, Brendan Kearney wrote:
>>> On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote:
>>>> Brendan Kearney wrote:
>>>> > I want to use the "pass-through" auth mechanism with SASL, so that I
>>>> > validate credentials against the Kerberos database, and not have to
>>>> > maintain passwords in multiple places.
>>>
>>> OK, then I have misunderstood PLAIN vs SIMPLE, it seems. I will back up
>>> and explain what I am trying to do.
>>>
>>> Apache, DHCP and FreeRADIUS can all use LDAP for various functionality.
>>> They all use what I now believe to be SIMPLE auth, where they are using
>>> "cn=user,dc=domain,dc=tld" as LDAP usernames. These processes are using
>>> LDAP for authentication, whereas I have only Kerberos authentication
>>> set up in my environment (and LDAP authorization). My hope was that SASL
>>> could allow me to push the LDAP authN request through to Kerberos, and
>>> in essence proxy the authentication.
>>
>> This is a valid use of pass-through in my opinion,
> 
> Too many moving parts, and all unnecessary.

I agree here but..

> He already has his KDC data stored
> in LDAP, he should just use {K5KEY} password scheme and be done with it.

..AFAIK this requires using slapo-smbk5pwd, which only works with Heimdal's
libs and KDC schema.

I guess Fedora does not ship OpenLDAP builds with slapo-smbk5pwd and it
definitely uses MIT Kerberos.

Ciao, Michael.
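For readers unfamiliar with the "pass-through" setup Brendan and Dan are discussing, here is a constructed configuration sketch added to this archive page; it is not from the thread, from OpenLDAP or from Fedora. It shows the three pieces that make a SIMPLE bind against slapd end up verified by the Kerberos KDC: a user entry whose userPassword uses the {SASL} scheme, a Cyrus SASL config for slapd that delegates password checks to saslauthd, and saslauthd running with the kerberos5 mechanism. The DN, uid, realm EXAMPLE.COM, file paths and the mux socket location are assumptions and vary by distribution.

```text
# --- 1. User entry (LDIF), constructed example ---
# The {SASL} scheme tells slapd not to compare the bind password itself but
# to hand it to Cyrus SASL's password check, with "bkearney@EXAMPLE.COM"
# as the SASL user and realm. No password material is stored in LDAP.
dn: uid=bkearney,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bkearney
cn: Brendan Kearney
sn: Kearney
userPassword: {SASL}bkearney@EXAMPLE.COM

# --- 2. Cyrus SASL configuration for the slapd application ---
# File location is distribution-specific (assumed /etc/sasl2/slapd.conf on
# Fedora, /usr/lib/sasl2/slapd.conf elsewhere). saslauthd_path is optional
# and only needed if the mux socket is not at the library's default.
pwcheck_method: saslauthd
saslauthd_path: /run/saslauthd/mux

# --- 3. saslauthd daemon settings ---
# Assumed /etc/sysconfig/saslauthd on Fedora. With MECH=kerberos5 saslauthd
# verifies each password by requesting a TGT for the user from the KDC,
# so the KDC, not LDAP, is the authority for the password.
MECH=kerberos5
```

With saslauthd running, `testsaslauthd -u bkearney -p 'the-password' -r EXAMPLE.COM` exercises the Kerberos leg on its own, and `ldapwhoami -x -D uid=bkearney,ou=people,dc=example,dc=com -W` then exercises the full path through slapd. The security-relevant consequence of this design is that the application sends the user's cleartext Kerberos password to slapd in a SIMPLE bind, and slapd forwards it to saslauthd; the LDAP connection therefore needs TLS (ldaps:// or StartTLS), and slapd should be configured to refuse unprotected simple binds, since a compromised LDAP server or network path would expose the Kerberos password rather than just an LDAP one. That is the "moving parts" Howard objects to: every hop that handles the password is an extra place it can be exposed.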

