Hi all,

I set up an OpenLDAP server which is used as the MIT Kerberos backend. User principals have, besides the Kerberos attributes, appropriate objectclasses (e.g. simplesecurityObject, organizationalRole) to also make simple authentication with the attribute userpassword possible.

To consolidate both credentials I made a setup of SASL passthrough with Kerberos as the backend. So I set the value of the userpassword attribute to {SASL}<user>@<realm> and made the required configurations for saslauthd. With this configuration all kinds of authentication will use the Kerberos password.

I made various tests, but there seems to be an issue with preauthentication in OpenLDAP. I got the following result:

=> testsaslauthd is always working, whether the preauth flag is on or off
=> ldapsearch -x is only working with the preauth flag disabled.
=> It makes no difference if MIT Kerberos uses its normal backend

Keep in mind: for clear testing conditions, saslauthd caching has to be disabled! Don't use the -c option in saslauthd, otherwise it could happen that your ldapsearch -x is working because you had success with a former testsaslauthd command!

Does someone have a similar setup which is working with preauth enabled? Or does someone know if this is supported or not?

I use LDAP 2.4.44 with cyrus-sasl-2.1.23.

Thanks in advance.

Kind regards
Uli

--
===================================
Ulrich Tehrani
Am Ulrichshof 19
79189 Bad Krozingen