Re: Preauth Issue with SASL-Passthrough and Kerberos Backend
On Fri, 6 Oct 2017 13:43:34 +0200, Ulrich Tehrani <u_tehrani@yahoo.de> wrote:
> Hi all,
>
> I set up an OpenLDAP server which is used as MIT Kerberos backend.
>
> User principals have - besides the Kerberos attributes - appropriate
> objectclasses (e.g. simpleSecurityObject, organizationalRole) to make
> a simple authentication with the attribute userPassword possible as well.
>
> To consolidate both credentials I made a setup of SASL passthrough with
> the Kerberos backend. So I set the value of the userPassword attribute to
> {SASL}<user>@<realm> and made the required configurations for
> saslauthd.
>
> With this configuration all kinds of authentication will use the
> Kerberos password.
>
> I made various tests, but there seems to be an issue with
> preauthentication in OpenLDAP.
>
> I got the following result:
>
> => testsaslauthd is always working, whether the preauth flag is on or off
>
> => ldapsearch -x is only working with the preauth flag disabled.
>
> => It makes no difference if MIT Kerberos uses its normal backend
>
> Keep in mind: for clear testing conditions, saslauthd caching has to
> be disabled!
>
> Don't use the -c option in saslauthd - otherwise it could happen that
> your ldapsearch -x is working because you had success with a former
> testsaslauthd command!
>
> Does someone have a similar setup which is working with preauth enabled?
>
> Or does someone know if this is supported or not?
>
> I use LDAP 2.4.44 with cyrus-sasl-2.1.23.
I had set up such an environment, but in the end a kerberized
environment is easier to handle than a multitude of authentication
services. For security reasons you should not mix user data and Kerberos
data. I would recommend setting up two different databases.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
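The comparison the quoted message describes, written out as a repeatable check (an added example, not code from either poster). It assumes a test principal, its password and a matching LDAP entry supplied through the TEST_* variables, kadmin.local on the KDC host, and saslauthd running with the kerberos5 backend and without the -c cache; it toggles the principal's requires_preauth flag with kadmin and runs testsaslauthd and ldapsearch -x under each setting so the two paths can be compared side by side.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed inputs (override via environment):
TEST_USER="${TEST_USER:-testuser}"
TEST_REALM="${TEST_REALM:-EXAMPLE.COM}"
TEST_PASS="${TEST_PASS:-changeme}"
TEST_DN="${TEST_DN:-uid=testuser,ou=people,dc=example,dc=com}"
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# Read the principal's preauth setting from `kadmin.local getprinc` output:
# prints 1 if REQUIRES_PRE_AUTH is listed among the attributes, else 0.
preauth_flag() {
    printf '%s\n' "$1" | grep -q 'REQUIRES_PRE_AUTH' && echo 1 || echo 0
}

# Turn an exit status into a readable word.
status_word() { [ "$1" -eq 0 ] && echo OK || echo FAIL; }

# Compare the two authentication paths. A mismatch where saslauthd accepts
# the password but the simple bind does not points at the slapd -> saslauthd
# step rather than at the KDC, which is the symptom reported in the thread.
diagnose() {   # $1 = testsaslauthd status, $2 = ldapsearch -x status
    case "$1:$2" in
        0:0) echo "consistent: both paths accept the password" ;;
        0:*) echo "mismatch: saslauthd accepts, simple bind rejects" ;;
        *:0) echo "mismatch: simple bind accepts, saslauthd rejects" ;;
        *)   echo "consistent: both paths reject the password" ;;
    esac
}

# One round with the preauth flag set as requested ("+" enables, "-" disables).
# The last round leaves the flag in that state; restore it afterwards if needed.
run_round() {
    kadmin.local -q "modprinc ${1}requires_preauth ${TEST_USER}@${TEST_REALM}" >/dev/null
    attrs=$(kadmin.local -q "getprinc ${TEST_USER}@${TEST_REALM}")
    testsaslauthd -u "$TEST_USER" -r "$TEST_REALM" -p "$TEST_PASS" >/dev/null 2>&1 \
        && s=0 || s=$?
    ldapsearch -x -H "$LDAP_URI" -D "$TEST_DN" -w "$TEST_PASS" \
        -s base -b "$TEST_DN" dn >/dev/null 2>&1 && l=0 || l=$?
    printf 'preauth=%s testsaslauthd=%s ldapsearch=%s -> %s\n' \
        "$(preauth_flag "$attrs")" "$(status_word "$s")" \
        "$(status_word "$l")" "$(diagnose "$s" "$l")"
}

# Only touch the KDC when explicitly asked: `sh preauth-check.sh run`
if [ "${1:-}" = "run" ]; then
    run_round -
    run_round +
fi
```

Run it as `sh preauth-check.sh run`; the two printed lines are the preauth-off and preauth-on results for the same credentials.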