
Re: pass-through auth method



With 2.1 the direct connection from OpenLDAP to Kerberos for password
validation via setting the userPassword attribute to
{KERBEROS}principal@realm was deprecated and jumping through hoops is
required to make it work.  The recommendation (and a lot of traffic on
openldap-software) was generated at that time about how to convert to
using userPassword values of {SASL}principal@realm and getting saslauthd
configured to do the actual Kerberos conversation to authenticate the
password with the principal.

I am using it on my production machines and here's the basic checklist:

1) generate a machine host/fqdn@realm principal

2) set up a keytab for saslauthd to use that has that principal in it

3) set up the /lib/sasl2/slapd.conf file to use saslauthd.  Contents
would be:
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

(that second line is unique to RedHat's saslauthd setup)

4) fire up saslauthd

5) If you are using RedHat, grab their SRPM and build the testsaslauthd
program so you can test that saslauthd is working (Why RH doesn't
include that very useful program in their RPM is way beyond the scope of
my comprehension)

Frank

On Wed, 29 Sep 2004 at 10:16am, Andrew Bacchi wrote:

> I am looking for an example or HowTo on setting up LDAP to use the
> pass-through authentication method with kerberos.  The SASL method
> allows kerberos to store passwords in the LDAP database, the
> pass-through method passes the authentication request from LDAP to the
> existing kerberos kdc.
>
> Is anyone doing this, or point me to this information?  Thanks.
>

-- 
Frank Swasey                    | http://www.uvm.edu/~fcs
Informtn Tech Profssnl Sr       | Always remember: You are UNIQUE,
University of Vermont           |    just like everyone else.
        === God bless all inhabitants of your planet ===
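The five-step checklist above, written out as a shell script. This is an added example and not part of Frank's post or of OpenLDAP; the realm, host name, keytab path and admin principal are placeholders you must replace, the socket path is the RedHat one named in the post, and the kadmin/saslauthd/testsaslauthd invocations assume those tools are installed and that you hold a Kerberos admin principal. The functions only run when the script is invoked with "run", so it can be sourced and checked piecewise first.

```shell
#!/bin/sh
# Added example (not from the original post): Frank's five-step checklist
# for OpenLDAP 2.1 pass-through authentication via saslauthd, as a script.
# Every site-specific value below is an assumed placeholder.
set -u

REALM="EXAMPLE.COM"                 # placeholder Kerberos realm
HOST_FQDN="ldap.example.com"        # placeholder FQDN of the LDAP server
KEYTAB="/etc/saslauthd.keytab"      # assumed keytab path for saslauthd
MUX="/var/run/saslauthd/mux"        # RedHat socket path from the post
ADMIN="admin/admin@$REALM"          # assumed kadmin principal

# Step 1: create the host/fqdn@REALM service principal with a random key.
create_host_principal() {
    kadmin -p "$ADMIN" -q "addprinc -randkey host/$HOST_FQDN@$REALM"
}

# Step 2: export that principal's key into a keytab saslauthd can read,
# and keep the keytab readable only by root (saslauthd runs as root here).
export_keytab() {
    kadmin -p "$ADMIN" -q "ktadd -k $KEYTAB host/$HOST_FQDN@$REALM"
    chmod 600 "$KEYTAB"
}

# Step 3: write the SASL config slapd reads. The path differs by
# distribution (/usr/lib/sasl2/slapd.conf on RedHat, /etc/sasl2 elsewhere),
# so it is passed in as the first argument.
write_slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\nsaslauthd_path: %s\n' "$MUX" > "$1"
}

# Step 4: start saslauthd with the Kerberos 5 mechanism, pointing the
# Kerberos library at our keytab and saslauthd at the socket directory.
start_saslauthd() {
    KRB5_KTNAME="$KEYTAB" saslauthd -a kerberos5 -m "$(dirname "$MUX")"
}

# Step 5: verify saslauthd answers before wiring slapd to it.
# testsaslauthd exits 0 on "OK" and non-zero on "NO".
check_saslauthd() {
    testsaslauthd -u "$1" -p "$2" -s slapd -f "$MUX"
}

# Emit the LDIF that switches a user's entry to the {SASL} userPassword form
# the post recommends; args: entry DN, Kerberos principal name (without realm).
sasl_userpassword_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n' \
        "$1" "$2" "$REALM"
}

# Usage: sh setup-passthrough.sh run <testuser> <testpassword>
if [ "${1:-}" = "run" ]; then
    create_host_principal
    export_keytab
    write_slapd_sasl_conf /usr/lib/sasl2/slapd.conf
    start_saslauthd
    check_saslauthd "$2" "$3"
    sasl_userpassword_ldif "uid=$2,dc=example,dc=com" "$2" | ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W
fi
```

The ordering matters: run the testsaslauthd check (step 5) against the raw daemon before changing any userPassword values, so a failure in the keytab or the mux path shows up as a saslauthd "NO" rather than as a mysterious bind failure in slapd. The LDIF helper only replaces userPassword; the entry's other attributes are untouched.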