Re: Trying to get passthrough auth working with OpenLDAP and Kerberos



On Thu, 2012-01-26 at 17:38 -0500, Howard Chu wrote:
> Raffael Sahli wrote:
> > No, authz-regexp is to map a sasl dn to a real user account in your ldap
> > directory.
> >
> > But your user is chas@test.com with a realm named test.com, your
> > userPassword should be {SASL}chas@KRBTEST
> 
> What the heck are you talking about? If the username is chas@test.com then 
> that is what goes in the password:
> 
>    userpassword: {SASL}chas@test.com
> 
> If the realm is actually KRBTEST then the username should be chas@KRBTEST.
> 
> > and also exists as a principal on your kerberos db ;)
> 

Okay, I'm a little confused here now. So here's what I have in
krb5.conf:

[libdefaults]
 default_realm = KRBTEST
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes

[realms]
 AKTEST = {
  kdc = ldapsandbox.test.com:88
  admin_server = ldapsandbox.test.com:749
  default_domain = test.com
}

[domain_realm]
 .agkn.net = KRBTEST
 agkn.net = KRBTEST

And when I look at my principals in Kerberos, this is what I have:

kadmin:  listprincs
K/M@KRBTEST
chas/admin@KRBTEST
chas@KRBTEST
host/ldapsandbox.test.com@KRBTEST
kadmin/admin@AKTEST
kadmin/changepw@AKTEST
kadmin/history@AKTEST
kadmin/ldapsandbox.test.com@KRBTEST
krbtgt/KRBTEST@KRBTEST
ldap/ldapsandbox.test.com@KRBTEST
root/admin@KRBTEST

So what should the userPassword attribute be set to? I assumed it should
be {SASL}chas@KRBTEST -- is that correct? I just want to make sure I'm
on the right track there.
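As an added example that is not part of this thread (and not OpenLDAP or MIT Kerberos code), a small consistency check for a proposed {SASL}user@REALM userPassword value, run against copies of the krb5.conf and `listprincs` output quoted above: the principal must exist in the KDC database, and, because dns_lookup_kdc is false, the [realms] section must list a kdc for that realm. Both inputs below are constructed from the text of this message, not read from a live system.

```python
import re

# Constructed inputs, copied from the krb5.conf and `kadmin: listprincs`
# output quoted in the message above (not read from a live system).
KRB5_CONF = """\
[libdefaults]
 default_realm = KRBTEST
 dns_lookup_kdc = false
[realms]
 AKTEST = {
  kdc = ldapsandbox.test.com:88
  admin_server = ldapsandbox.test.com:749
 }
"""
LISTPRINCS = "chas@KRBTEST\nkadmin/admin@AKTEST\nkrbtgt/KRBTEST@KRBTEST\n"

def parse_krb5_conf(text):
    """Minimal krb5.conf parser: {section: {key: value}}, one level of 'NAME = { ... }' nesting."""
    sections, section, sub = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = sections.setdefault(line[1:-1], {})
            sub = None
        elif line.endswith('{'):
            sub = section.setdefault(line.split('=')[0].strip(), {})
        elif line == '}':
            sub = None
        else:
            key, _, value = line.partition('=')
            (sub if sub is not None else section)[key.strip()] = value.strip()
    return sections

def check_sasl_password(userpassword, conf_text=KRB5_CONF, princs_text=LISTPRINCS):
    """Check a '{SASL}user@REALM' value against krb5.conf and the principal list; [] means consistent."""
    m = re.fullmatch(r'\{SASL\}([^@]+)@(.+)', userpassword)
    if not m:
        return ['value is not of the form {SASL}user@REALM']
    user, realm = m.groups()
    conf = parse_krb5_conf(conf_text)
    libdefaults, realms = conf.get('libdefaults', {}), conf.get('realms', {})
    findings = []
    if f'{user}@{realm}' not in princs_text.split():
        findings.append(f'no principal {user}@{realm} in the KDC database')
    # With DNS lookup disabled the client can only reach a KDC named in [realms].
    if libdefaults.get('dns_lookup_kdc') == 'false' and 'kdc' not in realms.get(realm, {}):
        findings.append(f'no kdc listed for {realm} in [realms] and dns_lookup_kdc is false')
    return findings
```

For the quoted config, `check_sasl_password('{SASL}chas@KRBTEST')` reports that [realms] lists no kdc for KRBTEST (the only stanza is AKTEST), while a principal in AKTEST passes cleanly.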