SASL support for kldap

Zoran Pericic zpericic at netst.org
Sun Nov 13 12:25:12 EST 2011


On 09.01.2011 22:34, Zoran Pericic wrote:
> This patch adds support for SASL auth to the LDAP server. It supports any 
> SASL auth method and it supports separate options for kdc, kadmin, 
> kpasswd.
>
> I have not touched the e-Directory stuff but I believe it could be removed.
>
> These options are global for the server:
> ldap_debug - LDAP debug level, see ldap_set_option(3)
> ldap_starttls - Should we start StartTLS. StartTLS would not be issued 
> if server uri begins with ldaps. Acceptable are any integers, yes/no, 
> true/false
>
> These options could be separated per service by replacing ldap_ with 
> ldap_kdc_, ldap_kadmin_, ldap_kpasswd.
> ldap_auth_method - "none" for anonymous bind, "simple" for simple bind 
> and "sasl" for SASL bind
> ldap_sasl_mech - See SASL documentations.
> ldap_sasl_user - Authorization user. See SASL documentations.
> ldap_sasl_auth_user - Authentication user. See SASL documentations.
> ldap_sasl_realm - See SASL documentations.
> ldap_sasl_secret - See SASL documentations.
> ldap_tls_cacert_file - Filename of CA certificate file.
> ldap_tls_cacert_dir - Path to CA certification dir.
> ldap_tls_cert_file - Certificate we could use for auth
> ldap_tls_cert_key_file - Certificate key we could use for auth
> ldap_tls_reqcert - "none", "allow", "try", "demand", "hard". See 
> SSL/LDAP documentation.
> ldap_tls_crl_file - CRL file. Depends on SSL implementation. See 
> ldap_set_option(3)
> ldap_tls_crlcheck - "none", "peer", "all". Check CRL. Depends on SSL 
> implementation. See ldap_set_option(3)
>
> Here is sample config for SASL EXTERNAL
>
> [dbmodules]
>     ldapconf = {
>         dbname = ldap
>         db_library = kldap
>         ldap_kerberos_container_dn = "ou=Kerberos,dc=example"
>         ldap_servers = ldap://server.example
>         ldap_starttls = 1
>         ldap_conns_per_server = 5
>         ldap_auth_method = sasl
>         ldap_sasl_mech = EXTERNAL
>         ldap_tls_cacert_file = /etc/pki/tls/certs/cacert.pem
>         ldap_tls_cert_file = /etc/pki/tls/certs/server.pem
>         ldap_tls_cert_key_file = /etc/pki/tls/private/server.key
>         ldap_tls_reqcert = demand
>         }
>
> Best regards,
> Zoran Pericic

Attached patch for 1.9.1.

Best regards,
Zoran Pericic
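An added example, not part of this mail or the attached patch: it applies the per-service override rule described above (ldap_kdc_, ldap_kadmin_, ldap_kpasswd_ prefixes falling back to ldap_) and flags settings that weaken the connection to the LDAP server. The stanza is a constructed variant of the quoted sample, and the stanza syntax and the "unset means not verified" treatment of ldap_tls_reqcert are assumptions.

```python
# Constructed sample stanza modelled on the one quoted in the mail (syntax assumed).
SAMPLE = """
[dbmodules]
    ldapconf = {
        db_library = kldap
        ldap_kerberos_container_dn = "ou=Kerberos,dc=example"
        ldap_servers = ldap://server.example
        ldap_starttls = yes
        ldap_auth_method = sasl
        ldap_sasl_mech = EXTERNAL
        ldap_tls_cert_file = /etc/pki/tls/certs/server.pem
        ldap_tls_reqcert = demand
        ldap_kadmin_auth_method = simple
        ldap_kpasswd_tls_reqcert = allow
    }
"""
SERVICES = ("kdc", "kadmin", "kpasswd")

def parse_stanza(text):
    """Collect 'key = value' pairs from the first { ... } block of the stanza."""
    body = text.split("{", 1)[1].split("}", 1)[0]
    pairs = (line.split("=", 1) for line in body.splitlines() if "=" in line)
    return {k.strip(): v.strip().strip('"') for k, v in pairs}

def effective(opts, service, name):
    """ldap_<service>_<name> overrides the global ldap_<name>, as the mail describes."""
    return opts.get(f"ldap_{service}_{name}", opts.get(f"ldap_{name}"))

def as_bool(value):
    """ldap_starttls accepts any integer, yes/no or true/false."""
    v = (value or "0").strip().lower()
    if v in ("yes", "true"):
        return True
    if v in ("no", "false"):
        return False
    return int(v) != 0

def audit(opts):
    """Return (service, problem) pairs for settings that weaken the LDAP connection."""
    uri = opts.get("ldap_servers", "")
    # StartTLS is not issued for ldaps:// URIs, so either one gives an encrypted channel.
    cleartext = not uri.startswith("ldaps://") and not as_bool(opts.get("ldap_starttls"))
    findings = []
    for svc in SERVICES:
        method = effective(opts, svc, "auth_method") or "none"
        reqcert = effective(opts, svc, "tls_reqcert") or "unset"  # assumed: unset = unverified
        if cleartext and method != "none":
            findings.append((svc, "bind credentials travel without TLS"))
        if reqcert not in ("demand", "hard"):
            findings.append((svc, f"ldap_tls_reqcert is {reqcert}, not demand/hard"))
        if method == "sasl" and effective(opts, svc, "sasl_mech") == "EXTERNAL" \
                and not effective(opts, svc, "tls_cert_file"):
            findings.append((svc, "SASL EXTERNAL without a client certificate"))
    return findings
```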

-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.9.1-sasl.patch
Type: text/x-patch
Size: 58549 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/krbdev/attachments/20111113/612b916e/attachment.bin