ldap simple bind with kerberos passwords
Turbo Fredriksson
turbo at bayour.com
Fri Feb 10 02:37:14 EST 2006
Quoting Karen R McArthur <kmcarthu at bates.edu>:
> Passwords are stored in the kerberos database.
> All passwords in ldap
> are set to {SASL}principal@REALM (I've also tried
> {KERBEROS}principal@REALM).
These are two different things. Either you have the password in the LDAP
database, or you don't. If you use the {SASL} ({KERBEROS} is deprecated,
and no longer available - {SASL} supersedes it), then what "you're"
saying is "Talk to SASL for verifying this password". In (Cyrus) SASL
you can have a multitude of ways of storing passwords - Kerberos is
just one of them...
> All ldap "People" have a kerberos record and also the "krb5Principal" objectClass.
This is, strictly speaking, not _required_. Mainly (?) used to simplify ACL/ACI
writing...
> Is this an ldap configuration issue? Or is it kerberos? Any ideas
> would be greatly appreciated!
If I could venture a guess (without looking/knowing exactly
how you've configured the systems), I'd say it's solely a
(Cyrus) SASL problem...
Do you run the 'saslauthd' on the LDAP server? Is it configured
correctly? Are you _running_ it correctly?
If you use Kerberos, then you'd need the '-a kerberos5' option...
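
The distinction drawn in the reply above, as an added example (not part of the original post and not OpenLDAP's own code): a small auditor that reads an LDIF export and reports, per entry, whether userPassword is stored in LDAP or is a {SASL} reference that delegates verification to SASL, flagging the deprecated {KERBEROS} scheme. The DNs, sample values and result labels are constructed for illustration.

```python
import base64
import re

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)

def classify(value):
    """Return (kind, detail) for one decoded userPassword value."""
    m = SCHEME_RE.match(value)
    if not m:
        return ("stored-in-ldap", "no-scheme")   # no {SCHEME} prefix at all
    scheme, rest = m.group(1).upper(), m.group(2)
    if scheme == "SASL":
        return ("sasl-passthrough", rest)        # verification delegated to SASL
    if scheme == "KERBEROS":
        return ("deprecated-kerberos", rest)     # superseded by {SASL}
    return ("stored-in-ldap", scheme)            # e.g. SSHA: secret lives in LDAP

def audit(ldif_text):
    """Map each entry's DN to the classification of its userPassword."""
    results, dn = {}, None
    unfolded = ldif_text.replace("\n ", "")      # join LDIF continuation lines
    for line in unfolded.splitlines():
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = line[3:].strip()
        elif lower.startswith("userpassword:"):
            raw = line[len("userpassword:"):]
            if raw.startswith(":"):              # "::" marks a base64 value
                value = base64.b64decode(raw[1:].strip()).decode("utf-8", "replace")
            else:
                value = raw.strip()
            results[dn] = classify(value)
    return results

# Constructed sample export (hypothetical entries, not from the thread).
_B64 = base64.b64encode(b"{KERBEROS}bob@EXAMPLE.ORG").decode()
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=org",
    "userPassword: {SASL}alice@EXAMPLE.ORG",
    "",
    "dn: uid=bob,ou=People,dc=example,dc=org",
    "userPassword:: " + _B64,
    "",
    "dn: uid=carol,ou=People,dc=example,dc=org",
    "userPassword: {SSHA}constructedHashValue",
])

if __name__ == "__main__":
    for entry, (kind, detail) in audit(SAMPLE_LDIF).items():
        print(f"{entry}: {kind} ({detail})")
```

Entries reported as sasl-passthrough are the ones whose simple binds depend on the SASL side (for example saslauthd) being configured and running on the LDAP server.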