KERBEROS+SASL+OPENLDAP : login but no ticket

Sensei senseiwa at mac.com
Fri Feb 10 13:21:20 EST 2006


On 2006-02-10 15:16:07 +0100, "jeremy.briffaut at gmail.com" 
<jeremy.briffaut at gmail.com> said:

> Yes, it's the first solution that I have tried.
> login->pam_krb5->kerberos + ldap for account
> 
> And I would like to test the login->pam_ldap->openldap->SASL->kerberos just
> for fun :)
> This way, all clients can connect to the server with ldap (no need
> of kerberos). Kerberos clients can additionally have a ticket. But I
> don't know if this is possible with just ldap in pam.
> But kerb and then ldap in pam works.


But this means that the password is in LDAP, you have NO credentials 
upon login. SASL/GSSAPI are meant to be used against kerberos granting 
access to some resources like ldap entries, not to obtain a ticket...

-- 
Sensei <senseiwa at mac.com>

Part of the inhumanity of the computer is that, once it is competently 
programmed and working smoothly, it is completely honest. (Isaac Asimov)
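
The two login paths compared in this thread, sketched as an added configuration example (not part of the original posts). The realm EXAMPLE.ORG, user alice, the DN and the file excerpts are constructed placeholders, module options vary by distribution, and the second path assumes OpenLDAP's `{SASL}` password pass-through via saslauthd.

```text
# --- Path A: login -> pam_krb5 -> KDC, LDAP only for account data ---
# /etc/pam.d/login (constructed excerpt)
auth     required  pam_krb5.so   # password is checked by the KDC; a TGT is
                                 # stored in the user's credential cache
account  required  pam_ldap.so   # account checks only, read from the directory

# --- Path B: login -> pam_ldap -> slapd -> SASL -> Kerberos ---
# /etc/pam.d/login (constructed excerpt)
auth     required  pam_ldap.so   # simple bind to slapd with the typed password;
                                 # the password crosses the wire, so the LDAP
                                 # connection needs TLS
account  required  pam_ldap.so

# LDAP entry (LDIF, constructed): the {SASL} scheme tells slapd to hand the
# bind password to Cyrus SASL instead of comparing a stored hash
dn: uid=alice,ou=people,dc=example,dc=org
userPassword: {SASL}alice@EXAMPLE.ORG

# Cyrus SASL config read by slapd (location depends on the build,
# e.g. /usr/lib/sasl2/slapd.conf)
pwcheck_method: saslauthd

# saslauthd runs with its Kerberos 5 backend:
#   saslauthd -a kerberos5
#
# Result: saslauthd verifies the password against the KDC on the LDAP server
# and returns only success or failure to slapd. Nothing is written to a
# credential cache on the client, so `klist` after a Path B login shows
# no ticket. Only Path A leaves the user with Kerberos credentials.
```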



