Help with SASL/GSSAPI to remote Kerberos server

Douglas E. Engert deengert at anl.gov
Wed Feb 20 10:05:27 EST 2008


Wes Modes wrote:
> Reason for this is that eventually, our campus kerberos
> service will be replaced with a secure LDAP auth.

OH! Are you sure this is a good idea? (This is the Kerberos list)
Are you looking at Samba or AD as the LDAP server? If so they both
have Kerberos (Samba 4 does at least). So you may want to look
a little further down the road before dropping Kerberos.

> 
> But it remains an open question for me whether it is possible to have
> Samba/smbldap-tools ask LDAP/GSSAPI which indirectly asks Kerberos for
> authentication.

As Jeff pointed out, not with GSSAPI. What you might be looking for
is slapd code to take a username and password and do in effect a kinit
and a verify tgt, or have a sasl plugin do it for you. I don't know
of one.

You might want to ask on a sasl list, or OpenLDAP list. You will
not get much help on a Kerberos list, as the intent of Kerberos is
to never send the password over the network.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


