Help with SASL/GSSAPI to remote Kerberos server
Douglas E. Engert
deengert at anl.gov
Wed Feb 20 10:05:27 EST 2008
Wes Modes wrote:
> Reason for this is that eventually, our campus kerberos
> service will be replaced with a secure LDAP auth.
OH! Are you sure this is a good idea? (This is the Kerberos list)
Are you looking at Samba or AD as the LDAP server? If so they both
have Kerberos (Samba 4 does at least). So you may want to look
a little further down the road before dropping Kerberos.
>
> But it remains an open question for me whether it is possible to have
> Samba/smbldap-tools ask LDAP/GSSAPI which indirectly asks Kerberos for
> authentication.
As Jeff pointed out, not with GSSAPI. What you might be looking for
is slapd code to take a username and password and do in effect a kinit
and a verify tgt, or have a sasl plugin do it for you. I don't know
of one.
You might want to ask on a sasl list, or OpenLDAP list. You will
not get much help on a Kerberos list, as the intent of Kerberos is
to never send the password over the network.
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444