OpenLDAP to Kerberos, Take 2

Wes Modes wmodes at ucsc.edu
Fri Feb 29 15:28:15 EST 2008


Earlier I asked a few questions about OpenLDAP authenticating via 
Kerberos.  I'm going to back up a bit and ask a more general question to 
ensure I have an adequate understanding to go further into the details 
of a solution.

On a Kerberos list I was asking for a little bit of help, and the answer 
I got revealed that maybe I don't understand as much about OpenLDAP's 
interaction with Kerberos as I'd thought. 

In general, I am trying to authenticate a login and password received 
via an OpenLDAP client (in this case SMB via the smbldap-tools) with the 
logins and passwords held in a Kerberos server elsewhere.  Is this a 
legitimate use of these services?  Am I thinking about this wrong?  If 
so, what else do I need to know?

I thought it was possible that I could have an ldap-bind request 
referred via SASL/GSSAPI to do a Kerberos authentication. 

But on this Kerberos list, here's the response I got.

    A KDC does not speak GSSAPI nor SASL.  A KDC issues tickets.  You use 
    SASL-GSSAPI-KRB5 when you want to establish an authenticated connection 
    to an application service for which a service principal exists within 
    the KDC database.  The KDC is not an application service.

    As Jeff pointed out, [you can't do that] with GSSAPI. What you might be 
    looking for is slapd code to take a username and password and do in effect 
    a kinit and a verify tgt, or have a sasl plugin do it for you. I don't know
    of one.

But on an OpenLDAP list I got:

    There is an ugly hack: having a userPassword field with "{SASL}<Kerberos 
    principal>" in LDAP you can employ saslauthd's Kerberos backend. We use 
    it as a crutch for a web application which can only authenticate against 
    an LDAP directory.

Perhaps you can help me understand or reconcile these responses.  Maybe 
I will come to a better understanding that will help me either come 
closer to a solution or rephrase my question in a way that is useful.

Thanks.

Wes


Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
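The "{SASL} plus saslauthd" arrangement the OpenLDAP reply describes is what the OpenLDAP documentation calls pass-through authentication, and it takes three pieces that have to agree: slapd's own SASL config pointing password checks at saslauthd, saslauthd running its kerberos5 backend, and the entry's userPassword holding the Kerberos principal. The script below is an added example written for this page, not code from the poster or from either list reply. It stages those three pieces into a scratch directory so it runs offline, and a check function confirms they line up; the file paths are assumed Debian-style locations (the slapd SASL file in particular lives at /etc/sasl2/slapd.conf or /usr/lib/sasl2/slapd.conf depending on the build), and the realm and uid are constructed values, not the poster's.

```shell
#!/bin/sh
# Added example (not from the original thread): stage the three config
# pieces of OpenLDAP pass-through authentication via saslauthd's
# kerberos5 backend, then sanity-check that they agree.
set -eu

STAGE="${STAGE:-$(mktemp -d)}"   # scratch root instead of the real /etc
REALM="EXAMPLE.ORG"              # constructed realm, assumption only
USER_ID="wmodes"                 # constructed uid, assumption only

write_pass_through_config() {
    mkdir -p "$STAGE/etc/sasl2" "$STAGE/etc/default"

    # 1. slapd's SASL config: simple-bind passwords are handed to saslauthd
    #    instead of being compared against a stored hash. Assumed path:
    #    /etc/sasl2/slapd.conf (some builds use /usr/lib/sasl2/slapd.conf).
    cat > "$STAGE/etc/sasl2/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF

    # 2. saslauthd daemon settings (assumed Debian-style /etc/default/saslauthd):
    #    the kerberos5 backend authenticates by obtaining Kerberos credentials
    #    for the supplied user and password, i.e. the "kinit" the KDC list
    #    reply refers to.
    cat > "$STAGE/etc/default/saslauthd" <<'EOF'
START=yes
MECHANISMS="kerberos5"
OPTIONS="-m /var/run/saslauthd"
EOF

    # 3. The directory entry: the {SASL} prefix tells slapd to defer the
    #    password check to SASL, and the value names the Kerberos principal.
    cat > "$STAGE/user.ldif" <<EOF
dn: uid=$USER_ID,ou=people,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: {SASL}$USER_ID@$REALM
EOF
}

# Returns 0 when all three pieces are present and consistent, 1 otherwise.
check_pass_through_config() {
    grep -q '^pwcheck_method: saslauthd$' "$STAGE/etc/sasl2/slapd.conf" || return 1
    grep -q '^MECHANISMS="kerberos5"$' "$STAGE/etc/default/saslauthd" || return 1
    # The principal must carry the realm saslauthd will authenticate against.
    grep -q "^userPassword: {SASL}[^@]*@$REALM\$" "$STAGE/user.ldif" || return 1
    return 0
}

write_pass_through_config
check_pass_through_config && echo "staged a consistent pass-through config under $STAGE"
```

Two points a practitioner will want to keep in mind with this setup. First, it only works for LDAP simple binds, so the password itself travels from the client (here smbldap-tools) to slapd and then to saslauthd; the LDAP connection therefore needs TLS (ldaps or StartTLS) or it is cleartext on the wire. Second, once the real files are in place, `testsaslauthd -u <user> -p <password>` exercises the saslauthd side on its own, which separates a Kerberos problem from an slapd configuration problem when a bind fails.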


