OpenLDAP to Kerberos, Take 2
Wes Modes
wmodes at ucsc.edu
Fri Feb 29 15:28:15 EST 2008
Earlier I asked a few questions about OpenLDAP authenticating via
Kerberos. I'm going to back up a bit and ask a more general question to
ensure I have an adequate understanding to go further into the details
of a solution.
On a Kerberos list I was asking for a little bit of help, and the answer
I got revealed that maybe I don't understand as much about OpenLDAP's
interaction with Kerberos as I'd thought.
In general, I am trying to authenticate a login and password received
via an OpenLDAP client (in this case SMB via the smbldap-tools) with the
logins and passwords held in a Kerberos server elsewhere. Is this a
legitimate use of these services? Am I thinking about this wrong? If
so, what else do I need to know?
I thought it was possible that I could have an ldap-bind request
referred via SASL/GSSAPI to do a Kerberos authentication.
But on this Kerberos list, here's the response I got.
A KDC does not speak GSSAPI nor SASL. A KDC issues tickets. You use
SASL-GSSAPI-KRB5 when you want to establish an authenticated connection
to an application service for which a service principal exists within
the KDC database. The KDC is not an application service.
As Jeff pointed out, [you can't do that] with GSSAPI. What you might be
looking for is slapd code to take a username and password and do in effect
a kinit and a verify tgt, or have a sasl plugin do it for your. I don't know
of one.
But on an OpenLDAP list I got:
There is an ugly hack: having a userPassword field with "{SASL}<Kerberos
principal>" in LDAP you can employ saslauthd's Kerberos backend. We use
it as a crutch for a web application which can only authenticate against
an LDAP directory
Perhaps you can help me understand or reconcile these responses. Maybe
I will come to a better understanding that will help me either come
closer to a solution or rephrase my question in a way that is useful.
Thanks.
Wes
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
More information about the Kerberos
mailing list