OpenLDAP to Kerberos, Take 2

Wes Modes wmodes at ucsc.edu
Fri Feb 29 17:41:29 EST 2008


>> But on an OpenLDAP list I got:
>>
>>     There is an ugly hack: having a userPassword field with
>>     "{SASL}<Kerberos principal>" in LDAP you can employ saslauthd's
>>     Kerberos backend. We use it as a crutch for a web application which
>>     can only authenticate against an LDAP directory
>>     
>
> And what that does is exactly what's described above: it causes slapd to
> take the username and password and do a kinit and ticket verification.
> (What it actually does is hand the username and password off to saslauthd,
> which then does that, but for your purposes it amounts to the same thing.)
>   
Where does one get more info on this ugly hack? 

What you described is precisely what I was hoping for.  However, I hoped 
it would be commonplace and elegant.  But ugly hacks have their place.

W.

-- 

Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
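
An added example, not part of the original post or of OpenLDAP's own code: when moving a directory to the "{SASL}<Kerberos principal>" form of userPassword quoted above, it helps to audit which entries are already handed off to saslauthd and which still hold a locally checked value. LDIF exports often carry userPassword base64-encoded ("userPassword::") and line-folded, so a plain grep for {SASL} can miss entries. The DNs, the EXAMPLE.EDU realm and the function names are constructed for illustration.

```python
import base64
import re

# Constructed sample LDIF (not from the post): a plain value, a base64-encoded
# and folded value, and an entry that still holds a local hash (placeholder).
_B64 = base64.b64encode(b"{SASL}bob@EXAMPLE.EDU").decode()
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=edu\n"
    "userPassword: {SASL}alice@EXAMPLE.EDU\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=edu\n"
    f"userPassword:: {_B64[:10]}\n {_B64[10:]}\n"
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=edu\n"
    "userPassword: {SSHA}constructed-placeholder\n"
)

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def audit(ldif):
    """Map each DN to a list of (scheme, principal) for its userPassword values."""
    # LDIF folding: a line starting with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", ldif)
    results = {}
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        dn = None
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if rest.startswith(":"):  # "attr:: value" means base64
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            if attr.lower() == "dn":
                dn = value
            elif attr.lower() == "userpassword" and dn:
                m = SCHEME_RE.match(value)
                scheme = m.group(1).upper() if m else "CLEARTEXT"
                # Only the scheme is kept for local values, never the hash itself.
                principal = m.group(2) if scheme == "SASL" else None
                results.setdefault(dn, []).append((scheme, principal))
    return results


def not_delegated(results):
    """DNs that still have at least one userPassword value slapd checks locally."""
    return sorted(dn for dn, vals in results.items()
                  if any(scheme != "SASL" for scheme, _ in vals))


if __name__ == "__main__":
    print(not_delegated(audit(SAMPLE_LDIF)))
```

With this scheme the client's simple bind carries the Kerberos password to slapd, so the LDAP connection itself needs TLS.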



More information about the Kerberos mailing list