OpenLDAP to Kerberos, Take 2

paul paul at subsignal.org
Tue Mar 4 04:44:36 EST 2008


Wes Modes schrieb:
>>> But on an OpenLDAP list I got:
>>>
>>>     There is an ugly hack: having a userPassword field with
>>>     "{SASL}<Kerberos principal>" in LDAP you can employ saslauthd's
>>>     Kerberos backend. We use it as a crutch for a web application which
>>>     can only authenticate against an LDAP directory
>>>     
>> And what that does is exactly what's described above: it causes slapd to
>> take the username and password and do a kinit and ticket verification.
>> (What it actually does is hand the username and password off to saslauthd,
>> which then does that, but for your purposes it amounts to the same thing.)
>>   
> Where does one get more info on this ugly hack? 
> 
> What you described is precisely what I was hoping for.  However, I hoped 
> it would be commonplace and elegant.  But ugly hacks have their place.
Hi,

before going down this route you might investigate adding SASL GSSAPI to 
smbldap-tools. I took a quick look at the source code and it seems 
straightforward to add Authen::SASL bind capabilities.
You need to find out if you have access to a ticket when the script is 
called though. You might ask the samba folks here...

cheers
  Paul
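As an added illustration of the route Paul suggests (not code from the thread or from smbldap-tools), this is what a SASL GSSAPI bind with Net::LDAP and Authen::SASL looks like, with the ticket check he says still needs answering done up front. The host name is a placeholder; the `klist -s` check, the WhoAmI lookup and the required GSSAPI backend module are assumptions.

```perl
#!/usr/bin/perl
# Added example: SASL GSSAPI bind with Net::LDAP + Authen::SASL.
# Assumes Net::LDAP, Authen::SASL and a GSSAPI-capable backend
# (e.g. Authen::SASL::XS or the GSSAPI module) are installed.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;   # assumed available (ships with perl-ldap)
use Authen::SASL;

my $ldap_host = 'ldap.example.org';   # placeholder, not a real host

# Paul's open question: does the script hold a ticket when it is called?
# `klist -s` exits 0 only when the default credential cache holds a valid TGT.
sub have_kerberos_ticket {
    return system('klist', '-s') == 0;
}

sub gssapi_bind {
    my ($host) = @_;

    # Fail early with a useful message instead of an opaque SASL error.
    die "no usable Kerberos credential cache (KRB5CCNAME="
      . ($ENV{KRB5CCNAME} // 'unset') . ")\n"
      unless have_kerberos_ticket();

    my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";

    # GSSAPI instead of a simple bind: no password ever leaves the script,
    # the ticket in the cache is used to authenticate to slapd.
    my $sasl = Authen::SASL->new(mechanism => 'GSSAPI');
    my $mesg = $ldap->bind(sasl => $sasl);
    die "GSSAPI bind failed: " . $mesg->error . "\n" if $mesg->code;

    return $ldap;
}

my $ldap = gssapi_bind($ldap_host);

# Confirm which authorization identity slapd mapped the principal to;
# a wrong or empty authzId usually means the authz-regexp mapping is off.
my $who = $ldap->who_am_i;
print "bound as: ", ($who->response // '<none>'), "\n";
$ldap->unbind;
```

If the script runs from a cron job or daemon rather than a user session, the ticket check is where it will fail first; that is the point Paul says to settle with the samba folks before changing smbldap-tools.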
