SASL support for kldap

Zoran Pericic zpericic at
Sun Jan 9 16:34:49 EST 2011

This patch add support for SASL auth to LDAP server. It support any SASL 
auth method and it support separate options for kdc, kadmin, kpasswd.

I have not touch e-Directory stuffs but I believe it could be removed.

This options are per global for server:
ldap_debug - LDAP debug level, see ldap_set_option(3)
ldap_starttls - Should we start StartTLS. StartTLS would not be issued 
if server uri begins with ldaps. Acceptable are any integers, yes/no, 

Thease options could be separate per service by replacing ldap_ with 
ldap_kdc_, ldap_kadmin_, ldap_kpasswd.
ldap_auth_method - "none" for anonymous bind, "simple" for simple bind 
and "sasl" for SASL bind
ldap_sasl_mech - See SASL documentations.
ldap_sasl_user - Authorization user. See SASL documentations.
ldap_sasl_auth_user - Authentication user. See SASL documentations.
ldap_sasl_realm - See SASL documentations.
ldap_sasl_secret - See SASL documentations.
ldap_tls_cacert_file - Filename of CA certificate file.
ldap_tls_cacert_dir - Path to CA certification dir.
ldap_tls_cert_file - Certificate we could use for auth
ldap_tls_cert_key_file - Certificate key we could use for auth
ldap_tls_reqcert - "none", "allow", "try", "demand", "hard". See 
SSL/LDAP documentation.
ldap_tls_crl_file - CRL file. Depands on SSL implementation. See 
ldap_tls_crlcheck - "none", "peer", "all". Check CRL. Depands on SSL 
implementation. See ldap_set_option(3)

Here is sample config for SASL EXTERNAL

     ldapconf = {
         dbname = ldap
         db_library = kldap
         ldap_kerberos_container_dn = "ou=Kerberos,dc=example"
         ldap_servers = ldap://server.example
         ldap_starttls = 1
         ldap_conns_per_server = 5
         ldap_auth_method = sasl
         ldap_sasl_mech = EXTERNAL
         ldap_tls_cacert_file = /etc/pki/tls/certs/cacert.pem
         ldap_tls_cert_file = /etc/pki/tls/certs/server.pem
         ldap_tls_cert_key_file = /etc/pki/tls/private/server.key
         ldap_tls_reqcert = demand

Best regard,
Zoran Pericic
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5-1.8.2-sasl.patch
Type: text/x-patch
Size: 58444 bytes
Desc: not available
Url :

More information about the krbdev mailing list