SASL support for kldap

Chris Hecker checker at d6.com
Mon Nov 14 00:22:31 EST 2011


Cool, this would be useful for me.  I have to keep a service_passwd file
around for krb5kdc/kadmin even though I use TLS and EXTERNAL for
everybody else (and even have the kdc and kadmin use TLS for the
connections using the LDAPTLS_ env vars, but then they do SIMPLE binds
inside those sessions to the same dn's that the client certs already
provided).

Any hope of getting this integrated into the trunk?

Chris


On 2011/11/13 09:25, Zoran Pericic wrote:
> On 09.01.2011 22:34, Zoran Pericic wrote:
>> This patch adds support for SASL auth to the LDAP server. It supports any
>> SASL auth method and it supports separate options for kdc, kadmin,
>> kpasswd.
>>
>> I have not touched the e-Directory stuff but I believe it could be removed.
>>
>> These options are global for the server:
>> ldap_debug - LDAP debug level, see ldap_set_option(3)
>> ldap_starttls - Should we start StartTLS. StartTLS would not be issued
>> if server uri begins with ldaps. Acceptable are any integers, yes/no,
>> true/false
>>
>> These options can be separated per service by replacing ldap_ with
>> ldap_kdc_, ldap_kadmin_, ldap_kpasswd.
>> ldap_auth_method - "none" for anonymous bind, "simple" for simple bind
>> and "sasl" for SASL bind
>> ldap_sasl_mech - See SASL documentation.
>> ldap_sasl_user - Authorization user. See SASL documentation.
>> ldap_sasl_auth_user - Authentication user. See SASL documentation.
>> ldap_sasl_realm - See SASL documentation.
>> ldap_sasl_secret - See SASL documentation.
>> ldap_tls_cacert_file - Filename of CA certificate file.
>> ldap_tls_cacert_dir - Path to CA certificate dir.
>> ldap_tls_cert_file - Certificate we could use for auth
>> ldap_tls_cert_key_file - Certificate key we could use for auth
>> ldap_tls_reqcert - "none", "allow", "try", "demand", "hard". See
>> SSL/LDAP documentation.
>> ldap_tls_crl_file - CRL file. Depends on SSL implementation. See
>> ldap_set_option(3)
>> ldap_tls_crlcheck - "none", "peer", "all". Check CRL. Depends on SSL
>> implementation. See ldap_set_option(3)
>>
>> Here is sample config for SASL EXTERNAL
>>
>> [dbmodules]
>>     ldapconf = {
>>         dbname = ldap
>>         db_library = kldap
>>         ldap_kerberos_container_dn = "ou=Kerberos,dc=example"
>>         ldap_servers = ldap://server.example
>>         ldap_starttls = 1
>>         ldap_conns_per_server = 5
>>         ldap_auth_method = sasl
>>         ldap_sasl_mech = EXTERNAL
>>         ldap_tls_cacert_file = /etc/pki/tls/certs/cacert.pem
>>         ldap_tls_cert_file = /etc/pki/tls/certs/server.pem
>>         ldap_tls_cert_key_file = /etc/pki/tls/private/server.key
>>         ldap_tls_reqcert = demand
>>         }
>>
>> Best regards,
>> Zoran Pericic
> 
> Attached patch for 1.9.1.
> 
> Best regards,
> Zoran Pericic
> 
> 
> 
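Chris's complaint about SIMPLE binds inside TLS sessions suggests a quick lint of the proposed options. As an added example (not part of Zoran's patch or of MIT krb5), this script parses the sample stanza from the mail and flags a simple bind without StartTLS or ldaps://, an EXTERNAL bind without a TLS session or client certificate, and a weak ldap_tls_reqcert. The per-service override order (ldap_kdc_* over ldap_*), the defaults, and the stanza parser are assumptions about the patch, not its actual behaviour.

```python
# Added example, not from the patch or MIT krb5: lint a kldap stanza against the option
# semantics the mail describes. Defaults and the ldap_kdc_* override rule are assumptions.
import re

# Constructed input: the mail's sample stanza, trimmed to the options checked here.
SAMPLE_CONF = """
[dbmodules]
    ldapconf = {
        ldap_servers = ldap://server.example
        ldap_starttls = 1
        ldap_auth_method = sasl
        ldap_sasl_mech = EXTERNAL
        ldap_tls_cert_file = /etc/pki/tls/certs/server.pem
        ldap_tls_cert_key_file = /etc/pki/tls/private/server.key
        ldap_tls_reqcert = demand
        }
"""

def parse_module(text):
    # Collect 'key = value' lines into a dict; the '{' opening the module is skipped.
    opts = {}
    for line in text.splitlines():
        m = re.match(r'\s*(\w+)\s*=\s*([^{\s].*?)\s*$', line)
        if m:
            opts[m.group(1)] = m.group(2).strip('"')
    return opts

def truthy(value):
    # ldap_starttls accepts any integer, yes/no or true/false (per the mail).
    v = value.lower()
    return v in ("yes", "true") or (v not in ("no", "false") and int(v) != 0)

def check(opts, service="kdc"):
    """Return problems for one service (empty list means the stanza looks sane)."""
    get = lambda k, d=None: opts.get(f"ldap_{service}_{k}", opts.get(f"ldap_{k}", d))
    problems = []
    method = get("auth_method", "simple")
    # StartTLS is not issued for ldaps:// URIs, so either one yields an encrypted session.
    encrypted = get("servers", "").startswith("ldaps") or truthy(get("starttls", "0"))
    if method == "simple" and not encrypted:
        problems.append("simple bind sends the password in clear: set ldap_starttls or use ldaps://")
    if method == "sasl" and get("sasl_mech") == "EXTERNAL":
        if not encrypted:
            problems.append("SASL EXTERNAL needs a TLS session to present the client certificate")
        if not (get("tls_cert_file") and get("tls_cert_key_file")):
            problems.append("SASL EXTERNAL needs ldap_tls_cert_file and ldap_tls_cert_key_file")
    if get("tls_reqcert", "demand") in ("none", "allow"):
        problems.append("ldap_tls_reqcert weaker than 'demand' does not verify the server certificate")
    return problems
```

Running `check(parse_module(SAMPLE_CONF))` on the mail's stanza returns no problems; setting `ldap_kdc_starttls = false` flags the kdc service only, since kadmin and kpasswd still inherit the global `ldap_starttls = 1`.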