>>But now I don't know what client the users might have - they may not have the nice client
>>that OpenLDAP provides, so we need to also authenticate via simple and hope for the same
>>result... but it seems to ignore the "userPassword: {SASL}username" entry:
Kurt replied:
>This uses whatever password check method Cyrus SASL is configured
>to use (which can be per application). The default is SASLdb.
>The latest version of Cyrus SASL doesn't support Kerberos 5 check
>directly (though it would be trivial to add), but you can do
>it via PAM. However, you could just use the "{KERBEROS}principal"
>scheme instead. Note: simple authentication should only be used
>when there are adequate privacy protections.
Strange that Cyrus would supply a complete Kerberos 5 implementation but not provide a check
directly... anyway I tried the "{KERBEROS}principal" scheme but could not get it to work.
Is that for Kerberos V4 only? I can only use V5.
Having OpenLDAP work with Kerberos 5 is wonderful. It's something we've been needing for a long time. But since I can't know that a client is also kerberized, I have to support simple authentication as well. I know it's not safe, but neither is telnet and we have to support that too (at least for now). So, if the Kerberos 5 check "would be trivial to add", who would have to add it? The Cyrus people, the OpenLDAP people, or both? Who do I have to convince that this would REALLY be a worthwhile thing to do? Thanks for all your help.
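The two pass-through forms Kurt mentions, as an added LDIF example that is not part of the original thread; the dc=example,dc=com tree, the users and the EXAMPLE.COM realm are constructed, and it assumes slapd was built with both SASL and Kerberos password-check support.

```ldif
# Constructed example entries (not from the thread). The scheme prefix on
# userPassword decides how slapd checks a simple bind:
#   {SASL}      hands the bind password to Cyrus SASL's configured
#               password-check method (SASLdb by default, PAM if the SASL
#               application config says so) for the named SASL user
#   {KERBEROS}  slapd itself checks the bind password against the named
#               Kerberos principal (only when slapd was built with that
#               support; if it was not, the bind simply fails)
# In both cases the simple bind carries the password on the wire, so it
# only makes sense over a connection with adequate privacy protection.
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword: {SASL}alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
sn: Example
userPassword: {KERBEROS}bob@EXAMPLE.COM
```

A simple bind can then be checked with `ldapsearch -x -D "uid=alice,ou=people,dc=example,dc=com" -W`; for the {SASL} form, the backend that actually verifies the password is whatever `pwcheck_method` is set to in slapd's Cyrus SASL application configuration.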