
Does Kerb / SASL prevent simple binds?



I am using OpenLDAP as the authentication system for completely virtual
users (no UID, no PAM, nada). Everything that needs to be done on the OS
(mail delivery, FTP upload, etc.) is done through a single user account
(virtuser). Works great!
 
I am wanting to "upgrade" to Kerberos but think it won't work since none
of these virtual users will have the ability to get tickets. Is this
correct?
 
The usual means of authentication (for POP, IMAP, RADIUS, FTP) is that
the server collects the username and password from the client, does an
LDAP search to determine the user's DN, then performs a simple bind to
LDAP with the discovered DN and supplied password. A successful bind
means they are authenticated.
 
Can this setup be Kerberized? I think I would need kerberized versions
of all user-facing services (pop, imap, ftpd, radius) that are still
capable of LDAP searches for config data (mailMessageStore,
homeDirectory, etc.). Is that right?
 
Thanks,
Kevin
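
The search-then-bind flow described in the message above, as an added example that is not part of the original post. It also covers two edge cases of that flow: escaping the supplied username before it goes into the search filter, and refusing an empty password, which some servers accept as an unauthenticated bind. `FakeDirectory`, `authenticate`, `escape_filter_value` and the sample entries are hypothetical names and constructed data standing in for a real LDAP connection.

```python
import hmac


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (hypothetical API)."""

    def __init__(self, entries):
        self.entries = entries  # DN -> {"uid": ..., "userPassword": ...}

    def search(self, ldap_filter):
        # Minimal matcher: (uid=*) is a presence filter, anything else exact.
        value = ldap_filter[len("(uid="):-1]
        return [dn for dn, e in self.entries.items()
                if value == "*" or value == escape_filter_value(e["uid"])]

    def simple_bind(self, dn, password):
        # Models a server that permits unauthenticated binds (RFC 4513,
        # section 5.1.2): a DN with an empty password returns success
        # without any credential being verified.
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and hmac.compare_digest(
            entry["userPassword"].encode(), password.encode())


def authenticate(directory, username, password):
    """Search for the user's DN, then simple-bind as it. Returns DN or None."""
    if not username or not password:
        return None  # an empty password must never reach simple bind
    matches = directory.search("(uid=%s)" % escape_filter_value(username))
    if len(matches) != 1:
        return None  # unknown user, or an ambiguous match
    dn = matches[0]
    return dn if directory.simple_bind(dn, password) else None


# Constructed sample directory.
DIRECTORY = FakeDirectory({
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "userPassword": "s3cret"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "userPassword": "hunter2"},
})
```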