
Re: Does Kerb / SASL prevent simple binds?



While you can use a Kerberos domain controller as a fancy password
store for simple authentication, this isn't Kerberos authentication.
Kerberos authentication requires the Kerberos-aware applications
(the LDAP/SMTP/IMAP/POP/... clients and servers).

At 07:26 AM 2001-09-04, Kevin J. McCarthy wrote:
>I am using OpenLDAP as the authentication system for completely virtual
>users (no UID, no PAM, nada). Everything that needs to be done on the OS
>(mail delivery, FTP upload, etc.) is done through a single user account
>(virtuser). Works great!
> 
>I am wanting to "upgrade" to Kerberos but think it won't work since none
>of these virtual users will have the ability to get tickets. Is this
>correct?
> 
>The usual means of authentication (for POP, IMAP, RADIUS, FTP) is that
>the server collects the username and password from the client, does an
>LDAP search to determine the user's DN, then performs a simple bind to
>LDAP with the discovered DN and supplied password. A successful bind
>means they are authenticated.
> 
>Can this setup be Kerberized? I think I would need kerberized versions
>of all user-facing services (pop, imap, ftpd, radius) that are still
>capable of LDAP searches for config data (mailMessageStore,
>homeDirectory, etc.). Is that right?
> 
>Thanks,
>Kevin
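
Added example, not part of the original thread: the search-then-bind flow described in the quoted message, with the checks a server should make before forwarding the bind. The `uid` attribute, the `search`/`simple_bind` method names and `FakeDirectory` are assumptions standing in for a real LDAP client, and the sample entry is constructed.

```python
import re

# RFC 4515 escapes for characters that are special inside a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a client-supplied value before placing it in an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def authenticate(directory, base_dn, username, password):
    """Search for the user's DN, then simple-bind as it. Returns the DN or None."""
    # A simple bind with a DN and an empty password is an "unauthenticated
    # bind" (RFC 4513); a server may report success, so never forward it.
    if not username or not password:
        return None
    flt = "(uid=%s)" % escape_filter_value(username)  # uid is an assumed attribute
    matches = directory.search(base_dn, flt)
    if len(matches) != 1:  # unknown user, or an ambiguous match
        return None
    dn = matches[0]
    return dn if directory.simple_bind(dn, password) else None

class FakeDirectory:
    """Hypothetical in-memory stand-in for an LDAP connection (constructed data)."""
    def __init__(self, users):
        self.users = users  # uid -> (dn, password)

    def search(self, base_dn, flt):
        raw = flt[len("(uid="):-1]
        if raw == "*":  # an unescaped wildcard matches every entry
            return [dn for dn, _ in self.users.values()]
        uid = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
        return [self.users[uid][0]] if uid in self.users else []

    def simple_bind(self, dn, password):
        if password == "":  # mimics a server that accepts unauthenticated binds
            return True
        return any(d == dn and p == password for d, p in self.users.values())

BASE = "ou=people,dc=example,dc=com"  # constructed
ALICE_DN = "uid=alice," + BASE        # constructed
DIRECTORY = FakeDirectory({"alice": (ALICE_DN, "s3cret")})
```

A successful bind here proves only that the password matched the directory entry; as the reply above says, that is simple authentication, not Kerberos authentication.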