On Fri, 2002-04-12 at 21:40, Howard Chu wrote:
> You can do this if your Kerberos installation includes libgss, and you also
> need to install Cyrus SASL, then reconfigure/rebuild OpenLDAP with SASL
> support.

Of course. I did mention that I already have OpenLDAP doing pass-thru authentication against Kerberos (each user has a {kerberos} entry in userPassword). What I really want to know is if I can get a Kerberos ticket ahead of time and use it with LDAP, through kinit. This is for the purpose of binding as administrator. What principal do I use when I kinit (say when I want to bind as the manager), and do I have to pass any special options to ldapsearch to use the ticket?

Also, can any application that links against the ldap libraries (such as php_ldap) transparently use the ticket? That's my real question.

Most apps need a keytab file that the service (LDAP) uses to verify that the ticket is authentic. I've seen no mention of this in OpenLDAP stuff. I know that it's done through Cyrus SASL, though, so I may look there. Normally OpenLDAP can talk to Kerberos because it's the one requesting the ticket. In this case I request the ticket and pass it to LDAP. ldapsearch does have a "-k" option that seems to indicate this is what it would do, but it only works with krb4.

Does that make sense?

Michael

>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Torrie
> > Sent: Friday, April 12, 2002 7:16 PM
> > To: openldap-software@OpenLDAP.org
> > Subject: can I use a kerberos ticket with ldapsearch (and ldap
> > libraries)
> >
> >
> > I've searched for this, and found some info, but I'm still confused.
> >
> > If OpenLDAP was configured appropriately, can I bind to LDAP using a
> > Kerberos ticket obtained with kinit? I realize there are ACLs to deal
> > with, and Kerberos support has to be turned on in ldap. Right now I
> > have my manager entity have a Kerberos password in the slapd.conf file.
> > When I bind as manager and give the password, slapd is able to verify
> > that password using Kerberos. But can I init to that principal first
> > and then use ldapsearch? If so, can I also use ldap libraries and
> > things like the php_ldap stuff with this ticket too?
> >
> > I saw an option -k in ldapsearch, but that has to do with krb5 and
> > LDAPv2. I'm trying to do an LDAPv3 system.
> >
> > Any pointers to docs would be great. I already have an LDAP system set
> > up (using Kerberos for password verification) and Samba 2.2.2 working
> > great. Just want to know about the Kerberos ticket thing.
> >
> > Thanks,
> > Michael
> >
> > --
> > Public key available from http://students.cs.byu.edu/~torriem

-- 
Public key available from http://students.cs.byu.edu/~torriem
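The mechanism Howard's reply points at (a SASL bind using the GSSAPI mechanism), shown as an added illustration that is not part of the thread: the slapd.conf settings that let slapd verify a ticket obtained with kinit, and the matching client commands. The host ldap.example.com, the realm EXAMPLE.COM, the suffix dc=example,dc=com, the keytab path and the admin principal are placeholders.

```conf
# slapd.conf fragment (added example, not from the thread). Placeholders:
# ldap.example.com, EXAMPLE.COM, dc=example,dc=com, admin, the keytab path.

# The keytab lives on the server, not the client: slapd verifies the
# client's service ticket with its own key, ldap/ldap.example.com@EXAMPLE.COM,
# exported from the KDC into a keytab readable only by the slapd user.
# Point the Kerberos library at it before starting slapd, e.g. with
#   KRB5_KTNAME=/etc/openldap/ldap.keytab
sasl-host   ldap.example.com

# A successful GSSAPI bind leaves the client with the SASL identity
#   uid=<principal>,cn=EXAMPLE.COM,cn=gssapi,cn=auth
# which is not a DN in the tree. Map the admin principal to the manager DN
# and every other principal to its own entry so existing ACLs keep working.
# (The directive was called sasl-regexp in older releases.)
authz-regexp
    uid=admin,cn=EXAMPLE.COM,cn=gssapi,cn=auth
    cn=Manager,dc=example,dc=com
authz-regexp
    uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
    ldap:///dc=example,dc=com??sub?(uid=$1)

# Client side: only a ticket in the credential cache is needed, no keytab.
#   kinit admin@EXAMPLE.COM
#   ldapsearch -Y GSSAPI -H ldap://ldap.example.com -b dc=example,dc=com '(uid=someuser)'
# -Y GSSAPI selects the SASL mechanism; -k is the old Kerberos 4 simple bind
# and does not use this path. Any program that asks libldap for a SASL/GSSAPI
# bind reads the same credential cache, so no password needs to be stored in
# the application's configuration.
```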