
RE: can I use a kerberos ticket with ldapsearch (and ldap libraries)



On Fri, 2002-04-12 at 21:40, Howard Chu wrote:
> You can do this if your Kerberos installation includes libgss, and you also
> need to install Cyrus SASL, then reconfigure/rebuild OpenLDAP with SASL
> support.

Of course.  I did mention that I already have OpenLDAP doing pass-thru
authentication against kerberos (each user has a {kerberos} entry in
userPassword).  

What I really want to know is if I can get a kerberos ticket ahead of
time and use it with LDAP, through kinit.  This is for the purpose of
binding as administrator.

What principal do I use when I kinit (say when I want to bind as the
manager) and do I have to pass any special options to ldapsearch to use
the ticket.  Also, can any application that links against the ldap
libraries (such as php_ldap) transparently use the ticket?  That's my
real question. 

Most apps need a keytab file that the service (LDAP) uses to verify that
the ticket is authentic.  I've seen no mention of this in OpenLDAP
stuff.  I know that it's done through cyrus SASL, though, so I may look
there.

Normally OpenLDAP can talk to kerberos because it's the one requesting
the ticket.  In this case I request the ticket and pass it to LDAP. 
ldapsearch does have a "-k" option that seems to indicate this is what
it would do but it only works with krb4.

Does that make sense?

Michael


> 
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
> 
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Torrie
> > Sent: Friday, April 12, 2002 7:16 PM
> > To: openldap-software@OpenLDAP.org
> > Subject: can I use a kerberos ticket with ldapsearch (and ldap
> > libraries)
> >
> >
> > I've searched for this, and found some info, but I'm still confused.
> >
> > If openldap was configured appropriately, can I bind to LDAP using a
> > kerberos ticket obtained with kinit?  I realize there are ACLs to deal
> > with, and kerberos support has to be turned on in ldap.  Right now I
> > have my manager entity have a kerberos password in the slapd.conf file.
> > When I bind as manager and give the password, slapd is able to verify
> > that password using kerberos.  But can I init to that principal first
> > and then use ldapsearch?  If so, can I also use ldap libraries and
> > things like the php_ldap stuff with this ticket too?
> >
> > I saw an option -k in ldapsearch, but that has to do with krb5 and
> > LDAPv2.  I'm trying to do an LDAPv3 system.
> >
> > Any pointers to docs would be great.  I already have an LDAP system set
> > up (using kerberos for password verification) and Samba 2.2.2 working
> > great.  Just want to know about the kerberos ticket thing.
> >
> > Thanks,
> > Michael
> >
> >
> >
> > --
> > Public key available from http://students.cs.byu.edu/~torriem
> >
> >
> >
-- 
Public key available from http://students.cs.byu.edu/~torriem


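The procedure Michael is asking about, shown as an added example that is not part of this thread: obtain the ticket ahead of time with kinit, then let ldapsearch pick it up from the ticket cache through SASL/GSSAPI instead of a simple bind. The realm EXAMPLE.COM, the principal ldapadmin, the host ldap.example.com and the suffix dc=example,dc=com are assumptions, and the script presumes an OpenLDAP client built with Cyrus SASL and the GSSAPI plugin, as Howard described.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: realm EXAMPLE.COM,
# admin principal ldapadmin, server ldap.example.com, suffix dc=example,dc=com.
# Requires an OpenLDAP client built with Cyrus SASL and the GSSAPI plugin.

# slapd derives this SASL authorization DN from a GSSAPI-authenticated
# principal: uid=<user>,cn=<REALM>,cn=gssapi,cn=auth. It is the name to put
# in rootdn (or to rewrite with authz-regexp) so the ticket holder becomes
# the manager. Fails when the principal carries no @REALM rather than guess.
sasl_authz_dn() {
    principal=$1
    user=${principal%@*}
    realm=${principal#*@}
    [ "$user" != "$principal" ] || return 1
    printf 'uid=%s,cn=%s,cn=gssapi,cn=auth\n' "$user" "$realm"
}

# The ldapsearch invocation that uses the ticket cache instead of -D/-w:
# -Y GSSAPI selects the SASL mechanism; there is no -k and no password.
gssapi_search_cmd() {
    uri=$1
    base=$2
    filter=${3:-'(objectClass=*)'}
    printf "ldapsearch -Y GSSAPI -H '%s' -b '%s' '%s'\n" "$uri" "$base" "$filter"
}

# slapd.conf lines that make the ticket holder the database manager.
# slapd itself needs the service key ldap/ldap.example.com@EXAMPLE.COM in a
# keytab it can read (set KRB5_KTNAME in slapd's environment if it is not
# the default /etc/krb5.keytab); the client needs no keytab at all.
slapd_conf_fragment() {
    cat <<EOF
suffix   "dc=example,dc=com"
rootdn   "$(sasl_authz_dn ldapadmin@EXAMPLE.COM)"
EOF
}

# End to end. Executes only with LDAP_RUN=1, so the file can be sourced on a
# host without a KDC; without it the commands are only printed.
run_demo() {
    if [ "${LDAP_RUN:-0}" != 1 ]; then
        echo "dry run (set LDAP_RUN=1 to execute):" >&2
        echo "kinit ldapadmin@EXAMPLE.COM" >&2
        gssapi_search_cmd ldap://ldap.example.com dc=example,dc=com >&2
        return 0
    fi
    kinit ldapadmin@EXAMPLE.COM || return 1   # get the TGT ahead of time
    klist                                      # confirm it sits in the cache
    sh -c "$(gssapi_search_cmd ldap://ldap.example.com dc=example,dc=com)"
}
```

The keytab Michael mentions belongs on the server side only: slapd verifies the client's service ticket with its own ldap/<fqdn> key, while the client presents what kinit already put in the cache. Any program built on libldap gets the same behaviour through a SASL bind (ldap_sasl_interactive_bind_s() with mechanism GSSAPI; PHP exposes this as ldap_sasl_bind()), so php_ldap can use the ticket without a password in its configuration. The caveat is that the ticket cache then carries manager rights: whatever process can read the cache file named by KRB5CCNAME can bind as manager, so give a service its own cache with tight permissions rather than sharing an interactive user's.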