* Turbo Fredriksson (turbo@bayour.com) wrote:
> Quoting Benjamin Krein <superbenk@superk.org>:
>
> > I've been working through the docs at www.bayour.com and have run into a
> > snag due to the fact they are so dated and still work with Kerberos 4 as
> > well as 5 (I'm working with 5 only). In his doc, he states that you can
> > make the users in LDAP force authentication with the KDC by using the
> > following for the attribute userPassword:
> >
> > userPassword: {KERBEROS}principal@REALM
>
> This is to enable simple binds (ie '-x -D .. -W') and is not necessary
> for GSSAPI binds. To get this part working, I think one has to compile
> with '--enable-kpasswd'...

It might be enough to compile with --enable-spasswd (SASL) and to then
use {SASL} in the userPassword. I'd like to know if this actually works
or not...

> The only reason why I still use 'userPassword: {KERBEROS}principal@REALM'
> in every (user) object is because I _need_ to be able to do simple binds,
> and I don't want separate passwords for the two methods (maybe I should,
> ah, well... :)

[...]

> With OpenLDAP 2.1.22, you MUST (!?) use the sasl-regexp option...

It's not the same thing as you pointed out above. One is for simple
binds using a password given to slapd in plaintext and the other is
using SASL to do the bind.

> > I'm using Debian 3 sid with OpenLDAP 2.1.22, Kerberos 5, libsas2-gssapi
> > package 2.1.12, SASL 2.1.15.
>
> I've just started with OpenLDAP 2.1.22, Cyrus SASL 2.1.12, so I'm not 100%
> certain how to get it working properly.

Try using {SASL} instead since we no longer compile the Debian packages
with --enable-kpasswd... If it doesn't work I'd like to know.

Thanks,

Stephen
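The two bind paths discussed above, as an added configuration example that is not part of the thread: a sasl-regexp mapping for GSSAPI binds beside a {SASL} userPassword for simple binds. The suffix dc=example,dc=com, the user alice, the realm EXAMPLE.COM and the saslauthd setup are assumptions, not values from the messages.

```conf
# --- slapd.conf fragment (OpenLDAP 2.1 syntax; placeholders, not from the thread) ---
# A SASL/GSSAPI bind ("ldapsearch -Y GSSAPI") arrives as the authentication
# identity uid=<user>,cn=<REALM>,cn=gssapi,cn=auth, which is not a real entry.
# sasl-regexp rewrites it to a search that lands on the user's actual DN, so
# ACLs and "who am I" apply to uid=alice,ou=People,... rather than a cn=auth DN.
sasl-regexp
  uid=([^,]*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
  ldap:///dc=example,dc=com??sub?(uid=$1)

# --- sample user entry (LDIF) ---
# A *simple* bind ("ldapsearch -x -D uid=alice,ou=People,dc=example,dc=com -W")
# sends the password to slapd in plaintext. With slapd built --enable-spasswd,
# a {SASL} value makes slapd hand that password to Cyrus SASL for verification
# instead of comparing it against a stored hash, so the Kerberos password
# serves both bind methods without a second, LDAP-only password.
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
userPassword: {SASL}alice@EXAMPLE.COM

# --- Cyrus SASL application config for slapd (assumed path /usr/lib/sasl2/slapd.conf) ---
# Tells libsasl2 how to check the plaintext password it receives from slapd.
# saslauthd must be running with a Kerberos backend (e.g. "saslauthd -a kerberos5");
# if it is not, every simple bind against a {SASL} entry fails, which is the
# first thing to check when "-x -D ... -W" stops working after the switch.
pwcheck_method: saslauthd
```

Because the simple-bind path carries the password in the clear to slapd, it only makes sense over TLS or a trusted local socket; the GSSAPI path never exposes the password to slapd at all.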