
RE: Mapping userPassword to Kerberos 5



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Stephen Frost

> It might be enough to compile with --enable-spasswd (SASL) and to then
> use {SASL} in the userPassword.  I'd like to know if this
> actually works or not...

Why is this any better?

> > With OpenLDAP 2.1.22, you MUST (!?) use the sasl-regexp option...

The sasl-regexp option ALLOWS you to map the SASL authentication DN into some
other DN. You are not required to use it, but it's more convenient than just
being forced to use the SASL DNs as in OpenLDAP 2.0.
>
> It's not the same thing as you pointed out above.  One is for simple
> binds using a password given to slapd in plaintext and the other is
> using SASL to do the bind.
>
> > > I'm using Debian 3 sid with OpenLDAP 2.1.22, Kerberos 5,
> > > libsas2-gssapi package 2.1.12, SASL 2.1.15.
> >
> > I've just started with OpenLDAP 2.1.22, Cyrus SASL 2.1.12, so I'm
> > not 100% certain how to get it working properly.
>
> Try using {SASL} instead since we no longer compile the Debian
> packages with --enable-kpasswd...  If it doesn't work I'd like to know.

What exactly are you hoping to accomplish by using SASL to validate a
simple-bind password? How does this have anything to do with using Kerberos
to validate a simple-bind?

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support