
RE: Mapping userPassword to Kerberos 5



> -----Original Message-----
> From: Stephen Frost [mailto:sfrost@snowman.net]

> * Howard Chu (hyc@highlandsun.com) wrote:
> > > It might be enough to compile with --enable-spasswd (SASL) and to then
> > > use {SASL} in the userPassword.  I'd like to know if this
> > > actually works or not...
> >
> > Why is this any better?
>
> Mainly because it'd go through SASL and gssapi and we wouldn't have to
> enable kpasswd and add the associated libs (if there are any?  I think
> there are some you need...) in the compile for the Debian OpenLDAP
> packages.  I realize the security implications and, as you mentioned,
> pointed them out previously.

I guess this is possible using saslauthd. I never use it, since I have slapd
handling SASL's backend. For saslauthd it actually uses the Kerberos
libraries directly, not via GSSAPI. Looking at the code, I just noticed
there's a major problem with using {SASL}; while it will allow simple binds
to succeed, it will throw SASL binds into an infinite loop. (I suppose we
should add a check to prevent this loop, but you're still left with the
problem of finding a valid password to check.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support