
RE: Crazy idea - Hybrid Authentication



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Frank Swasey

> Well, you can certainly set it up to use saslauthd for some entries and
> regular LDAP text comparison for other entries purely by what you put in
> the userPassword attribute.  The problem you will get into is how to
> write an ACL that will allow those people who are using text comparison
> to change the value of their userPassword attribute and keep those that
> have {SASL}uid@realm from touching theirs.
>
> I know that this works with a combination of {KERBEROS}uid@realm and
> plain text values in 2.1.22 -- and I assume it will work with
> {SASL} in 2.1.23.

Yes.

In OpenLDAP 2.2 you can specify ACLs based on attribute values (and
patterns), so the solution to the ACL problem is pretty easy:
	access to attr=userpassword val.regex=^{SASL}.*
		by * auth
	access to attr=userpassword
		by self write
		by * auth

> Today at 2:01pm, Gary Allen Vollink wrote:
>
> > I am aware of the possibility that this is an SASL question rather than
> > an OpenLDAP one.  If this is the case, please kindly let me know.
> >
> > Is it possible to set up OpenLDAP so that users can connect to OpenLDAP
> > and be authenticated to Kerberos if such an account exists, but
> > authenticated to plain text otherwise?  Only failing after being tried
> > against both.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
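A fuller slapd.conf fragment illustrating the value-based ACL arrangement described above, added here as an example; it is not from the original thread or from the OpenLDAP project. The attribute name, the `{SASL}uid@realm` convention and the `val.regex` syntax are taken from the discussion; the ordering comment reflects how slapd evaluates `access to` directives (first matching directive wins), and the trailing catch-all rule is an assumption about the rest of the configuration.

```conf
# slapd.conf ACL fragment (added example; val.regex requires OpenLDAP 2.2).
#
# slapd evaluates "access to" directives in order and applies the first one
# whose target matches, so the value-specific rule MUST precede the generic
# userPassword rule or it will never be reached.

# Entries whose userPassword is {SASL}uid@realm delegate the bind to
# saslauthd (Kerberos).  Nobody may rewrite that value over LDAP, not even
# the entry itself: the attribute is only usable for authentication.
access to attrs=userPassword val.regex="^{SASL}.*"
	by * auth

# Every other entry holds an ordinary password (ideally hashed, e.g. {SSHA})
# and may change its own; all other binds may still authenticate against it.
access to attrs=userPassword
	by self write
	by * auth

# Catch-all for the remaining attributes (assumed policy, adjust as needed).
access to *
	by self write
	by users read
	by anonymous auth
```

Two things are worth checking after loading such a configuration: the `rootdn` bypasses ACLs entirely, so it remains the identity used to set or change a `{SASL}` value, and a user matched by the second rule can rewrite their own `userPassword` into the `{SASL}` form, after which the first rule governs them; if that transition should be administrator-only, the second rule needs a narrower grant than `self write`.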