RE: Crazy idea - Hybrid Authentication
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Frank Swasey
>
> Well, you can certainly set it up to use saslauthd for some entries and
> regular LDAP text comparison for other entries purely by what you put in
> the userPassword attribute. The problem you will get into is how to
> write an ACL that will allow those people who are using text comparison
> to change the value of their userPassword attribute and keep those that
> have {SASL}uid@realm from touching theirs.
>
> I know that this works with a combination of {KERBEROS}uid@realm and
> plain text values in 2.1.22 -- and I assume it will work with
> {SASL} in 2.1.23.
Yes.
In OpenLDAP 2.2 you can specify ACLs based on attribute values (and
patterns), so the solution to the ACL problem is pretty easy:
access to attr=userpassword val.regex=^{SASL}.*
	by * auth
access to attr=userpassword
	by self write
	by * auth
> Today at 2:01pm, Gary Allen Vollink wrote:
>
> > I am aware of the possibility that this is an SASL question rather than
> > an OpenLDAP one. If this is the case, please kindly let me know.
> >
> > Is it possible to set up OpenLDAP so that users can connect to OpenLDAP
> > and be authenticated to Kerberos if such an account exists, but
> > authenticated to plain text otherwise? Only failing after being tried
> > against both.
--
Howard Chu
Chief Architect, Symas Corp.       Director, Highland Sun
http://www.symas.com               http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
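An added example, not from this thread or from OpenLDAP's own code: a small Python model of how slapd walks the two ACL clauses above (the first clause whose target matches decides, and within it the first matching "by" line sets the access level). It shows that a {SASL} entry cannot write its own userPassword while a hashed-password entry can, and that swapping the clause order silently grants self-write to everyone. The DNs and password values are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ordered access levels as slapd ranks them (subset sufficient here).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class Clause:
    attr: str                       # attribute the clause targets
    val_regex: Optional[str]        # None means "any value"
    by: List[Tuple[str, str]]       # ("self" | "*", level), in order

# The two clauses from the mail, in the order given there. The mail writes the
# regex as ^{SASL}.*; the braces are escaped here so Python reads them literally.
ACL = [
    Clause("userpassword", r"^\{SASL\}.*", [("*", "auth")]),
    Clause("userpassword", None, [("self", "write"), ("*", "auth")]),
]

def access_level(acl, attr, value, requester_dn, entry_dn):
    """Model of slapd evaluation: first matching clause wins; inside it the
    first matching 'by' line decides; no match at all means no access."""
    for clause in acl:
        if clause.attr != attr.lower():
            continue
        if clause.val_regex is not None and not re.match(clause.val_regex, value):
            continue
        for who, level in clause.by:
            if who == "*" or (who == "self" and requester_dn == entry_dn):
                return level
        return "none"   # clause matched the target but no 'by' line matched
    return "none"       # nothing matched: slapd denies by default

def can_write_own_password(acl, value, dn):
    """True if an entry bound as itself may modify its own userPassword."""
    level = access_level(acl, "userPassword", value, dn, dn)
    return LEVELS.index(level) >= LEVELS.index("write")

if __name__ == "__main__":
    me = "uid=jdoe,ou=people,dc=example,dc=com"   # constructed DN
    for pw in ("{SASL}jdoe@EXAMPLE.COM", "{SSHA}c2FsdHNhbHQ="):
        print(pw, "self-write:", can_write_own_password(ACL, pw, me))
    # Reversed order: the catch-all clause now matches first, so even the
    # {SASL} entry gets "self write", which is exactly what the ACL must prevent.
    print("reversed order, {SASL} self-write:",
          can_write_own_password(list(reversed(ACL)), "{SASL}jdoe@EXAMPLE.COM", me))
```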