Re: Openldap authenticating against Kerberos server for userPassword

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, July 01, 2004 2:13 PM -0400 Frank Swasey 
<Frank.Swasey@uvm.edu> wrote:

> Today at 12:54pm, tuliol@sybatech.com wrote:
>
> > Has anybody been successful in using a Kerberos server to authenticate
> > openldap user entries?
>
> Are you attempting to have people who already have Kerberos tickets
> authenticate to OpenLDAP or have people give their Kerberos password to
> OpenLDAP and be authenticated?

> From the much clearer explanation he emailed me off of the list:

> I want to setup an openldap directory that authenticates against a 
Microsoft
> Active directory Kerberos server.  Right now the test server running the
> openldap server is a Redhat Linux AS 3 Server and it can authenticate 
using
> pam against the MS AD Kerberos server.
>
> Can you give me some guidance in how to do this?
>
> I have saslauth running with (/usr/sbin/saslauthd -m /var/run/saslauthd -a
> kerberos5)  I am not sure if that is something I need.
>
> Each user entry in the directory have the following kerberos attributes:
> krb5PrincipalName: stest75@UNIV.UNIV.EDU
> userPassword: {SASL}stest75@UNIV.UNIV.EDU
>
> I also have a /usr/lib/sasl2/slapd.conf with:
> pwcheck_method:saslauthd
> saslauthd_path:/var/run/saslauthd/mux
> keytab:/etc/krb5.keytab
>
> Any help will be appreciated.

Basically, it sounds like OpenLDAP needs to authenticate against a 
Microsoft KDC to verify the user's password.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html