Kerberos and DIGEST-MD5
Hi there,
I've been searching the web and the mailing list for a solution to
this but haven't been able to find an answer. Sorry if this has been
answered before...
I have managed to install an authentication server using mit-krb5
1.3.3, cyrus-sasl 2.1.18 and openldap 2.1.26. Right now I'm able to
authenticate any user on my network using pam/nss accessing Kerberos and
OpenLDAP, so in order for a user to log in she must have a corresponding
Kerberos principal and an LDAP entry with objectClass=posixAccount (among
others). I'm also able to authenticate to LDAP using GSSAPI/Kerberos,
and simple BIND using {SASL}user@REALM in the userPassword attribute (as
it seems that the {KERBEROS} way is deprecated) checking the password
against saslauthd/Kerberos database.
So what's the problem? It seems that to build an LDAPv3-compliant
server I must provide DIGEST-MD5 authentication to the LDAP server, and
this is what I don't know how to achieve in a clean manner. In order to
have DIGEST-MD5 working I must have a clear text password stored
somewhere (correct me if I'm wrong), but it seems that Kerberos doesn't
have it, or I don't know how to use it in the DIGEST-MD5 authentication
process. It seems that Cyrus SASL *does need* this password stored in
its sasldb2 database to be able to successfully offer DIGEST-MD5, but
this would mean that I'd have duplicated information and I'd have to
sync both databases (Kerberos and SASL) whenever a password change
occurs. So, am I missing anything here? Is there any clean solution for
this?
Thanks in advance, best regards
Jose
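The post's core point is that a DIGEST-MD5 server cannot verify a client without holding either the cleartext password or the per-user value H(username:realm:password) defined in RFC 2831, which a Kerberos KDC does not have (its keys are produced by string2key with its own salt and algorithm). The following Python script is an added illustration, not code from the original post or from Cyrus SASL or OpenLDAP: it carries the RFC 2831 computation through for qop=auth on both the client and server side. The user name, realm, password, digest-uri and the stand-in "other hash" store are all constructed for the example.

```python
"""RFC 2831 DIGEST-MD5 (qop=auth) worked through on both sides of the exchange.

Added illustration. Names, realm, password and digest-uri are constructed values.
"""
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    """H() in RFC 2831: raw 16-byte MD5 digest."""
    return hashlib.md5(data).digest()


def user_secret(username: str, realm: str, password: str) -> bytes:
    """The only per-user value the server needs to store to verify DIGEST-MD5:
    H(username ":" realm ":" password), raw 16 bytes (RFC 2831 section 2.1.2.1).
    A server that holds the cleartext password can compute it on the fly; a
    server that holds any other one-way derivation of the password cannot."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def response_value(secret: bytes, nonce: str, cnonce: str, nc: str, digest_uri: str) -> str:
    """response-value for qop=auth (no authzid). Both client and server run this;
    the client feeds it user_secret() derived from the password the user typed,
    the server feeds it the stored secret."""
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")          # A1 = { H(user:realm:pw), ":", nonce, ":", cnonce }
    a2 = f"AUTHENTICATE:{digest_uri}".encode("utf-8")          # A2 for qop=auth
    ha1 = hashlib.md5(a1).hexdigest()
    ha2 = hashlib.md5(a2).hexdigest()
    # KD(HEX(H(A1)), nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2)))
    return hashlib.md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}".encode("utf-8")).hexdigest()


def server_verify(stored_secret: bytes, nonce: str, cnonce: str, nc: str,
                  digest_uri: str, response: str) -> bool:
    """Recompute the response from the stored per-user secret and compare in constant time."""
    expected = response_value(stored_secret, nonce, cnonce, nc, digest_uri)
    return hmac.compare_digest(expected, response)


def simulate_bind(user_db: dict, username: str, realm: str, password: str,
                  digest_uri: str = "ldap/ldap.example.com") -> bool:
    """One DIGEST-MD5 bind: server challenge, client response, server check.
    user_db maps username -> stored 16-byte value (whatever the server keeps)."""
    nonce = secrets.token_hex(16)       # server challenge nonce
    cnonce = secrets.token_hex(16)      # client nonce
    nc = "00000001"                     # nonce count, first use

    # Client side: knows the password, derives the secret, answers the challenge.
    client_resp = response_value(user_secret(username, realm, password),
                                 nonce, cnonce, nc, digest_uri)

    # Server side: knows only what is in its store.
    stored = user_db.get(username)
    if stored is None:
        return False
    return server_verify(stored, nonce, cnonce, nc, digest_uri, client_resp)


# Constructed sample stores for the demonstration.
REALM = "EXAMPLE.COM"
PASSWORD = "correct horse battery"

# What sasldb2-style storage amounts to: the server can derive H(user:realm:pw).
SASL_STYLE_DB = {"jose": user_secret("jose", REALM, PASSWORD)}

# Stand-in for a store that only holds a *different* one-way derivation of the
# password (here SHA-1 of the password, standing in for a Kerberos string2key
# output). No function of this value yields H(user:realm:pw).
OTHER_HASH_DB = {"jose": hashlib.sha1(PASSWORD.encode("utf-8")).digest()[:16]}


if __name__ == "__main__":
    print("sasl-style store, right password:", simulate_bind(SASL_STYLE_DB, "jose", REALM, PASSWORD))
    print("sasl-style store, wrong password:", simulate_bind(SASL_STYLE_DB, "jose", REALM, "nope"))
    print("other-hash store, right password:", simulate_bind(OTHER_HASH_DB, "jose", REALM, PASSWORD))
```

Running it shows the verification succeed only when the server's store contains H(username:realm:password) (or the cleartext from which to compute it); the same correct password fails against a store holding any other hash, which is exactly the gap between the Kerberos database and what DIGEST-MD5 needs. Note also that the per-user value is realm-bound, so a realm rename invalidates every stored secret.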