Jose Gonzalez Gomez wrote:
Hi there,
I've been searching the web and the mailing list for a solution to
this but haven't been able to find an answer. Sorry if this has been
answered before...
I have managed to install an authentication server using mit-krb5
1.3.3, cyrus-sasl 2.1.18 and openldap 2.1.26. Right now I'm able to
authenticate any user on my network using pam/nss accessing Kerberos
and OpenLDAP, so in order for a user to log in she must have a
corresponding Kerberos principal and an LDAP entry with
objectClass=posixAccount (among others). I'm also able to
authenticate to LDAP using GSSAPI/Kerberos, and simple BIND using
{SASL}user@REALM in the userPassword attribute (as it seems that the
{KERBEROS} way is deprecated) checking the password against
saslauthd/Kerberos database.
So what's the problem? It seems that to build an LDAPv3-compliant
server I must provide DIGEST-MD5 authentication to the LDAP server,
and this is what I don't know how to achieve in a clean manner. In
order to have DIGEST-MD5 working I must have a clear-text password
stored somewhere (correct me if I'm wrong), but it seems that
Kerberos doesn't have it, or I don't know how to use it in the
DIGEST-MD5 authentication process. It seems that Cyrus SASL *does
need* this password stored in its sasldb2 database to be able to
successfully offer DIGEST-MD5, but this would mean that I'd have
duplicated information and I'd have to sync both databases (Kerberos
and SASL) whenever a password change occurs. So, am I missing
anything here? Is there any clean solution for this?
I believe you already received an answer to this question on the
cyrus-sasl mailing list.
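The point behind Jose's question is a property of the DIGEST-MD5 mechanism itself (RFC 2831), not of Cyrus SASL: to check a client's response the server needs either the clear-text password or the 16-byte MD5(username:realm:password) secret, because that value is the innermost term of the computation. A Kerberos KDC holds neither; it stores keys derived by string-to-key, so the KDC database cannot stand in for sasldb2 here. The following Python is an added example, not code from this thread or from Cyrus SASL or OpenLDAP; it implements the RFC 2831 response and rspauth computation with constructed inputs (the user, realm, password, nonces and digest-uri are made up), and shows that the server side verifies from the stored MD5 secret alone.

```python
import hashlib
import hmac
from typing import Dict, Optional

# RFC 2831 DIGEST-MD5 primitives. H() is raw MD5 (16 octets), HEX() its
# lowercase hex form, KD(k, s) = H(k ":" s).


def _h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def _hex_h(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_md5_secret(username: str, realm: str, password: str) -> bytes:
    """H(username ":" realm ":" password), the only long-term value the server
    must keep. This is what a DIGEST-MD5 verifier stores in place of the
    password; a Kerberos KDC does not store it and cannot derive it."""
    return _h(f"{username}:{realm}:{password}".encode("utf-8"))


def digest_md5_response(secret: bytes, nonce: str, cnonce: str, nc: str,
                        qop: str, digest_uri: str,
                        authzid: Optional[str] = None,
                        method: str = "AUTHENTICATE") -> str:
    """Compute the 'response' (method="AUTHENTICATE") or the server's
    'rspauth' (method="") directive of RFC 2831 from the stored secret."""
    # A1 = H(user:realm:pass) ":" nonce ":" cnonce [ ":" authzid ]
    a1 = secret + f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = "AUTHENTICATE:" digest-uri, plus a fixed 32-zero body hash for
    # qop=auth-int / auth-conf; rspauth uses an empty method.
    a2 = f"{method}:{digest_uri}".encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":00000000000000000000000000000000"
    kd_input = f"{_hex_h(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hex_h(a2)}"
    return _hex_h(kd_input.encode("utf-8"))


def client_response(username: str, realm: str, password: str, nonce: str,
                    cnonce: str, nc: str, qop: str, digest_uri: str) -> str:
    """What the client sends: it has the clear-text password."""
    secret = digest_md5_secret(username, realm, password)
    return digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri)


def server_verify(secrets: Dict[str, bytes], username: str, response: str,
                  nonce: str, cnonce: str, nc: str, qop: str,
                  digest_uri: str) -> Optional[str]:
    """Server side: recompute from the stored MD5 secret (the role sasldb2
    plays) and, on success, return the rspauth value the client will check.
    Returns None when the user is unknown or the response does not match."""
    secret = secrets.get(username)
    if secret is None:
        return None
    expected = digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri)
    if not hmac.compare_digest(expected, response):
        return None
    return digest_md5_response(secret, nonce, cnonce, nc, qop, digest_uri,
                               method="")


if __name__ == "__main__":
    # Constructed example values (hypothetical user, realm and server).
    user, realm, password = "jose", "EXAMPLE.ORG", "correct horse"
    uri = "ldap/ldap.example.org"
    nonce, cnonce, nc, qop = "OA6MG9tEQGm2hh", "OA6MHXh6VqTrRk", "00000001", "auth"

    # The server's password store holds only H(user:realm:pass).
    store = {user: digest_md5_secret(user, realm, password)}

    resp = client_response(user, realm, password, nonce, cnonce, nc, qop, uri)
    print("client response:", resp)
    print("server rspauth: ", server_verify(store, user, resp, nonce, cnonce, nc, qop, uri))
    bad = client_response(user, realm, "wrong", nonce, cnonce, nc, qop, uri)
    print("wrong password: ", server_verify(store, user, bad, nonce, cnonce, nc, qop, uri))
```

Because the secret is MD5(username:realm:password), it is bound to the realm string and must be regenerated on every password change, which is exactly the synchronisation problem Jose describes: whichever store holds the DIGEST-MD5 secret has to be updated alongside the Kerberos principal, and a KDC key cannot be converted into it after the fact.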