
Kerberos and simple binds using same password database?



I've managed to configure slapd to use Kerberos for authentication (using SASL/GSSAPI). This works great if the user holds a valid ticket and is using a Kerberos-aware client such as ldapsearch.

However, if the user isn't using a Kerberos-aware client, (s)he will be authenticated using the password stored in the userPassword attribute (using passwords instead of Kerberos tickets is OK in my case, as long as the connection is over TLS).

Now, the question. Is it possible to configure slapd not to use the userPassword attribute in this case, but rather to check the user's password against Kerberos? Something like what "saslauthd -a kerberos5" does. Or (more generally) to use saslauthd to perform the password checking (which can check it against the Kerberos database).

I guess for this to work, an opposite of the sasl-regexp option would need to exist (to map an LDAP entity to a Kerberos user@realm type of entity), but I couldn't find anything like that, which makes me believe it might not be possible.

By searching around I found some questions/answers about using LDAP as a store for Kerberos. While implementing something like that (if possible) might solve the problem of having slapd and Kerberos use the same passwords, in this case I can't take that route. The Kerberos realms (plural) that users are in are part of several Active Directory domains, so technically the passwords are already stored in AD's LDAP database and they need to stay there.

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
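The configuration below is an added illustration and is not part of the original post. It shows the shape of OpenLDAP pass-through authentication: a simple bind against an entry whose userPassword carries a {SASL} value is handed to the SASL library instead of being compared locally, and with pwcheck_method set to saslauthd the cleartext password is verified by saslauthd, which in turn checks it against the KDC named in the principal. The per-entry {SASL}user@REALM value is what supplies the LDAP-entry-to-Kerberos-principal mapping that a reverse sasl-regexp would otherwise provide. All DNs, realm names, hostnames and file locations are placeholders; the SASL configuration file path for slapd varies by distribution.

```conf
# --- Added example (not from the original post). Placeholder names throughout. ---

# /etc/openldap/slapd.conf (excerpt)
# Simple binds carry the password in the clear inside the LDAP session, so
# require a TLS-protected connection (security strength factor 128) for them.
security simple_bind=128

# Existing GSSAPI identity mapping for ticket-holding clients (placeholder realm).
sasl-regexp
  uid=(.*),cn=EXAMPLE.COM,cn=gssapi,cn=auth
  ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

# Per-entry reverse mapping: instead of a hashed password, userPassword names
# the Kerberos principal that a simple bind's password must be checked against.
# LDIF for one placeholder entry:
#   dn: uid=jdoe,ou=people,dc=example,dc=com
#   userPassword: {SASL}jdoe@EXAMPLE.COM
# A second realm is selected per entry by its principal, e.g.
#   userPassword: {SASL}jsmith@CORP.EXAMPLE.NET

# SASL library configuration read by slapd
# (commonly /usr/lib/sasl2/slapd.conf or /etc/sasl2/slapd.conf, distribution dependent).
# Send {SASL} password checks to the saslauthd socket rather than checking locally.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
# If mech_list is used to restrict mechanisms here, keep gssapi in it, or the
# ticket-based path described in the post stops working.

# saslauthd is started with the kerberos5 mechanism so that each verification is a
# password check against the KDC of the realm in the principal; /etc/krb5.conf must
# therefore know the KDCs of every realm that appears in a {SASL} value.
#   saslauthd -a kerberos5
```

Two practical consequences follow from this layout. First, slapd never stores or sees a Kerberos-verifiable secret for these entries, so the TLS requirement on simple binds is what protects the password in transit, and rejecting unprotected simple binds server-side is safer than relying on clients to remember to use TLS. Second, since each entry names its own realm, the multi-realm situation described in the post is handled by the principal string rather than by a server-wide setting.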