Re: Kerberos and simple binds using same password database?
>>>>> "Aleksandar" == Aleksandar Milivojevic <amilivojevic@pbl.ca> writes:
Aleksandar> Now, the question. Is it possible to configure slapd
Aleksandar> not to use userPassword attribute in this case, but
Aleksandar> rather attempt to check user's password against
Aleksandar> Kerberos? Something "saslauthd -a kerberos5" is
Aleksandar> doing. Or (more general) to use saslauthd to perform
Aleksandar> password checking (which can check it against Kerberos
Aleksandar> database).
Eh, ?
userPassword: {SASL}turbo@REALM.TLD
That makes "whatever program" to check against Kerberos, via
LDAP->SASL->Kerberos.
Aleksandar> I guess for this to work, an opposite of sasl-regexp
Aleksandar> option would need to exist (to map LDAP entity to
Aleksandar> Kerberos user@realm type of entity), but I couldn't
Aleksandar> find anything like that. Which makes me believe it
Aleksandar> might not be possible to do.
# Regexp for SASL authentication:
sasl-regexp
uid=(.*),cn=domain.tld,cn=gssapi,cn=auth
ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM.TLD)
Extremely simple (I have more for other needs), but works for me...
Aleksandar> Kerberos realms (plural) that users are in are part of
Aleksandar> several Active Directory domains, so technically,
Aleksandar> passwords are already stored in AD's LDAP database and
Aleksandar> they need to stay there.
Oh, plural... That changes things. I don't know if there is a 'toupper()'
thingie for REGEXP, but if you can find one (I really suck at REGEXP :)
you could use 'cn=(.*)' instead of 'cn=domain.tld' and then use
something like '$1@toupper($2)' in your REGEXP (NOTE: This doesn't obviously
work - it's just an illustration!!!).
A quick thinking through this while I checked the mail for obvious errors
'revealed' my own thought - "I have more for other needs"!
Just stack them, one for each realm... Not very easy if you add/remove
realms all the time, but...
Have a look at http://www.bayour.com/LDAPv3-HOWTO.html, there should be
SOMETHING for you...
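As an added illustration (not code from the original post, nor from OpenLDAP itself), the following Python models what the "stack them, one for each realm" advice above amounts to: a list of sasl-regexp style rules (authz-regexp in newer slapd) tried in order, first match wins, with $1 substituted into the LDAP search URL. It also generates the per-realm rules from a list and upper-cases the realm at generation time, which is the 'toupper' the reply wished for inside the regexp. The realm names, base DNs and the filter-escaping helper are assumptions of this example; slapd's exact quoting and matching rules for the directive should be checked against slapd.conf(5).

```python
import re

# Constructed list of (DNS domain, search base) pairs, one per Kerberos realm.
# Placeholder names; nothing here comes from the original post.
REALMS = [
    ("example.com", "dc=example,dc=com"),
    ("corp.example.net", "dc=corp,dc=example,dc=net"),
]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    This is an assumption of the example, added so that a captured uid
    containing '*', '(' or ')' cannot widen or break the generated filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def make_realm_rules(realms):
    """Build one (pattern, url_template) pair per realm, i.e. the stacked
    sasl-regexp directives the reply suggests, with the realm upper-cased
    here instead of inside the regexp (which slapd cannot do)."""
    rules = []
    for domain, base in realms:
        # Match the SASL authcid slapd forms for GSSAPI binds:
        #   uid=<user>,cn=<realm>,cn=gssapi,cn=auth
        pattern = r"uid=([^,]+),cn=%s,cn=gssapi,cn=auth" % re.escape(domain)
        url = "ldap:///%s??sub?(krb5PrincipalName=$1@%s)" % (base, domain.upper())
        rules.append((pattern, url))
    return rules


def render_directives(rules):
    """Render the rules as slapd.conf text in the layout used in the post
    (directive, then pattern and URL as continuation lines)."""
    lines = []
    for pattern, url in rules:
        lines.append("sasl-regexp")
        lines.append("    " + pattern)
        lines.append("    " + url)
    return "\n".join(lines) + "\n"


def map_sasl_identity(authcid, rules):
    """Return the LDAP URL produced by the first rule that fully matches
    authcid, or None if no realm rule applies (the bind would then fail
    to map to an entry)."""
    for pattern, url in rules:
        m = re.fullmatch(pattern, authcid)
        if m:
            result = url
            # Substitute highest-numbered group first so $1 never clobbers $10.
            for i in range(len(m.groups()), 0, -1):
                result = result.replace("$%d" % i, escape_filter_value(m.group(i)))
            return result
    return None


if __name__ == "__main__":
    rules = make_realm_rules(REALMS)
    print(render_directives(rules))
    for authcid in (
        "uid=turbo,cn=example.com,cn=gssapi,cn=auth",
        "uid=jdoe,cn=corp.example.net,cn=gssapi,cn=auth",
        "uid=turbo,cn=unknown.org,cn=gssapi,cn=auth",
    ):
        print(authcid, "->", map_sasl_identity(authcid, rules))
```

Adding or removing a realm is then a one-line change to REALMS followed by regenerating the directives, which addresses the "not very easy if you add/remove realms all the time" concern; an authcid from a realm with no rule maps to nothing, so such binds cannot silently land on an entry in another realm's subtree.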