[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos and simple binds using same password database?

To: openldap-software@OpenLDAP.org
Subject: Re: Kerberos and simple binds using same password database?
From: Turbo Fredriksson <turbo@bayour.com>
Date: Wed, 29 Dec 2004 00:00:11 +0100
In-reply-to: <41D189DC.4030309@pbl.ca> (Aleksandar Milivojevic's message of "Tue, 28 Dec 2004 10:29:16 -0600")
Organization: LDAP/Kerberos expert wannabe
References: <41D189DC.4030309@pbl.ca>
User-agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.2 (gnu/linux)

>>>>> "Aleksandar" == Aleksandar Milivojevic <amilivojevic@pbl.ca> writes:

    Aleksandar> Now, the question.  Is it possible to configure slapd
    Aleksandar> not to use userPassword attribute in this case, but
    Aleksandar> rather attempt to check user's password against
    Aleksandar> Kerberos?  Something "saslauthd -a kerberos5" is
    Aleksandar> doing. Or (more general) to use saslauthd to perform
    Aleksandar> password checking (which can check it against Kerberos
    Aleksandar> database).

Eh, ?

userPassword: {SASL}turbo@REALM.TLD

That makes "whatever program" to check against Kerberos, via
LDAP->SASL->Kerberos.

    Aleksandar> I guess for this to work, an opposite of sasl-regexp
    Aleksandar> option would need to exist (to map LDAP entity to
    Aleksandar> Kerberos user@realm type of entity), but I couldn't
    Aleksandar> find anything like that.  Which makes me to believe it
    Aleksandar> might not be possible to do.

# Regexp for SASL authentication:
sasl-regexp
        uid=(.*),cn=domain.tld,cn=gssapi,cn=auth
        ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM.TLD)

Extreamly simple (I have more for other needs), but works for me...


    Aleksandar> Kerberos realms (plural) that users are in are part of
    Aleksandar> several Active Directory domains, so technically,
    Aleksandar> passwords are already stored in AD's LDAP database and
    Aleksandar> they need to stay there.

Oh, plural... That changes things. I don't know if there is a 'toupper()'
thingie for REGEXP, but if you can find one (I really suck at REGEXP :) 
you could use 'cn=(.*)' instead of 'cn=domain.tld' and then use
something like '$1@toupper($2)' in your REGEXP (NOTE: This don't obviosly
work - it's just an illustration!!!).


A quick thinking through this while I checked the mail for obvious errors
'reviled' my own thought - "I have more for other needs"!

Just stack them, one for each realm... Not very easy if you add/remove
realms all the time, but...


Have a look at http://www.bayour.com/LDAPv3-HOWTO.html, there should be
SOMETHING for you...

Follow-Ups:
- Re: Kerberos and simple binds using same password database?
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: Kerberos and simple binds using same password database?
  - From: Aleksandar Milivojevic <amilivojevic@pbl.ca>

References:
- Kerberos and simple binds using same password database?
  - From: Aleksandar Milivojevic <amilivojevic@pbl.ca>

Prev by Date: the permission wrong of the database which created by slapindex.
Next by Date: Re: set syntax on acl
Index(es):
- Chronological
- Thread