Re: Kerberos and simple binds using same password database?
Turbo Fredriksson wrote:
> "Aleksandar" == Aleksandar Milivojevic <amilivojevic@pbl.ca> writes:
>
> Aleksandar> Now, the question. Is it possible to configure slapd
> Aleksandar> not to use userPassword attribute in this case, but
> Aleksandar> rather attempt to check user's password against
> Aleksandar> Kerberos? Something "saslauthd -a kerberos5" is
> Aleksandar> doing. Or (more general) to use saslauthd to perform
> Aleksandar> password checking (which can check it against Kerberos
> Aleksandar> database).
>
> Eh, ?
>
> userPassword: {SASL}turbo@REALM.TLD
>
> That makes "whatever program" to check against Kerberos, via
> LDAP->SASL->Kerberos.
Hmmm... I was very happy when I read this, because this was exactly
what I needed. However, when I attempted to set the userPassword attribute
as you suggested to {SASL}username@REALM and then to bind with
ldapsearch -x -D 'uid=...,ou=...,dc=foobar,dc=com' -W and so on, I got an
"ldap_bind: Invalid credentials (49)" error. Running tcpdump showed no
traffic between slapd and the Kerberos KDC, meaning slapd hasn't attempted
to verify the password on the Kerberos server.
> Aleksandar> I guess for this to work, an opposite of sasl-regexp
> Aleksandar> option would need to exist (to map LDAP entity to
> Aleksandar> Kerberos user@realm type of entity), but I couldn't
> Aleksandar> find anything like that. Which makes me to believe it
> Aleksandar> might not be possible to do.
>
> # Regexp for SASL authentication:
> sasl-regexp
>         uid=(.*),cn=domain.tld,cn=gssapi,cn=auth
>         ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM.TLD)
>
> Extremely simple (I have more for other needs), but works for me...
I've attempted to use that, changing domain.tld and REALM.TLD to match
what I have. I understand what the basic form of sasl-regexp does, but not
really what the above sasl-regexp will do (haven't found any usable
docs yet, still looking). It hasn't really made any difference with or
without it in my slapd.conf. Same authentication errors...

Should I use that sasl-regexp in combination with that userPassword
thingie you wrote about in your previous mail, or?
> Aleksandar> Kerberos realms (plural) that users are in are part of
> Aleksandar> several Active Directory domains, so technically,
> Aleksandar> passwords are already stored in AD's LDAP database and
> Aleksandar> they need to stay there.
>
> Oh, plural... That changes things. I don't know if there is a 'toupper()'
> thingie for REGEXP, but if you can find one (I really suck at REGEXP :)
> you could use 'cn=(.*)' instead of 'cn=domain.tld' and then use
> something like '$1@toupper($2)' in your REGEXP (NOTE: This obviously
> doesn't work - it's just an illustration!!!).
>
> A quick thinking through this while I checked the mail for obvious errors
> 'reviled' my own thought - "I have more for other needs"!
>
> Just stack them, one for each realm... Not very easy if you add/remove
> realms all the time, but...
You are saying here that I can have multiple sasl-regexp lines, and the
first that matches will be applied, or? If yes, then this could work for
me, as the realms I have are not likely to change in the near future.
> Have a look at http://www.bayour.com/LDAPv3-HOWTO.html, there should be
> SOMETHING for you...
Actually, I had a look there. Google already found it for me ;-)

Off topic, formatting on the page is not right when viewing it with
Mozilla Firefox (on Fedora Core 3). Not sure if it is something you
have in the HTML/CSS, or a bug in Firefox rendering, but some small parts
of text are not readable at all (overlapping text), and some formatting
looks a bit odd (but perfectly readable, and folks with poor sight might
even appreciate it ;-) ), as if the font style that was supposed to be
applied to the "I've decided to sell the book as is" box was applied to the
rest of the document.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
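As an added example (not from either correspondent), here is what the pass-through setup discussed in this thread looks like end to end: the {SASL} userPassword hands the simple-bind password to slapd's Cyrus SASL library, whose own config for slapd must point at saslauthd, which then checks it against the KDC. The sasl-regexp lines are only consulted for SASL (e.g. GSSAPI) binds, where they map the SASL identity to a DN, so they have no effect on a `-x` simple bind. File paths, realm names, the suffix and the user are assumed.

```conf
# --- /etc/openldap/slapd.conf (slapd's own config; path assumed) ---
# Pass-through auth: a {SASL} value is not compared as a hash; slapd (built
# with SASL support) asks the Cyrus SASL library to verify the password, so
# that library must be told to use saslauthd (second file below).
# Stacked sasl-regexp lines are tried in order and the first match wins, so
# one line per Kerberos realm works. They only map SASL bind identities to
# DNs and are NOT consulted for a simple (-x) bind.
sasl-regexp
        uid=(.*),cn=corp.example.com,cn=gssapi,cn=auth
        ldap:///dc=foobar,dc=com??sub?(krb5PrincipalName=$1@CORP.EXAMPLE.COM)
sasl-regexp
        uid=(.*),cn=eu.example.com,cn=gssapi,cn=auth
        ldap:///dc=foobar,dc=com??sub?(krb5PrincipalName=$1@EU.EXAMPLE.COM)

# --- /usr/lib/sasl2/slapd.conf (Cyrus SASL config read by slapd; the
# directory varies by distribution) ---
# Without this the SASL library has no way to verify a plaintext password;
# a typical symptom is "Invalid credentials (49)" with no KDC traffic at all.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- user entry (LDIF) ---
# Write the realm exactly as the KDC knows it (upper case); saslauthd splits
# the value into user and realm for the Kerberos check.
dn: uid=turbo,ou=people,dc=foobar,dc=com
userPassword: {SASL}turbo@CORP.EXAMPLE.COM
```

Run the daemon as `saslauthd -a kerberos5` and check the Kerberos leg on its own with `testsaslauthd -u turbo -r CORP.EXAMPLE.COM -p '<password>'` before testing the LDAP leg with `ldapwhoami -x -D uid=turbo,ou=people,dc=foobar,dc=com -W`; a tcpdump on the KDC port then shows whether the password check actually leaves the host.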