Re: Kerberos and simple binds using same password database?
Aleksandar Milivojevic wrote:
> Turbo Fredriksson wrote:
>> userPassword: {SASL}turbo@REALM.TLD
>> That makes "whatever program" check against Kerberos, via
>> LDAP->SASL->Kerberos.
>> [ snip ]
>> # Regexp for SASL authentication:
>> sasl-regexp
>> uid=(.*),cn=domain.tld,cn=gssapi,cn=auth
>> ldap:///c=SE??sub?(krb5PrincipalName=$1@REALM.TLD)
>> Extremely simple (I have more for other needs), but works for me...
> I've attempted to use that, changing domain.tld and REALM.TLD to match
> what I have. I understand what the basic form of sasl-regexp does, but not
> really what the above sasl-regexp will do (haven't found any usable
> docs, yet, still looking). Hasn't really made any difference with or
> without it in my slapd.conf. Same authentication errors...
> Should I use that sasl-regexp in combination with that userPassword
> thingie you wrote about in your previous mail, or?
Ah, of course. It was all in the man page ;-)
Reading and understanding sometimes makes things work ;-)
So, to summarize, what I have for now is:
Among user's attributes (I was missing krb5PrincipalName that search in
sasl-regexp looks for):
userPassword: {SASL}username@EXAMPLE.COM
krb5PrincipalName: username@EXAMPLE.COM
In slapd.conf (for each realm):
# Map the GSSAPI authcid uid=<user>,cn=<realm> onto the entry whose
# krb5PrincipalName is <user>@<REALM> (URL form: base?attrs?scope?filter)
sasl-regexp
uid=(.*),cn=example.com,cn=gssapi,cn=auth
ldap:///ou=accts,dc=example,dc=com??sub?(krb5PrincipalName=$1@EXAMPLE.COM)
Also, I created /usr/lib/sasl2/slapd.conf (this one is needed too):
pwcheck_method: saslauthd
I've checked it with single realm (AD domain), and it works. Well, as
long as saslauthd has access to valid host ticket. Left is to test with
multiple realms (will have to wait until after new year).
One more question. I got this to work for "ldapsearch -x", so no SASL
on the client side. If I do just "ldapsearch" (with SASL), it doesn't work.
Not even for the PLAIN/LOGIN method (I kind of expected it wouldn't work for
DIGEST-MD5, since slapd doesn't have access to the cleartext password). Any
way around it, or is it simply the way things are?
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
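To make concrete what the sasl-regexp mapping in the thread actually does, here is a small added example (written for this summary, not code from the list posters or from OpenLDAP itself). It models slapd's rewrite step: the SASL-derived authcid DN `uid=<user>,cn=<realm>,cn=gssapi,cn=auth` is matched against each rule, `$1` is expanded into the replacement, and the resulting `ldap:///` URL is split into base, attributes, scope and filter as RFC 4516 lays them out. The second realm (`other.example`) is a constructed placeholder for the "one rule per realm" setup, the `^...$` anchoring is my addition, and the match semantics are a simplified model of slapd's. The `lint_rules` check is there because a URL written as `...??sub(filter)` instead of `...??sub?(filter)` puts the filter into the scope field, which is exactly the kind of slip that leaves you staring at authentication errors with no obvious cause.

```python
import re

# Constructed slapd.conf mapping rules, one per realm as the mail describes.
# Each entry is (regexp over the SASL authcid DN, replacement DN or LDAP URL).
# The second realm is a placeholder invented for this example.
SASL_REGEXPS = [
    (r"^uid=(.*),cn=example\.com,cn=gssapi,cn=auth$",
     "ldap:///ou=accts,dc=example,dc=com??sub?(krb5PrincipalName=$1@EXAMPLE.COM)"),
    (r"^uid=(.*),cn=other\.example,cn=gssapi,cn=auth$",
     "ldap:///ou=accts,dc=example,dc=com??sub?(krb5PrincipalName=$1@OTHER.EXAMPLE)"),
]

# Scope keywords an LDAP URL may carry; an empty scope means "base".
VALID_SCOPES = ("", "base", "one", "sub")


def expand(replacement, match):
    """Substitute $0..$9 in the replacement with the regexp capture groups."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))), replacement)


def map_authcid(authcid_dn, rules=SASL_REGEXPS):
    """Apply the first matching rule (case-insensitively, a simplified model of
    slapd) and return the expanded replacement, or None when nothing matches."""
    for pattern, replacement in rules:
        m = re.search(pattern, authcid_dn, re.IGNORECASE)
        if m:
            return expand(replacement, m)
    return None


def parse_ldap_url(url):
    """Split an ldap:/// URL into (base, attrs, scope, filter) per RFC 4516.
    Raises ValueError when the layout is not base?attrs?scope?filter."""
    prefix = "ldap:///"
    if not url.startswith(prefix):
        raise ValueError("not an ldap:/// URL: %s" % url)
    parts = url[len(prefix):].split("?")
    if len(parts) > 4:
        raise ValueError("too many '?' separators in %s" % url)
    parts += [""] * (4 - len(parts))          # missing trailing fields are empty
    base, attrs, scope, filt = parts
    if scope not in VALID_SCOPES:
        raise ValueError("bad scope %r; is a '?' missing before the filter?" % scope)
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    return base, [a for a in attrs.split(",") if a], scope, filt


def lint_rules(rules=SASL_REGEXPS):
    """Return (replacement, error) pairs for rules whose LDAP URL would not
    parse; an empty list means every URL-form replacement is well-formed."""
    problems = []
    for _pattern, replacement in rules:
        if replacement.startswith("ldap:"):
            try:
                parse_ldap_url(replacement)
            except ValueError as err:
                problems.append((replacement, str(err)))
    return problems


if __name__ == "__main__":
    for authcid in ("uid=jdoe,cn=example.com,cn=gssapi,cn=auth",
                    "uid=jdoe,cn=nowhere.test,cn=gssapi,cn=auth"):
        url = map_authcid(authcid)
        print(authcid, "->", url if url else "no rule matched")
        if url:
            print("  search:", parse_ldap_url(url))
    # A deliberately malformed replacement (filter glued onto the scope):
    for _url, err in lint_rules([(r".*", "ldap:///dc=example,dc=com??sub(cn=x)")]):
        print("lint:", err)
```

Running the script prints the search that slapd would issue for a matched authcid (base `ou=accts,dc=example,dc=com`, scope `sub`, filter on `krb5PrincipalName`) and reports the malformed URL as a scope error rather than silently searching for nothing.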