userPassword: {KERBEROS}/{SASL} help!
Hi,
I have OpenLDAP 2.2 configured to store NIS-like information. I use pam_krb5 for authentication against Kerberos. This works.

However, I want to allow people to connect to the LDAP server for information such as email addresses and the like using their username and Kerberos password.

I have searched quite a lot to find out how to do this with "broken" software (really software that just doesn't understand SASL or GSSAPI) and it seems to be through setting userPassword to {KERBEROS}principal@REALM or {SASL}...

I've read through a thread on this list from 2003 (http://www.openldap.org/lists/openldap-software/200308/msg00114.html) which was very helpful. What struck me was a comment that said if a Kerberos password ever travels across the network it entirely defeats Kerberos. I understand this well but I think it is more important for me to provide a single password that works everywhere.

I think I could eventually set up OpenLDAP to use this userPassword hack. I also know that LDAP is not designed for storing passwords. However, since my goal is a single password and not an ultra-secure single-sign on system (well, I'd like this but I have to make a compromise) I wonder if storing the password as a hash in OpenLDAP is perhaps more sensible than abusing Kerberos in this way.

All LDAP communication is done via SSL/TLS and I have a number of things that currently do not support SASL. I see no reason to continue (ab|u)sing Kerberos in this way -- I want to know if there is something I am missing or should I scrap Kerberos and switch to storing passwords in LDAP right now.
Thank you,
-Lewis Thompson.
--
I was so much older then, I'm younger than that now. --Bob Dylan, 1964.
-| msn:lewiz@fajita.org | jabber:lewiz@jabber.org | url:www.lewiz.org |-
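As an added illustration (not part of Lewis's post or any reply), the slapd.conf fragment below sets the two alternatives he weighs side by side: the {SASL} pass-through userPassword that hands the bind password to Kerberos via saslauthd, and a salted hash stored in the directory, with simple binds refused unless the connection is TLS-protected. Realm, file paths and the saslauthd/--enable-spasswd build assumptions are placeholders, not taken from the post.

```conf
# slapd.conf fragment (added example, not from the original post).
# Assumes slapd 2.2 built with --enable-spasswd and a saslauthd
# started as "saslauthd -a kerberos5"; REALM and paths are placeholders.

# Refuse simple binds (and everything else) below 128 bits of
# protection, so a pass-through password never crosses the wire in clear.
TLSCertificateFile      /etc/openldap/slapd.crt
TLSCertificateKeyFile   /etc/openldap/slapd.key
security                ssf=128 simple_bind=128
disallow                bind_anon

# Option A: pass-through. The entry holds no secret of its own; slapd
# forwards the bind password to Cyrus SASL, which asks saslauthd (and
# hence the KDC) whether it is correct.
#   userPassword: {SASL}user@EXAMPLE.ORG
# Requires, in the Cyrus SASL config for slapd (e.g. /usr/lib/sasl2/slapd.conf):
#   pwcheck_method: saslauthd

# Option B: hash stored in the directory. Passwords changed through the
# LDAP Password Modify extended operation are stored as salted SHA-1;
# a value for an LDIF import can be generated with: slappasswd -h {SSHA}
password-hash           {SSHA}
#   userPassword: {SSHA}<output of slappasswd>

# Either way, nobody but the owner (and rootdn) may read userPassword;
# "auth" still lets an unauthenticated client bind against it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

With Option A a compromised directory dump yields no password material, but every simple bind sends the Kerberos password to slapd; with Option B the password never reaches the KDC, and the {SSHA} hashes become the thing to protect.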