From: pkoelle <pkoelle@gmail.com>
To: Manel Euro <euro_32@hotmail.com>
CC: openldap-software@OpenLDAP.org
Subject: Re: Ldap kerberos ticket - GSSAPI
Date: Wed, 30 Mar 2005 11:28:29 +0200
Manel Euro wrote:
1st- SASL/gssapi
2nd- pass through authentication - userPASSWORD: {sasl}user@REALM-COM and
saslauthd
I am using the first one. So, in this method when the kerberos ticket is
presented to the slapd, slapd maps this kerberos principal to the
*corresponding* directory DN. In this case, the principal
testePac@EXAMPLE.NET does not have an entry on the directory. Therefore,
according to what I have understood, this user should not get a Kerberos
TGS to LDAP.

No, the KDC issuing tickets has no idea about what's in your directory.
Kerberos is just a means to prove identity to the DSA, not authorization.
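
The split described in this thread, as an added slapd.conf sketch that is not part of the original message: the KDC issues the ticket either way, so the decision about a principal with no directory entry is made in slapd's identity mapping and ACLs. The suffix dc=example,dc=net, the ou=people container and the uid naming attribute are assumptions; older releases spell the directive sasl-regexp.

```conf
# Added example, not from the original thread.
# Assumed DIT: user entries live directly under ou=people,dc=example,dc=net
# and are named by uid.

# After a successful GSSAPI bind, slapd holds an authentication DN of the form
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# (the cn=<realm> component is omitted for the default realm; it is assumed
# to be present here).
#
# Search-based mapping: the identity is rewritten only if the search returns
# exactly one entry. A principal with no entry, such as testePac@EXAMPLE.NET,
# stays bound as its cn=auth DN instead of a directory DN.
authz-regexp
    uid=([^,]+),cn=example.net,cn=gssapi,cn=auth
    ldap:///ou=people,dc=example,dc=net??one?(uid=$1)

# Authorization is expressed here. Only identities that mapped to an entry
# under ou=people can read; an unmapped cn=auth identity falls through to
# "by * none", even though its Kerberos ticket was valid.
access to *
    by dn.subtree="ou=people,dc=example,dc=net" read
    by * none
```

A direct DN replacement (uid=$1,ou=people,dc=example,dc=net) would not check that the entry exists, which is why the search URL form is used here.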