Re: sasl and clients that do not support it
Thomas Bolioli wrote:
> I would like to use sasl to connect my clients to ldap via krb5.
> However, some clients do not support sasl. Can I do some sort of pass
> through of supplied plain text credentials to the kdc to authenticate?
> If so, can someone point me in the right direction?
> Thanks,
> Tom

Yes, but if you're not also using SSL/TLS then your Kerberos passwords
will be exposed on the network, thus destroying the security of your
Kerberos deployment. In general setting this up is a bad idea.
You must:
1) include '--enable-spasswd' when configuring OpenLDAP
2) set the users' userPassword attribute in LDAP to "{SASL}<kerberos username>"
3) configure saslauthd to perform kerberos authentication
4) configure slapd to use saslauthd for SASL password verification
See the SASL documentation if you need more help.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
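
Added example, not part of the original message or of OpenLDAP's own documentation: the settings behind steps 2-4 as comments, and a check that a slapd.conf refuses simple binds on unprotected connections, which is the exposure the reply warns about. The realm, user name, file paths and the function names (`weak_slapd_conf`, `hardened_slapd_conf`, `simple_bind_protected`) are constructed for illustration.

```sh
#!/bin/sh
# Steps 2-4, with constructed values (realm, user, file paths are assumptions):
#   LDAP entry:          userPassword: {SASL}alice@EXAMPLE.COM
#   saslauthd:           saslauthd -a kerberos5
#   Cyrus SASL slapd.conf (e.g. /usr/lib/sasl2/slapd.conf):
#                        pwcheck_method: saslauthd
#   manual check:        testsaslauthd -u alice -r EXAMPLE.COM -p '<password>'

# slapd.conf fragment that accepts simple binds on any connection (weak).
weak_slapd_conf() { cat <<'EOF'
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key
EOF
}

# Same fragment, but simple binds are refused below a 128-bit SSF (hardened).
hardened_slapd_conf() { cat <<'EOF'
TLSCertificateFile    /etc/openldap/certs/ldap.example.com.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.example.com.key
security simple_bind=128
EOF
}

# Reads slapd.conf text on stdin; succeeds only if a "security" directive
# sets a non-zero simple_bind, ssf or tls strength factor.
simple_bind_protected() {
    awk '
        tolower($1) == "security" {
            for (i = 2; i <= NF; i++) {
                split($i, kv, "=")
                k = tolower(kv[1])
                if ((k == "simple_bind" || k == "ssf" || k == "tls") && kv[2] + 0 > 0)
                    ok = 1
            }
        }
        END { exit (ok ? 0 : 1) }
    '
}

for cfg in weak_slapd_conf hardened_slapd_conf; do
    if "$cfg" | simple_bind_protected; then
        echo "$cfg: simple binds require a protected connection"
    else
        echo "$cfg: pass-through passwords can be sent in clear text"
    fi
done
```

slapd can only reject an unprotected simple bind after the client has already sent the password, so the clients themselves must also be configured for ldaps:// or StartTLS.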