Re: sasl and clients that do not support it
Howard Chu wrote:
> Thomas Bolioli wrote:
>
>> I would like to use sasl to connect my clients to ldap via krb5.
>> However, some clients do not support sasl. Can I do some sort of pass
>> through of supplied plain text credentials to the kdc to
>> authenticate? If so, can someone point me in the right direction?
>> Thanks,
>> Tom
>>
> Yes, but if you're not also using SSL/TLS then your Kerberos passwords
> will be exposed on the network, thus destroying the security of your
> Kerberos deployment. In general setting this up is a bad idea.
>
> You must
> 1) include '--enable-spasswd' when configuring OpenLDAP
> 2) set the users' userPassword attribute in LDAP to
> "{SASL}<kerberos username>"
> 3) configure saslauthd to perform kerberos authentication
> 4) configure slapd to use saslauthd for SASL password verification
>
> See the SASL documentation if you need more help.
>
Is that "{SASL}username@REALM.COM"?
Tom
PS: I plan on using ssl, just as soon as I get it working but I need the
ldap server working so I can bring up cyrus.
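The four steps Howard lists, written out as an added example that is not part of the thread and not OpenLDAP's or Cyrus SASL's own code. It emits the userPassword value in the {SASL}user@REALM form the OpenLDAP admin guide documents for pass-through authentication, the one-line Cyrus SASL config slapd reads, and the slapd.conf guard that refuses a simple bind until the connection has TLS, which is the caveat Howard raises. The file paths, the DN, the user, the realm and the RUN_PASSTHROUGH_SETUP switch are assumptions; the commands that touch a live server only run when that switch is set.

```shell
# Added example: OpenLDAP pass-through authentication via saslauthd + Kerberos.
# Paths, DN, user and realm below are assumptions for illustration.
set -u

# Step 2: LDIF that hands password checking for one user to saslauthd.
# The value is "{SASL}<user>@<REALM>"; slapd passes user and realm to
# saslauthd instead of comparing a stored hash itself.
sasl_passthrough_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: userPassword\nuserPassword: {SASL}%s@%s\n' \
        "$1" "$2" "$3"
}

# Step 4: the Cyrus SASL config slapd reads (typically /usr/lib/sasl2/slapd.conf
# or /etc/sasl2/slapd.conf; the location is an assumption), telling it to verify
# plaintext passwords through saslauthd's socket.
slapd_sasl_conf() {
    printf 'pwcheck_method: saslauthd\n'
}

# Caveat: a simple bind sends the Kerberos password in the clear, so make slapd
# reject simple binds unless the session already has 128-bit TLS protection.
# "security" is a slapd.conf directive.
slapd_conf_tls_guard() {
    printf 'security simple_bind=128\n'
}

# Sanity check on a userPassword value before it is committed: it must use the
# {SASL} scheme and carry an explicit non-empty user and realm, so saslauthd
# does not quietly fall back to a default realm.
check_sasl_password() {
    case $1 in
        "{SASL}"?*@?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Steps 1 and 3 and the actual apply: only run when RUN_PASSTHROUGH_SETUP=1,
# since they need a build tree, a KDC and a running slapd.
if [ "${RUN_PASSTHROUGH_SETUP:-0}" = 1 ]; then
    # Step 1: build slapd with SASL password pass-through (assumed source dir).
    ( cd /usr/src/openldap && ./configure --enable-spasswd && make && make install )

    # Step 3: saslauthd verifying against the KDC with the kerberos5 mechanism.
    saslauthd -a kerberos5

    # Step 4: install the SASL config slapd reads (path is an assumption).
    slapd_sasl_conf > /usr/lib/sasl2/slapd.conf

    # Step 2: set the user's password pointer. -ZZ makes ldapmodify refuse to
    # continue unless StartTLS succeeds, so the admin password is never sent
    # in the clear either.
    ldif=$(sasl_passthrough_ldif 'uid=tom,ou=people,dc=example,dc=com' tom EXAMPLE.COM)
    check_sasl_password "${ldif##*userPassword: }" || { echo 'bad {SASL} value' >&2; exit 1; }
    printf '%s\n' "$ldif" | ldapmodify -ZZ -x -D 'cn=admin,dc=example,dc=com' -W

    # Verify: a simple bind as the user over StartTLS should now succeed only
    # if the KDC accepts the password.
    ldapwhoami -ZZ -x -D 'uid=tom,ou=people,dc=example,dc=com' -W
fi
```

Add the output of slapd_conf_tls_guard to slapd.conf before enabling the pass-through, and start slapd with a TLS certificate; until then every simple bind against a {SASL} user carries a real Kerberos password over the wire, which is exactly the exposure Howard describes.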