
MIT Kerberos5+ SASL+ OpenLdap



Hello,


I am having some problems related to kerberos5, cyrus-sasl and openldap.
A colleague of mine has a different understanding than I do, so I would like to hear some opinions.


Here is what I have achieved:

Configured realm ABC.COM on machine server1 (MIT KERBEROS KDC).
Configured Openldap on machine server1 dc=abc,dc=com.
Installed Cyrus-sasl on machine server1 so openldap could use it.
Configured pam on machine client 1 (so it gets authorization from ldap and authentication from Kerberos)


Each user has the following parameters:

dn: uid=userA,ou=People,dc=abc,dc=com
krb5KeyVersionNumber: 1
loginShell: /bin/bash
krb5PrincipalName: userA@ABC.COM
krb5MaxRenew: 604800
gidNumber: 600
uidNumber: 505
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: userA
cn: userA
homeDirectory: /afs/abc.com/home/userA
krb5MaxLife: 86400

My question is:

Is the user information correct or does it have to be like the following:

dn: uid=userA,ou=People,dc=abc,dc=com
krb5KeyVersionNumber: 1
loginShell: /bin/bash
krb5PrincipalName: userA@ABC.COM
krb5MaxRenew: 604800
gidNumber: 600
uidNumber: 505
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: userA
cn: userA
homeDirectory: /afs/abc.com/home/userA
krb5MaxLife: 86400
userPassword:: {KERBEROS}userA@ABC.COM

In my current configuration I don't have a userPassword field. I believe that cyrus-sasl (gssapi) gets the information from my ticket and converts it to my dn. So, this way, I don't need to have a userPassword field.

Having this said, is there a need for the krb5MaxRenew: 604800 and krb5PrincipalName: fields at all?

For instance:

[root@server1]# ldapsearch
SASL/GSSAPI authentication started
SASL username: ldapadmin@ABC.COM
SASL SSF: 56
SASL installing layers

Finally, do I need to configure saslauthd?


Best regards,

M.
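The mapping the question is about (a SASL/GSSAPI bind arriving as a Kerberos principal and ending up as a DN in the directory) is what OpenLDAP's authz-regexp directive does in slapd.conf. The block below is an added illustration, not code from the original post or from OpenLDAP itself: it models slapd's behaviour in Python so the effect on the entries shown above can be checked. The authz-regexp rule for realm ABC.COM, the entry dictionary and the principal names are constructed for this example; the matching semantics are simplified (one rule, `$1` substitution, case-insensitive match).

```python
import re

# Constructed authz-regexp rule, as it would appear in slapd.conf for this
# realm (assumed, not taken from the original post):
#   authz-regexp "uid=([^,]*),cn=abc.com,cn=gssapi,cn=auth"
#                "uid=$1,ou=People,dc=abc,dc=com"
AUTHZ_REGEXP = [
    (r"uid=([^,]*),cn=abc\.com,cn=gssapi,cn=auth",
     "uid=$1,ou=People,dc=abc,dc=com"),
]

# Constructed directory contents: the userA entry from the post, without any
# userPassword attribute, plus an admin entry for the ldapsearch shown above.
DIRECTORY = {
    "uid=userA,ou=People,dc=abc,dc=com": {
        "objectClass": ["account", "posixAccount", "top",
                        "krb5Principal", "krb5KDCEntry"],
        "uid": ["userA"],
        "krb5PrincipalName": ["userA@ABC.COM"],
        "uidNumber": ["505"],
        "gidNumber": ["600"],
    },
    "uid=ldapadmin,ou=People,dc=abc,dc=com": {
        "uid": ["ldapadmin"],
        "krb5PrincipalName": ["ldapadmin@ABC.COM"],
    },
}


def sasl_identity_dn(principal: str, mech: str = "GSSAPI") -> str:
    """Identity slapd derives from a successful SASL bind before any
    authz-regexp rewriting: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth.
    The authcid and realm come from the Kerberos ticket, not from any
    directory attribute."""
    authcid, _, realm = principal.partition("@")
    return f"uid={authcid},cn={realm.lower()},cn={mech.lower()},cn=auth"


def map_authz(sasl_dn: str, rules=AUTHZ_REGEXP) -> str:
    """Apply authz-regexp rules in order; the first match wins. An identity
    that matches no rule keeps its cn=auth form, which names no entry in
    the DIT and therefore matches no per-user ACL."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, sasl_dn, re.IGNORECASE)
        if m:
            out = replacement
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return sasl_dn


def gssapi_bind(principal: str, directory=DIRECTORY) -> dict:
    """Model a SASL/GSSAPI bind: the KDC has already authenticated the
    principal, so no password is checked here at all. The result reports
    the bound DN and whether it resolves to an entry."""
    bound_dn = map_authz(sasl_identity_dn(principal))
    entry = directory.get(bound_dn)
    return {
        "bound_dn": bound_dn,
        "entry_found": entry is not None,
        # Shows that userPassword plays no part in a GSSAPI bind.
        "has_userPassword": bool(entry and "userPassword" in entry),
    }


if __name__ == "__main__":
    for p in ("userA@ABC.COM", "ldapadmin@ABC.COM", "userA@OTHER.ORG"):
        print(p, "->", gssapi_bind(p))
```

The bind for userA succeeds with no userPassword attribute present because the authentication happened at the KDC and slapd only rewrites the resulting identity; a principal from another realm stays in its cn=auth form and cannot reach userA's entry. A {KERBEROS} or {SASL} userPassword value only matters for a simple bind, where slapd (or saslauthd behind it) has to verify a password itself; for GSSAPI binds it is never consulted.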
