[Date Prev][Date Next] [Chronological] [Thread] [Top]

MIT Kerberos5+ SASL+ OpenLdap

To: openldap-software@OpenLDAP.org
Subject: MIT Kerberos5+ SASL+ OpenLdap
From: "Manel Euro" <euro_32@hotmail.com>
Date: Wed, 18 May 2005 16:45:55 +0000

Hello,

I am having some problems related with kerberos5, cyrus-sasl and openldap. A coleague of mine has a different understanding that I do so I would like to hear some opinions.

Here is what I have achieved:

Configured realm ABC.COM on machine server1 (MIT KERBEROS KDC). Configured Openldap on machine server1 dc=abc,dc=com. Installed Cyrus-sasl on machine server1 so openldap could use it. Configured pam on machine client 1 (so it gets authorization from ldap and authentication from Kerberos)

Each user has the following parameters:

dn: uid=userA,ou=People,dc=abc,dc=com
krb5KeyVersionNumber: 1
loginShell: /bin/bash
krb5PrincipalName: userA@ABC.COM
krb5MaxRenew: 604800
gidNumber: 600
uidNumber: 505
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: userA
cn: userA
homeDirectory: /afs/abc.com/home/userA
krb5MaxLife: 86400

My question is:

Is the user information correct or does it have to be like the following:

dn: uid=userA,ou=People,dc=abc,dc=com
krb5KeyVersionNumber: 1
loginShell: /bin/bash
krb5PrincipalName: userA@ABC.COM
krb5MaxRenew: 604800
gidNumber: 600
uidNumber: 505
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: userA
cn: userA
homeDirectory: /afs/abc.com/home/userA
krb5MaxLife: 86400
userPassword:: {KERBEROS}userA@ABC.COM

In my current configuration I don't have a userPassword field. I believe that cyrus-sasl (gssapi) gets the information from my ticket and converts it to my dn. So, this way, I don't need to have a userPassword field.

Having this said, is there a need for the krb5MaxRenew: 604800 and krb5PrincipalName: fields at all?

For instance:

[root@server1]# ldapsearch
SASL/GSSAPI authentication started
SASL username: ldapadmin@ABC.COM
SASL SSF: 56
SASL installing layers

Finaly,  Do I need to configure saslauthd?


Best regards,

M.

_________________________________________________________________ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/

Follow-Ups:
- Re: MIT Kerberos5+ SASL+ OpenLdap
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: schemacheck and structuralObjectClass
Next by Date: Re: MIT Kerberos5+ SASL+ OpenLdap
Index(es):
- Chronological
- Thread