MIT Kerberos5 + SASL + OpenLDAP
Hello,
I am having some problems related to Kerberos5, Cyrus SASL and OpenLDAP.
A colleague of mine has a different understanding than I do, so I would like
to hear some opinions.
Here is what I have achieved:
Configured realm ABC.COM on machine server1 (MIT Kerberos KDC).
Configured OpenLDAP on machine server1, dc=abc,dc=com.
Installed Cyrus SASL on machine server1 so OpenLDAP could use it.
Configured PAM on machine client1 (so it gets authorization from LDAP and
authentication from Kerberos).
Each user has the following parameters:
dn: uid=userA,ou=People,dc=abc,dc=com
krb5KeyVersionNumber: 1
loginShell: /bin/bash
krb5PrincipalName: userA@ABC.COM
krb5MaxRenew: 604800
gidNumber: 600
uidNumber: 505
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: userA
cn: userA
homeDirectory: /afs/abc.com/home/userA
krb5MaxLife: 86400
My question is:
Is the user information correct or does it have to be like the following:
dn: uid=userA,ou=People,dc=abc,dc=com
krb5KeyVersionNumber: 1
loginShell: /bin/bash
krb5PrincipalName: userA@ABC.COM
krb5MaxRenew: 604800
gidNumber: 600
uidNumber: 505
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: krb5Principal
objectClass: krb5KDCEntry
uid: userA
cn: userA
homeDirectory: /afs/abc.com/home/userA
krb5MaxLife: 86400
userPassword: {KERBEROS}userA@ABC.COM
In my current configuration I don't have a userPassword field. I believe
that cyrus-sasl (gssapi) gets the information from my ticket and converts it
to my dn. So, this way, I don't need to have a userPassword field.
Having said this, is there a need for the krb5MaxRenew: 604800 and
krb5PrincipalName: fields at all?
For instance:
[root@server1]# ldapsearch
SASL/GSSAPI authentication started
SASL username: ldapadmin@ABC.COM
SASL SSF: 56
SASL installing layers
Finally, do I need to configure saslauthd?
Best regards,
M.
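Added example, not part of the original message: how slapd itself maps the SASL/GSSAPI identity shown in the ldapsearch output above onto an entry under ou=People, so that no userPassword attribute is consulted for the bind. The realm and DIT names are taken from the post; the authz-regexp rule and its placement in slapd.conf on server1 are assumptions.

```conf
# slapd.conf on server1 (assumed location; added example, not from the post)
#
# After a successful GSSAPI bind, slapd derives an authentication DN of the
# form  uid=<principal>,cn=<realm>,cn=gssapi,cn=auth  from the Kerberos
# ticket. authz-regexp is matched against the normalized (lower-case) form.
# This rule maps userA@ABC.COM onto uid=userA,ou=People,dc=abc,dc=com.
# Only the first matching authz-regexp is applied.
authz-regexp
  uid=([^,]*),cn=abc.com,cn=gssapi,cn=auth
  uid=$1,ou=People,dc=abc,dc=com

# Alternative form: look the entry up instead of rewriting the DN directly.
# The search URL must return exactly one entry, otherwise the bind fails,
# which keeps an unmapped principal from silently becoming a valid identity.
# authz-regexp
#   uid=([^,]*),cn=abc.com,cn=gssapi,cn=auth
#   ldap:///ou=People,dc=abc,dc=com??one?(uid=$1)
```

With the mapping in place, `ldapwhoami -Y GSSAPI` run as userA should report the ou=People DN rather than the raw cn=auth identity, and slapd ACLs can then be written against the real entry.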