
Re: ldap simple bind with kerberos passwords



Karen R McArthur wrote:
This issue involves ldap-kerberos integration. I'm not sure if this is a kerberos or an ldap configuration problem, so I have sent it both to the openldap-software and the kerberos lists.

openldap-2.2.15-2; krb5-libs-1.2.5-15; cyrus-sasl-2.1.10-1

Passwords are stored in the kerberos database. All passwords in ldap are set to {SASL}principal@REALM (I've also tried {KERBEROS}principal@REALM). All ldap "People" have a kerberos record and also the "krb5Principal" objectClass.

The keytabs ldap/<FQDN>@REALM, host/<FQDN>@REALM, cvs/<FQDN>@REALM, and svn/<FQDN>@REALM all exist.

I can authenticate to all of my Linux servers. Most of my applications are authenticating with no problems. However, those applications that are not kerberos aware and require a simple ldap bind are not authenticating (for example, Subversion).

Is this an ldap configuration issue? Or is it kerberos? Any ideas would be greatly appreciated!

Most likely an LDAP or SASL configuration issue. First you have to make sure OpenLDAP was configure'd with --enable-spasswd otherwise {SASL} password schemes are ignored. The {KERBEROS} password scheme was dropped a long time ago so {SASL} is your only choice. It will only work here if you have saslauthd configured to do Kerberos authentication, and you must configure slapd to use saslauthd.

I'll note that all of your software versions are quite out of date; you'd do well to upgrade to current versions.

--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
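The pass-through chain described in the reply above (simple bind -> {SASL} userPassword -> SASL library -> saslauthd -> KDC), written out as an added configuration example that is not from the thread. File locations, the socket path, the example principal jdoe@EXAMPLE.COM and the DIT layout are assumptions; adjust them to your distribution and directory.

```conf
# --- 1. saslauthd must verify passwords against Kerberos ---
# /etc/sysconfig/saslauthd (or pass "-a kerberos5" on the command line).
# With any other mechanism (pam, shadow, ...) saslauthd never contacts the KDC.
MECH=kerberos5
FLAGS=""

# --- 2. slapd's SASL application config must route password checks to saslauthd ---
# /usr/lib/sasl2/slapd.conf (some builds use /etc/sasl2/slapd.conf).
# Without pwcheck_method: saslauthd, {SASL} passwords cannot be checked at all.
pwcheck_method: saslauthd
# socket path is an assumption; match it to the -m option saslauthd runs with
saslauthd_path: /var/run/saslauthd/mux

# --- 3. slapd itself ---
# No extra directive is needed in slapd.conf, but the binary must have been
# built with --enable-spasswd; for a self-built slapd, check the configure
# line you used, otherwise {SASL} values are silently treated as no password.

# --- 4. The user entry (LDIF) ---
# The value after {SASL} is the full Kerberos principal, realm included,
# so that saslauthd authenticates the right principal.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: krb5Principal
krb5PrincipalName: jdoe@EXAMPLE.COM
userPassword: {SASL}jdoe@EXAMPLE.COM

# --- 5. Checks, from the bottom of the chain upward ---
# (a) saslauthd alone, run as the user slapd runs as so socket permissions match:
#     testsaslauthd -u jdoe -r EXAMPLE.COM -p 'the-kerberos-password'
#     -> "0: OK" means the KDC accepted the password; anything else is a
#        saslauthd/Kerberos problem, not an LDAP one.
# (b) the simple bind that a non-Kerberos application such as Subversion performs:
#     ldapwhoami -x -D uid=jdoe,ou=People,dc=example,dc=com -W
#     -> should answer "dn:uid=jdoe,ou=People,dc=example,dc=com";
#        "Invalid credentials" here with (a) succeeding points at step 2 or 3.
```

Because the password now travels in clear text from the client to slapd on every simple bind, restrict such binds to TLS-protected connections (for example with a "security ssf=..." directive) so the Kerberos password is not exposed on the wire.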