|
Earlier I asked a few
questions about OpenLDAP authenticating via Kerberos. I'm going to
back up a bit and ask a more general question to ensure I have an
adequate understanding to go further into the details of a solution. On a Kerberos list I was asking for a little bit of help, and the answer I got revealed that maybe I don't understand as much about OpenLDAP's interaction with Kerberos as I'd thought. In general, I am trying to authenticate a login and password received via an OpenLDAP client (in this case SMB via the smbldap-tools) with the logins and passwords held in a Kerberos server elsewhere. Is this a legitimate use of these services? Am I thinking about this wrong? If so, what else do I need to know? I thought it was possible that I could have an ldap-bind request referred via SASL/GSSAPI to do a Kerberos authentication. But on the Kerberos list, here's the response I got. And on this OpenLDAP list I got:A KDC does not speak GSSAPI nor SASL. A KDC issues tickets. You use SASL-GSSAPI-KRB5 when you want to establish an authenticated connection to an application service for which a service principal exists within the KDC database. The KDC is not an application service. As Jeff pointed out, [you can't do that] with GSSAPI. What you might be looking for is slapd code to take a username and password and do in effect a kinit and a verify tgt, or have a sasl plugin do it for your. I don't know of one.
Perhaps you can help me
understand or reconcile these responses. Thanks. Wes Wes Modes Server Administrator & Programmer Analyst McHenry Library Computing & Network Services Information and Technology Services 459-5208 |