[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: OpenLDAP to Kerberos, Take 2
- To: Wes Modes <wmodes@ucsc.edu>
- Subject: Re: OpenLDAP to Kerberos, Take 2
- From: Michael Ströder <michael@stroeder.com>
- Date: Sat, 01 Mar 2008 13:32:43 +0100
- Cc: openldap-technical@openldap.org
- In-reply-to: <47C86A6B.6000106@ucsc.edu>
- References: <47BB72A7.9060205@ucsc.edu> <47BBB668.5050504@symas.com> <47C86A6B.6000106@ucsc.edu>
- User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 SeaMonkey/1.1.8
Wes Modes wrote:
In general, I am trying to authenticate a login and password received
via an OpenLDAP client (in this case SMB via the smbldap-tools)
Strictly speaking smbldap-tools is not an OpenLDAP client. It's a
separate software not implemented by the OpenLDAP project.
See also these links found with Google:
https://gna.org/projects/smbldap-tools/
http://www.iallanis.info/smbldap-tools/docs/smbldap-tools/
with the logins and passwords held in a Kerberos server
elsewhere.
I don't know smbldap-tools. But I'm not sure if the user invoking
the tools is really the user who accesses the OpenLDAP server.
Could it be that the user accessing the OpenLDAP server is a
pre-configured demon user account in the LDAP server which acts on
behalf of the user?
I thought it was possible that I could have an ldap-bind request
referred via SASL/GSSAPI to do a Kerberos authentication.
Depends on what the smbldap-tools are capable to do.
But on the Kerberos list, here's the response I got.
A KDC does not speak GSSAPI nor SASL. A KDC issues tickets. You use
SASL-GSSAPI-KRB5 when you want to establish an authenticated connection
to an application service for which a service principal exists within
the KDC database. The KDC is not an application service.
As Jeff pointed out, [you can't do that] with GSSAPI. What you might be
looking for is slapd code to take a username and password and do in effect
a kinit and a verify tgt, or have a sasl plugin do it for your. I don't know
of one.
You have to check whether the smbldap-tools are capable of
authenticating as the user who started the tools with SASL bind
with GSSAPI mech using the TGT the user obtained from the KDC
before (via kinit).
Glancing over the docs I doubt it works that way:
http://www.iallanis.info/smbldap-tools/docs/smbldap-tools/#htoc12
But I don't know the software. Check yourself more thoroughly...
Ciao, Michael.
--
Michael Ströder
E-Mail: michael@stroeder.com
http://www.stroeder.com