[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Kerberos userpassword storage

To: Indexer <indexer@internode.on.net>
Subject: Re: Kerberos userpassword storage
From: Howard Chu <hyc@symas.com>
Date: Wed, 04 Aug 2010 01:30:48 -0700
Cc: openldap-technical@openldap.org
In-reply-to: <60E6A50E-E124-4CC1-95C6-40D666F9A220@internode.on.net>
References: <60E6A50E-E124-4CC1-95C6-40D666F9A220@internode.on.net>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.3a6pre) Gecko/20100708 Firefox 3.6

Indexer wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Im attempting to use Kerberos as a password storage backend in my ldap server.

I have the server setup with its own principal of the form ldap/domainname@REALM , and this keytab is in the KRB5_KTNAME environment variable as slapd starts.

I have put olcSaslRealm=REALM and olcSaslHost=kdc.domain into my cn=config.

Then, i have uid=user, where the userPassword attribute is {KERBEROS}user@REALM

Who told you to do that? There is no such password scheme in any OpenLDAPdocumentation.

When attempting to bind to this user, it seems to fail. When i reset the password to a standard SSHA hash, it authenticates correctly. I can authenticate with kerberos to the host that the ldap enabled client, but i just cannot use ldap with the kerberos password backend.

Any help in solving what else i need to do in this would be greatly appreciated

William Brown

pgp.mit.edu


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

Follow-Ups:
- Re: Kerberos userpassword storage
  - From: Gémes Géza <geza@kzsdabas.hu>

References:
- Kerberos userpassword storage
  - From: Indexer <indexer@internode.on.net>

Prev by Date: Kerberos userpassword storage
Next by Date: what makes client use mech=SIMPLE?
Index(es):
- Chronological
- Thread