
Re: Authenticate to ldap using Kerberos



Wouter van Marle <wouter@squirrel-systems.com> writes:

> Hi group,
>
> I have been fighting the whole day already for something that I think
> is quite simple but I just can't get it to work: have slapd
> authenticate users against kerberos. Following many tutorials, trying
> many things, I give up on that and ask for your help.
>
> System: Debian Lenny.
>
> Situation:
> - workstation logins over the network authenticate against kerberos
> - credentials from LDAP
> - postfix has its alias database etc in LDAP, as are the groups and
> userIDs and everything - helps keeping uids the same on the
> workstations. Essential for NFS.
> - anything using pam will be authenticated against kerberos, including
> imap, postfix, etc.
>
> Except LDAP. Then slapd authenticates by itself against the password
> stored there. And that's not what I want. There should be no passwords
> in LDAP any more, everything against kerberos. Then at least when a
> user changes their kerberos password, the same password is used
> everywhere. I just can't get this to work for some reason. I have
> followed many tutorials, so many that I forgot what I did, and it
> still doesn't work.
>
> Slapd should use pam to authenticate, or directly talk to the kerberos
> server, whatever.
>
> saslauthd has the gssapi module installed.

[...]

Why did you design such a complicated setup?
postfix supports sasl mechanism GSSAPI,
openldap supports sasl mechanism GSSAPI,
cyrus-imap supports sasl mechanism GSSAPI,
ssh supports GSSAPI,
pam login should use unix2 which supports GSSAPI.

saslauthd is not required, nor is a userpassword attribute value
required in DIT.
Just set up a proper kerberos V5 environment, create service principals,
host principals and user principals, and configure clients to use
either native krb5 implementation or GSSAPI mechanism.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770535@sipgate.de 
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
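
Added example, not part of the original message or of OpenLDAP's code: when slapd accepts a SASL/GSSAPI bind and no userPassword is stored, the Kerberos principal arrives as an authentication DN under cn=auth and is mapped to a directory entry by authz-regexp rules. This Python sketch emulates that mapping so the rules can be checked before they go into slapd.conf. The realm example.com, the DIT suffixes and the sample identities are constructed assumptions.

```python
import re

# All values below are constructed for illustration; none come from the thread.
PEOPLE = "ou=people,dc=example,dc=com"
HOSTS = "ou=hosts,dc=example,dc=com"
TAIL = "(cn=example[.]com,)?cn=gssapi,cn=auth$"  # realm component is optional

# (pattern, replacement) pairs in authz-regexp order; the first match wins.
# Patterns are anchored and the captured name may not contain "/" or ",", so
# user/admin instances and foreign realms never collapse onto a person entry.
RULES = [
    ("^uid=host/([^,/]+)," + TAIL, "cn=$1," + HOSTS),
    ("^uid=([^,/]+)," + TAIL, "uid=$1," + PEOPLE),
]


def map_identity(authc_dn):
    """Emulate the mapping of a SASL authentication DN to a DIT entry."""
    dn = authc_dn.lower()  # case-fold, as DN normalization does
    for pattern, target in RULES:
        match = re.match(pattern, dn)
        if match:
            return target.replace("$1", match.group(1))
    # No rule matched: the bind identity stays under cn=auth, where ACLs
    # should grant it nothing beyond anonymous access.
    return dn


def slapd_conf_lines():
    """Render the same rules as slapd.conf directives."""
    return ['authz-regexp "%s" "%s"' % rule for rule in RULES]


if __name__ == "__main__":
    samples = [  # constructed identities
        "uid=alice,cn=gssapi,cn=auth",
        "uid=alice,cn=EXAMPLE.COM,cn=GSSAPI,cn=auth",
        "uid=host/ws1.example.com,cn=example.com,cn=gssapi,cn=auth",
        "uid=alice/admin,cn=example.com,cn=gssapi,cn=auth",
        "uid=alice,cn=other.realm,cn=gssapi,cn=auth",
    ]
    for line in slapd_conf_lines():
        print(line)
    for dn in samples:
        print(dn, "->", map_identity(dn))
```

The last two samples stay under cn=auth on purpose: an admin instance or a principal from another realm must not be bound as the ordinary user entry.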