[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Authenticate to ldap using Kerberos
On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
> Wouter van Marle wrote:
> > On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
> >> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
> >>>> That requires pass-through authentication.
> >>>
> >>> I see.
> >>> Well with the above instructions nothing seems to have changed.
> >>> I have restarted saslauthd and slapd after making the changes, and when
> >>> now accessing the ldap addressbook using Evolution, I still have to use
> >>> the ldap stored password, not the krb password.
> >>>
> >>> Wouter.
> >>
> >> To be a little more explicit, to enable pass-through authentication, you
> >> will need to replace the password (userPassword attribute) with:
> >>
> >> userPassword: {SASL}username@realm
> >
> > When I got it working I am considering to write some tutorial - maybe
> > useful. I haven't been able to find anything like it on the internet.
> > The above I have never seen; just once a suggestion to change the
> > password to {KERBEROS}username but well that also didn't work :)
> >
> > It's much harder to get working than I ever expected, really. And even
> > more so I'm surprised that openldap doesn't support this "out of the
> > box", or with some minor settings.
>
> It is not supported out of the box because it's generally the wrong thing to
> do. It is intentionally undocumented, to discourage people from pursuing this
> misguided course. Use GSSAPI.
GSSAPI works:
$ ldapwhoami -h acorn.squirrel
SASL/GSSAPI authentication started
SASL username: wouter@SQUIRREL
SASL SSF: 56
SASL data security layer installed.
dn:uid=wouter,cn=gssapi,cn=auth
But for whatever reason I have no option to choose GSSAPI as ldap
authentication method in Evolution.
And actually now you start calling it "misguided course", I would really
like to know what the proper course is.
My basic request is:
- no passwords stored in the LDAP database.
- LDAP authenticates users against a Kerberos server.
After a day of googling, searching for terms like the subject of this
thread, I am not really closer to a solution. All solutions that I DID
find were following variations of what I tried to do, and what you call
misguided.
The thing that I talked about when I mentioned "support out of the box
or with minor settings" was simply the Kerberos authentication. Why
doesn't that work easily? Why can I not just tell openldap to use
kerberos, be it via PAM, via GSSAPI directly, whatever - the method I
don't care about - as long as it works. And the frustration now is that
it still doesn't work.
Wouter.