Re: Kerberos with LDAP backend: password sync

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Friday, July 22, 2011 9:03 PM +0300 Nick Milas <nick@eurobjects.com> 
wrote:

> On 21/7/2011 10:23 ÎÎ, Dan White wrote:
>
> > A simpler approach, and one that works with non-SASL binds, would be to
> > configure pass-through authentication and perform saslauthd/kerberos5
> > authentication. As users change their passwords (against your kerberos
> > server, via some unspecified process), you could replace their
> > userPassword
> > entries with {SASL}user@realm (as described in the Admin guide) and do
> > away
> > with hashed password entries altogether.
>
> If I follow this model, according to the documentation:
>
>     "Where an entry has a "{SASL}" password value, OpenLDAP delegates
>     the whole process of validating that entry's password to Cyrus SASL."
>
> Supposing that we configure SASL to use Kerberos5 authentication, will
> our current standard applications (Postfix, Dovecot, Shibboleth, Apache
> etc.) need to be configured to include GSSAPI SASL method?

No.  If you use pass-through authentication like this, then your LDAP 
server is specifically NOT using SASL/GSSAPI, but passing the credentials 
THROUGH.  I.e., you still bind with a username and password to LDAP, which 
then authenticates that against the KDC.

--Quanah

--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration