That is very close, though I'll make one minor correction.

From Samba to OpenLDAP via TLS uses smbldap-tools and doesn't need
SASL. SASL with the GSSAPI mechanism will be what is used when the LDAP
server asks the Kerberos KDC if the password is valid.

Jeffrey Altman wrote:
> Let me rephrase what you are attempting to do. You want to
> authenticate the LDAP query from the Samba client to the OpenLDAP
> server by sending a username and password from Samba to OpenLDAP over
> a TLS protected connection using SASL.
> Instead of the LDAP server storing the password and using that for
> authentication, you want to have the LDAP server ask the Kerberos KDC
> if the password is valid.
> Please confirm that this is your desire.
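
Added example, not taken from this thread or from the smbldap-tools or OpenLDAP projects: the configuration that the reply's first point describes, smbldap-tools talking to slapd over TLS with a plain username/password (simple) bind and no SASL on that path. Hostnames, DNs, certificate paths and the bind password are assumptions.

```ini
# --- /etc/ldap/slapd.conf (OpenLDAP server side); paths are assumptions ---
# Server certificate and key, plus the CA the clients will trust.
TLSCACertificateFile    /etc/ldap/ssl/ca.pem
TLSCertificateFile      /etc/ldap/ssl/ldap.example.com.crt
TLSCertificateKeyFile   /etc/ldap/ssl/ldap.example.com.key
# Refuse any bind or operation not protected by at least 128-bit TLS, so the
# simple bind from smbldap-tools below can never put its password on the wire
# in the clear.
security tls=128

# --- /etc/smbldap-tools/smbldap.conf (Samba side); host names are assumptions ---
masterLDAP="ldap.example.com"
masterPort="389"
slaveLDAP="ldap.example.com"
slavePort="389"
# StartTLS on port 389 rather than ldaps:// on 636.
ldapTLS="1"
ldapSSL="0"
# Validate the server certificate against this CA; "require" aborts otherwise.
verify="require"
cafile="/etc/smbldap-tools/ca.pem"

# --- /etc/smbldap-tools/smbldap_bind.conf (mode 0600, root only) ---
# Simple bind credentials; SASL is not involved on this path.
masterDN="cn=Manager,dc=example,dc=com"
masterPw="change-me"
slaveDN="cn=Manager,dc=example,dc=com"
slavePw="change-me"
```

To check the setup from the Samba host, run `ldapsearch -ZZ -x -H ldap://ldap.example.com -D cn=Manager,dc=example,dc=com -W -b dc=example,dc=com -s base`: `-ZZ` makes the client abort if StartTLS cannot be negotiated, and `-x` selects the simple bind that smbldap-tools uses. With `security tls=128` in slapd.conf, the same search without `-ZZ` is rejected with LDAP result 13 (confidentialityRequired), which confirms the server will not accept the password over a cleartext connection.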


