Re: Help with SASL/GSSAPI to remote Kerberos server - Kerberos



Thread: Re: Help with SASL/GSSAPI to remote Kerberos server

  1. Re: Help with SASL/GSSAPI to remote Kerberos server

    Wes Modes wrote:
    > Reason for this is that eventually, our campus kerberos
    > service will be replaced with a secure LDAP auth.


    OH! Are you sure this is a good idea? (This is the Kerberos list)
    Are you looking at Samba or AD as the LDAP server? If so they both
    have Kerberos (Samba 4 does at least) So you may want to look
    a little further down the road before dropping Kerberos.

    >
    > But it remains an open question for me whether it is possible to have
    > Samba/smbldap-tools ask LDAP/GSSAPI which indirectly asks Kerberos for
    > authentication.


    As Jeff pointed out, not with GSSAPI. What you might be looking for
    is slapd code to take a username and password and do in effect a kinit
    and a verify tgt, or have a sasl plugin do it for you. I don't know
    of one.

    You might want to ask on a sasl list, or OpenLDAP list. You will
    not get much help on a Kerberos list, as the intent of Kerberos is
    to never send the password over the network.

    --

    Douglas E. Engert
    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois 60439
    (630) 252-5444

  2. Re: Help with SASL/GSSAPI to remote Kerberos server

    "Douglas E. Engert" writes:

    > As Jeff pointed out, not with GSSAPI. What you might be looking for
    > is slapd code to take a username and password and do in effect a kinit
    > and a verify tgt, or have a sasl plugin do it for you. I don't know
    > of one.


    There is an ugly hack: having a userPassword field with "{SASL}<principal>"
    in LDAP you can employ saslauthd's Kerberos backend. We use it as a crutch
    for a web application which can only authenticate against an LDAP
    directory (*cough* Zope *cough*).


    Sebastian
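
The hack Sebastian describes, laid out as an added configuration example (not from the thread, nor from the OpenLDAP or Cyrus SASL projects); the file paths, the ldap.example.edu host and the jdoe@EXAMPLE.EDU principal are assumptions:

```ini
# --- /etc/default/saslauthd (Debian-style file; path and variable name are an
# assumption for this example) ------------------------------------------------
# With the kerberos5 mechanism saslauthd obtains a TGT using the supplied
# password and, where a host keytab is present, verifies that TGT against the
# host key, so an answer from a spoofed KDC is not enough to pass the check.
MECHANISMS="kerberos5"

# --- /etc/sasl2/slapd.conf (Cyrus SASL per-application config read by slapd;
# the directory varies by distribution) --------------------------------------
# slapd built with --enable-spasswd hands a {SASL} userPassword to
# sasl_checkpass(), which forwards the username/password to saslauthd over
# this socket instead of comparing against a hash stored in the directory.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- LDIF for the user entry (constructed example values) -------------------
# No password material is stored in LDAP; the value only names the Kerberos
# principal whose password a simple bind to this DN must present.
dn: uid=jdoe,ou=People,dc=example,dc=edu
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
userPassword: {SASL}jdoe@EXAMPLE.EDU

# --- Check from a client: a simple bind with the user's Kerberos password.
#   ldapwhoami -x -H ldaps://ldap.example.edu \
#       -D uid=jdoe,ou=People,dc=example,dc=edu -W
```

The bind is a simple bind, so the Kerberos password travels from the client to slapd and on to saslauthd; that is exactly the exposure Douglas warns about, so the LDAP listener must require TLS (ldaps:// or StartTLS) and saslauthd should run on the same host as slapd. Samba's smbldap-tools then talk plain LDAP to slapd while the actual verification still happens at the KDC.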
