Earlier I asked a few questions about OpenLDAP authenticating via
Kerberos. I'm going to back up a bit and ask a more general question to
ensure I have an adequate understanding to go further into the details
of a solution.

On a Kerberos list I was asking for a little bit of help, and the answer
I got revealed that maybe I don't understand as much about OpenLDAP's
interaction with Kerberos as I'd thought.

In general, I am trying to authenticate a login and password received
via an OpenLDAP client (in this case SMB via the smbldap-tools) with the
logins and passwords held in a Kerberos server elsewhere. Is this a
legitimate use of these services? Am I thinking about this wrong? If
so, what else do I need to know?

I thought it was possible that I could have an ldap-bind request
referred via SASL/GSSAPI to do a Kerberos authentication.

But on this Kerberos list, here's the response I got.

A KDC does not speak GSSAPI nor SASL. A KDC issues tickets. You use
SASL-GSSAPI-KRB5 when you want to establish an authenticated connection
to an application service for which a service principal exists within
the KDC database. The KDC is not an application service.

As Jeff pointed out, [you can't do that] with GSSAPI. What you might be
looking for is slapd code to take a username and password and do in effect
a kinit and a verify tgt, or have a sasl plugin do it for your. I don't know
of one.

But on an OpenLDAP list I got:

There is an ugly hack: having a userPassword field with "{SASL} principal>" in LDAP you can employ saslauthd's Kerberos backend. We use
it as a crutch for a web application which can only authenticate against
an LDAP directory

Perhaps you can help me understand or reconcile these responses. Maybe
I will come to a better understanding that will help me either come
closer to a solution or rephrase my question in a way that is useful.



Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services