Wouter van Marle <wou...@squirrel-systems.com> writes:

> On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
>> Wouter van Marle wrote:
>> > On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
>> >> On 09/09/10 10:21 +0800, Wouter van Marle wrote:
>> >>>> That requires pass-through authentication.
>> >>>
>> >>> I see.
>> >>> Well, with the above instructions nothing seems to have changed.
>> >>> I have restarted saslauthd and slapd after making the changes, and when
>> >>> now accessing the ldap addressbook using Evolution, I still have to use
>> >>> the ldap stored password, not the krb password.
>> >>>
>> >>> Wouter.
>> >>
>> >> To be a little more explicit, to enable pass-through authentication, you
>> >> will need to replace the password (userPassword attribute) with:
>> >>
>> >> userPassword: {sasl}usern...@realm
>> >
>> > When I get it working I am considering writing some tutorial - maybe
>> > useful. I haven't been able to find anything like it on the internet.
>> > The above I have never seen; just once a suggestion to change the
>> > password to {KERBEROS}username, but well, that also didn't work :)
>> >
>> > It's much harder to get working than I ever expected, really. And even
>> > more so I'm surprised that openldap doesn't support this "out of the
>> > box", or with some minor settings.
>>
>> It is not supported out of the box because it's generally the wrong thing to
>> do. It is intentionally undocumented, to discourage people from pursuing this
>> misguided course. Use GSSAPI.
>
> GSSAPI works:
> $ ldapwhoami -h acorn.squirrel
> SASL/GSSAPI authentication started
> SASL username: wou...@squirrel
> SASL SSF: 56
> SASL data security layer installed.
> dn:uid=wouter,cn=gssapi,cn=auth
You may add an olcAuthzRegexp in order to map the SASL authentication string to a Distinguished Name.

> But for whatever reason I have no option to choose GSSAPI as ldap
> authentication method in Evolution.

I don't know either, but my Evolution shows the GSSAPI mechanism. In fact it shows all SASL mechanisms available on my system.

> And actually now you start calling it "misguided course", I would really
> like to know what the proper course is.
>
> My basic request is:
> - no passwords stored in the LDAP database.
> - LDAP authenticates users against a Kerberos server.

What do you mean by "LDAP authenticates users against Kerberos"? Authentication is the job of the KDC, or do you want to run the Kerberos database in LDAP?

> After a day of googling, searching for terms like the subject of this
> thread, I am not really closer to a solution. All solutions that I DID
> find were following variations of what I tried to do, and what you call
> misguided.

As I mentioned already in a previous mail, it is quite simple to set up a kerberized system: just read the installation and administration documents of MIT krb5 and configure network-based clients to use GSSAPI.

> The thing that I talked about when I mentioned "support out of the box
> or with minor settings" was simply the Kerberos authentication. Why
> doesn't that work easily? Why can I not just tell openldap to use
> kerberos, be it via PAM, via GSSAPI directly, whatever - the method I
> don't care about - as long as it works. And the frustration now is that
> it still doesn't work.

I think you should get acquainted with principal authentication and authorization models. An LDAP server is just a dumb identity storage system and not an authentication and authorization broker, as you seem to expect.

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: 7770...@sipgate.de
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
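As an added illustration (not from anyone in this thread) of the olcAuthzRegexp mapping Dieter mentions, here is a cn=config change that maps the SASL DN shown in the ldapwhoami output above onto a real user entry; the base DN dc=squirrel, the ou=People container and the realm name are assumptions.

```ldif
# Added example, not from the thread. After a GSSAPI bind, slapd derives
# the authorization DN uid=<user>,cn=gssapi,cn=auth (or
# uid=<user>,cn=<REALM>,cn=gssapi,cn=auth when the realm differs from
# olcSaslRealm). olcAuthzRegexp rewrites that DN to a real entry.
# Assumed DIT: users under ou=People,dc=squirrel; assumed realm: squirrel.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-regexp.ldif
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=gssapi,cn=auth
  ldap:///ou=People,dc=squirrel??one?(uid=$1)
olcAuthzRegexp: uid=([^,]*),cn=squirrel,cn=gssapi,cn=auth
  ldap:///ou=People,dc=squirrel??one?(uid=$1)
```

The values are tried in order and the first matching pattern wins, and the LDAP URL search must return exactly one entry or slapd keeps the unmapped cn=auth DN; keep the realm explicit rather than a wildcard so a principal from another realm cannot be mapped onto a local user. Once applied, `ldapwhoami -Y GSSAPI -H ldap://acorn.squirrel` should report `dn:uid=wouter,ou=People,dc=squirrel` instead of the cn=auth form, which is the quick check that the mapping is in effect.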