Guillaume Rousse wrote:
Howard Chu wrote:
> Guillaume Rousse wrote:
>> Hello list.
>>
>> Reading
>> http://www.openldap.org/doc/admin24/security.html#SASL password
>> storage scheme, I understand authentication can be delegated to an
>> external mechanism, such as, for instance, a Kerberos server. In this
>> case, it is advised to prevent changing passwords in the directory.
>
> That part of the doc appears to be wrong. slapd will call SASL's
> setpass function to change a SASL password, so there's no reason to
> prevent changing passwords via LDAP.
I guess it is just a phrasing issue, and the doc means 'take care users
don't inadvertently rewrite their password attribute with a true password
instead of keeping this pointer'.
Sorry, I just reread it, it's explicitly stated that slapd doesn't
allow changing the password at all. You were right.
[..]
Second, {SMBKRB5} is an optimisation only possible with the smbkrb5
overlay, whereas {SASL} is more generic, but also more expensive, as
external calls are needed.
And from my own tests this morning: {SASL} is a bit more complex to
set up, but doesn't suffer from the few glitches that {K5KEY} does (see
the just reported ITS #5766 and #5767).
--
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
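For readers following the thread, here is what the {SASL} pass-through setup discussed above looks like in practice. This is an added illustration, not configuration from the original message or from the OpenLDAP project; the file paths, the user "jdoe", the realm EXAMPLE.COM and the base DN are assumptions, and the cyrus-sasl option names and the testsaslauthd tool are the standard ones shipped with Cyrus SASL.

```conf
# --- /usr/lib/sasl2/slapd.conf (on some distributions /etc/sasl2/slapd.conf) ---
# Tell the SASL library linked into slapd to hand plaintext password checks
# to the saslauthd daemon instead of looking the secret up itself.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd ---
# Start saslauthd with the Kerberos 5 backend, so each check becomes an
# authentication against the KDC (this is the "external call" the thread
# refers to; it happens on every simple bind that hits a {SASL} value):
#   saslauthd -a kerberos5
#
# Check the plumbing without involving slapd at all (assumed test principal):
#   testsaslauthd -u jdoe -r EXAMPLE.COM -p 'the-password'
# A failure here means the problem is in saslauthd or the KDC, not in slapd.

# --- LDIF for ldapmodify ---
# The attribute now stores a pointer to the SASL identity, not a hash.
# On a simple bind, slapd asks SASL to verify jdoe@EXAMPLE.COM.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: {SASL}jdoe@EXAMPLE.COM
```

Two caveats worth keeping in mind with this scheme: saslauthd only ever sees the plaintext password, so simple binds against a {SASL} entry must be confined to TLS-protected connections; and since the directory no longer holds a secret, a user who replaces the attribute with an ordinary hash (the situation the guide's wording warns about) silently drops back to local password checking for that entry.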