I'm noticing this: http://www.openldap.org/lists/openldap-bugs/200701/msg00009.html and wonder what that really means for OpenLDAP and Kerberos. Is there no longer any support in OpenLDAP for Kerberos?
Specifically, I want to use my Kerberos ticket to authenticate to my OpenLDAP directory (anonymous bind does not allow me to view/update my address books for example). Does the above removal mean this is not possible?
If it's still possible, anyone got a good howto they can point me at that's relevant for 2.3.35 and higher?
Thanx, b.
"Brian J. Murrell" brian@interlinx.bc.ca writes:
I'm noticing this: http://www.openldap.org/lists/openldap-bugs/200701/msg00009.html and wonder what that really means for OpenLDAP and Kerberos. Is there no longer any support in OpenLDAP for Kerberos?
No, the correct way of supporting Kerberos is by way of SASL, which OpenLDAP continues to support. Via SASL you can negotiate GSSAPI authentication using Kerberos v5.
kbind was a non-SASL authentication mechanism that predated the much better SASL support and is now obsolete.
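As an added example (not code from this thread or from the OpenLDAP project), the client-side SASL/GSSAPI bind Russ describes, as typed at a shell, with the server-side identity mapping noted in comments. The hostname ldap.example.com, the realm EXAMPLE.COM, the suffix dc=example,dc=com and the user brian are assumed for illustration.

```shell
#!/bin/sh
# Added example: Kerberos ticket -> SASL/GSSAPI bind to OpenLDAP.
# Assumed: KDC realm EXAMPLE.COM, server ldap.example.com,
# directory suffix dc=example,dc=com, principal brian@EXAMPLE.COM.

# 1. Obtain a TGT, or reuse a valid one. `klist -s` exits 0 only when a
#    usable ticket is in the credential cache, so kinit runs just when needed.
get_ticket() {
    klist -s 2>/dev/null || kinit "$1"          # e.g. get_ticket brian@EXAMPLE.COM
}

# 2. Bind with the ticket. -Y GSSAPI selects the SASL mechanism; no -D/-w.
#    ldapwhoami returns the identity slapd assigned to the bind, which is the
#    first thing to check: it shows whether the SASL identity is being mapped
#    onto a real directory entry.
whoami_gssapi() {
    ldapwhoami -Y GSSAPI -H "ldap://$1"          # e.g. whoami_gssapi ldap.example.com
}

# 3. A search performed under the same bind (address book lookup, say).
search_gssapi() {
    ldapsearch -Y GSSAPI -H "ldap://$1" -b "$2" "(uid=$3)" mail
}

# Until slapd is told how to map it, the bind identity is the raw SASL DN:
#   dn:uid=brian,cn=EXAMPLE.COM,cn=gssapi,cn=auth
# which matches no entry, so ACLs written for uid=brian,ou=people,... do not
# apply. The usual fix is an authz-regexp rule in slapd.conf (assumed values):
#   sasl-realm  EXAMPLE.COM
#   authz-regexp
#       uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
#       ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)
# This helper parses the same SASL DN line client-side, so a script can check
# that the principal that bound is the one expected.
sasl_dn_principal() {
    # input: one "dn:uid=USER,cn=REALM,cn=gssapi,cn=auth" line from ldapwhoami
    # output: USER@REALM, or nothing if the line is not an unmapped SASL DN
    printf '%s\n' "$1" |
        sed -n 's/^dn:uid=\([^,]*\),cn=\([^,]*\),cn=gssapi,cn=auth$/\1@\2/p'
}

# To make the CLI tools default to GSSAPI without -Y each time, put
#   SASL_MECH GSSAPI
# in ldap.conf or ~/.ldaprc (see ldap.conf(5)).
```

Run `get_ticket brian@EXAMPLE.COM` and then `whoami_gssapi ldap.example.com`: if the reply is the `cn=gssapi,cn=auth` form rather than an entry under ou=people, the bind worked but the authz-regexp mapping has not, and ACLs will still treat the session as a stranger.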
On Mon, 2008-02-18 at 14:36 -0800, Russ Allbery wrote:
No, the correct way of supporting Kerberos is by way of SASL, which OpenLDAP continues to support. Via SASL you can negotiate GSSAPI authentication using Kerberos v5.
/me smacks forehead.
Doh! Of course. I seem to have it working now. Unfortunately it doesn't seem many clients (i.e. neither evolution nor GQ) support the use of the GSSAPI SASL method AFAICT. :-(
Thanx much!
b.
"Brian J. Murrell" brian@interlinx.bc.ca writes:
Doh! Of course. I seem to have it working now. Unfortunately it doesn't seem many clients (i.e. neither evolution nor GQ) support the use of the GSSAPI SASL method AFAICT. :-(
Yeah. Most of them didn't support kbind either. The LDAP support in most mail clients is rather horrid.
Brian J. Murrell wrote:
I'm noticing this: http://www.openldap.org/lists/openldap-bugs/200701/msg00009.html and wonder what that really means for OpenLDAP and Kerberos. Is there no longer any support in OpenLDAP for Kerberos?
Kerberos is supported in LDAP using SASL/GSSAPI. The message you referenced above is about the LDAPv2 kbind mechanism, which was obsoleted 10+ years ago.
Brian J. Murrell wrote:
I'm noticing this: http://www.openldap.org/lists/openldap-bugs/200701/msg00009.html and wonder what that really means for OpenLDAP and Kerberos. Is there no longer any support in OpenLDAP for Kerberos?
Specifically, I want to use my Kerberos ticket to authenticate to my OpenLDAP directory
This is still possible with SASL bind using the GSSAPI mechanism. Your client application has to support this, though.
Ciao, Michael.
openldap-software@openldap.org