Howard Chu wrote:
Dan White wrote:
On 12/28/14 11:24 -0500, Brendan Kearney wrote:
On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote:
Brendan Kearney wrote:
i want to use the "pass-through" auth mechanism with sasl, so that i validate credentials against the kerberos database, and not have to maintain passwords in multiple places.
ok, then i have misunderstood PLAIN vs SIMPLE, it seems. i will back up and explain what i am trying to do.
apache, dhcp and freeradius can all use ldap for various functionality. they all use what i now believe to be SIMPLE auth, where they are using "cn=user,dc=domain,dc=tld" as ldap usernames. these processes are using ldap for authentication, whereas i have only kerberos authentication setup in my environment (and ldap authorization). my hope was that sasl could allow me to push the ldap authN request through to kerberos, and in essence proxy the authentication.
This is a valid use of pass-through in my opinion,
Too many moving parts, and all unnecessary.
I agree here but..
He already has his KDC data stored in LDAP, he should just use {K5KEY} password scheme and be done with it.
..AFAIK this requires using slapo-smbk5pwd which only works with heimdal's libs and KDC schema.
I guess Fedora does not ship OpenLDAP builds with slapo-smbk5pwd and it definitely uses MIT Kerberos.
Ciao, Michael.