On 09/09/10 10:21 +0800, Wouter van Marle wrote:
That requires pass-through authentication.
I see. Well with the above instructions nothing seems to have changed. I have restarted saslauthd and slapd after making the changes, and when now accessing the ldap addressbook using Evolution, I still have to use the ldap stored password, not the krb password.
Wouter.
To be a little more explicit, to enable pass-through authentication, you will need to replace the password (userPassword attribute) with:
userPassword: {SASL}username@realm
for instance:
dn: uid=jsmith,dc=example,dc=com
...
userPassword: {SASL}jsmith
In this case, the user will have no valid password defined in LDAP (or at least not in the userPassword attribute).
When attempting to perform a non-sasl bind, slapd will use saslauthd to authenticate, by taking the username (from the userPassword field), and the password that was submitted.
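An added example (not part of the original thread, and not OpenLDAP code): a Python audit of an LDIF export that reports, for each entry, whether a simple bind would be passed through to saslauthd or still checked against a value stored in userPassword. The function names are hypothetical, and the DNs, realm and password values in the sample are constructed.

```python
import base64

def parse_ldif(text):
    """Yield (dn, attrs) per entry, handling folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]              # folded continuation line
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines + [""]:                 # trailing "" flushes the last entry
        if not line:
            if "dn" in entry:
                yield entry.pop("dn")[0].decode(), entry
            entry = {}
            continue
        attr, _, rest = line.partition(":")
        # "attr:: value" carries base64; "attr: value" carries the literal text
        value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip().encode()
        entry.setdefault(attr.lower(), []).append(value)

def classify(value):
    """Say how a simple bind against this userPassword value gets verified."""
    text = value.decode("utf-8", "replace")
    if text[:6].upper() == "{SASL}":          # scheme matched case-insensitively here
        return ("pass-through", text[6:])     # identity handed to saslauthd
    if text.startswith("{") and "}" in text:
        return ("local-hash", text[1:text.index("}")].upper())
    return ("local-cleartext", None)

def audit(ldif_text):
    """Map each DN to the verification path of every userPassword value it holds."""
    return {dn: [classify(v) for v in attrs.get("userpassword", [])] or [("no-password", None)]
            for dn, attrs in parse_ldif(ldif_text)}

# Constructed sample export; DNs, realm and values are illustrative only.
SAMPLE = "\n".join([
    "dn: uid=jsmith,dc=example,dc=com",
    "userPassword: {SASL}jsmith@EXAMPLE.COM",
    "",
    "dn: uid=alice,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{SSHA}constructed-not-a-hash").decode(),
    "",
    "dn: uid=bob,dc=example,dc=com",
    "userPassword: {SASL}bob@EXAMPLE.COM",
    "userPassword: leftover",                 # added instead of replaced
])

if __name__ == "__main__":
    for dn, paths in audit(SAMPLE).items():
        print(dn, paths)
```

userPassword is multi-valued, so an entry that still lists a local value next to the {SASL} one, like bob in the sample, keeps accepting the old LDAP-stored password.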