Da Rock wrote:
On Thu, 2009-03-05 at 02:43 +0100, Michael Ströder wrote:
Da Rock wrote:
I'm not sure you quite understand what I mean here-
I think I do. ;-)
There's no reason why you shouldn't be able to do the following:
LDAP Client --ldap:// with SASL/GSSAPI--> slapd --KRB5--> heimdal KDC --ldapi:// with SASL/EXTERNAL--> slapd
In fact the picture is a bit more complicated but I'm too tired to draw the real one. Hope you get the idea.
Actually thats very well presented- at least I get what your saying.
A hiccup here is that I mean that there is no ldap client- yet. I'm talking about at startup, slapd looks to authenticate with kerberos as a service
??? No, slapd does no such thing, that's not how Kerberos works.
Only Kerberos clients talk to the KDC. A Kerberized server only needs a keytab containing its principal name and current key. Those items can be generated by the KDC talking to slapd over SASL/EXTERNAL. Certainly slapd will be unable to perform GSSAPI authentication for any other LDAP clients until this step is completed, but it only happens once.
And this is true regardless of what your KDC uses as a backing store. Which again brings us back to the point of why the OpenLDAP docs expect you to already understand Kerberos before touching the subject here. If you don't already understand Kerberos, it's pointless to discuss it here (because this is an *LDAP* forum not a Kerberos forum) and when you *do* understand Kerberos, there's nothing more that needs to be explained.