Da Rock wrote:
On Thu, 2009-03-05 at 02:43 +0100, Michael Ströder wrote:
> Da Rock wrote:
>> I'm not sure you quite understand what I mean here-
> I think I do. ;-)
>
> There's no reason why you shouldn't be able to do the following:
>
> LDAP Client
> --ldap:// with SASL/GSSAPI--> slapd
> --KRB5--> heimdal KDC
> --ldapi:// with SASL/EXTERNAL--> slapd
>
> In fact the picture is a bit more complicated but I'm too tired to draw
> the real one. Hope you get the idea.
Actually that's very well presented- at least I get what you're saying.
A hiccup here is that I mean that there is no LDAP client- yet. I'm
talking about at startup, slapd looks to authenticate with Kerberos as a
service
??? No, slapd does no such thing, that's not how Kerberos works.
Only Kerberos clients talk to the KDC. A Kerberized server only needs a keytab
containing its principal name and current key. Those items can be generated by
the KDC talking to slapd over SASL/EXTERNAL. Certainly slapd will be unable to
perform GSSAPI authentication for any other LDAP clients until this step is
completed, but it only happens once.
And this is true regardless of what your KDC uses as a backing store. Which
again brings us back to the point of why the OpenLDAP docs expect you to
already understand Kerberos before touching the subject here. If you don't
already understand Kerberos, it's pointless to discuss it here (because this
is an *LDAP* forum not a Kerberos forum) and when you *do* understand
Kerberos, there's nothing more that needs to be explained.
--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
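To make Howard's point concrete (the Kerberized server needs nothing from the KDC at startup beyond a keytab holding its principal name and current key), here is an added example, not code from this thread or from OpenLDAP/Heimdal, that builds a constructed keytab in the on-disk format both MIT krb5 and Heimdal write, parses it back, and picks out the entry slapd's GSSAPI mechanism would use. The hostname ldap.example.com, the realm EXAMPLE.COM, the timestamps and the key bytes are all made up; the function names are this example's own. The parser handles the two details that trip up hand-written readers: deleted slots (negative length prefix) and the 32-bit kvno extension.

```python
import struct
from typing import List, Optional

# Keytab format v2 (MIT krb5 / Heimdal), all integers big-endian:
#   u16 magic 0x0502, then entries, each prefixed by an i32 length
#   (a negative length marks a deleted slot that readers must skip).
#   Entry body: u16 component count (realm not counted in v2),
#   counted-string realm, counted-string components, u32 name type,
#   u32 timestamp, u8 kvno, u16 enctype, counted-string key,
#   optional u32 kvno (newer files; overrides the u8 field when non-zero).
KEYTAB_MAGIC = 0x0502
KRB5_NT_SRV_HST = 3                     # name type for host-based service principals
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def build_entry(principal: str, kvno: int, enctype: int, key: bytes, timestamp: int = 0) -> bytes:
    """Serialise one keytab entry, length prefix included."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", KRB5_NT_SRV_HST, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)      # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[bytes], hole: bytes = b"") -> bytes:
    """Assemble a keytab; `hole`, if given, becomes a deleted slot (negative length)."""
    out = struct.pack(">H", KEYTAB_MAGIC)
    if hole:
        out += struct.pack(">i", -len(hole)) + hole
    return out + b"".join(entries)


def _parse_entry(body: bytes) -> dict:
    pos = 0

    def counted() -> bytes:
        nonlocal pos
        (n,) = struct.unpack_from(">H", body, pos)
        pos += 2
        value = body[pos:pos + n]
        pos += n
        return value

    (ncomp,) = struct.unpack_from(">H", body, pos); pos += 2
    realm = counted().decode()
    comps = [counted().decode() for _ in range(ncomp)]
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", body, pos); pos += 9
    (enctype,) = struct.unpack_from(">H", body, pos); pos += 2
    key = counted()
    kvno = vno8
    if len(body) - pos >= 4:             # 32-bit kvno extension present
        (vno32,) = struct.unpack_from(">I", body, pos)
        if vno32:
            kvno = vno32
    return {"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
            "timestamp": timestamp, "kvno": kvno, "enctype": enctype, "key": key}


def parse_keytab(data: bytes) -> List[dict]:
    (magic,) = struct.unpack_from(">H", data, 0)
    if magic != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version 0x%04x" % magic)
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off); off += 4
        if size < 0:                     # deleted slot: skip the hole
            off += -size
            continue
        if size == 0:
            break
        entries.append(_parse_entry(data[off:off + size])); off += size
    return entries


def newest_key(data: bytes, principal: str) -> Optional[dict]:
    """Highest-kvno entry for `principal`: the key a GSSAPI acceptor will use."""
    matches = [e for e in parse_keytab(data) if e["principal"] == principal]
    return max(matches, key=lambda e: e["kvno"]) if matches else None


# Constructed sample keytab: two generations of the ldap/ service key plus a
# deleted slot, roughly what is left after a key rollover and an entry removal.
LDAP_PRINCIPAL = "ldap/ldap.example.com@EXAMPLE.COM"   # made-up host and realm
SAMPLE_KEY = bytes(range(32))                           # NOT a real key
SAMPLE_KEYTAB = build_keytab(
    [build_entry(LDAP_PRINCIPAL, 256, ETYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY[::-1], 1236200000),
     build_entry(LDAP_PRINCIPAL, 257, ETYPE_AES256_CTS_HMAC_SHA1_96, SAMPLE_KEY, 1236210000)],
    hole=b"\x00" * 16,
)

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry["kvno"], entry["enctype"], entry["principal"])
    print("current kvno:", newest_key(SAMPLE_KEYTAB, LDAP_PRINCIPAL)["kvno"])
```

Running it against a real keytab (read the file into `data` and call `parse_keytab`) shows exactly what slapd has at startup: principal names and keys, and no KDC credentials of its own, which is why a missing or stale kvno in this file, not a failed startup-time login, is what breaks GSSAPI binds for clients later.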