Re: GSSAPI vs GSS-SPNEGO

On 12/28/14 11:24 -0500, Brendan Kearney wrote: >On Sun, 2014-12-28 at 02:50 +0000, Howard Chu wrote: >> Brendan Kearney wrote: >> > i want to use the "pass-through" auth mechanism with sasl, so that i >> > validate credentials against the kerberos database, and not have to >> > maintain passwords in multiple places. > >ok, then i have misunderstood PLAIN vs SIMPLE, it seems. i will back up >and explain what i am trying to do. > >apache, dhcp and freeradius can all use ldap for various functionality. >they all use what i now believe to be SIMPLE auth, where they are using >"cn=user,dc=domain,dc=tld" as ldap usernames. these processes are using >ldap for authentication, whereas i have only kerberos authentication >setup in my environment (and ldap authorization). my hope was that sasl >could allow me to push the ldap authN request through to kerberos, and >in essence proxy the authentication. This is a valid use of pass-through in my opinion, but you'll want to protect the authentication as Howard mentioned over ldapi:/// ideally, or tls otherwise. pass-through does not require that you advertise any other sasl mechanisms, such as plain, since it does not involve sasl over the wire. To use, see: http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authenti... Add 'pwcheck_method: saslauthd' to your libsasl slapd.conf file, and should need nothing else unless you're using a non standard location for your saslauthd mux. Verify that your slapd user has permissions to access the saslauthd mux, and verify your saslauthd config with testsaslauthd.