On Fri, 6 Oct 2017 13:43:34 +0200, Ulrich Tehrani u_tehrani@yahoo.de wrote:
Hi all,
I set up an OpenLDAP server which is used as MIT Kerberos backend.
User principals have - besides the Kerberos attributes - appropriate objectClasses (e.g. simpleSecurityObject, organizationalRole) to also make a simple authentication with the userPassword attribute possible.
To consolidate both credentials I made a setup of SASL passthrough with Kerberos as backend. So I set the value of the userPassword attribute to
{SASL}<user>@<realm> and made the required configuration for saslauthd.
With this configuration all kinds of authentication will use the Kerberos password.
I made various tests but there seems to be an issue with preauthentication in OpenLDAP.
I got the following result:
=> testsaslauthd is always working, whether the preauth flag is on or off
=> ldapsearch -x is only working with the preauth flag disabled.
=> It makes no difference if MIT Kerberos uses its normal backend
Keep in mind: for clear testing conditions saslauthd caching has to be disabled!
Don't use the -c option of saslauthd - otherwise it could happen that your ldapsearch -x is working only because you had success with a former testsaslauthd command!
Does someone have a similar setup which is working with preauth enabled?
Or does someone know whether this is supported or not?
I use LDAP 2.4.44 with cyrus-sasl-2.1.23.
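A check worth running on such a directory before chasing preauth symptoms (my own added example, not code from this thread, OpenLDAP or cyrus-sasl): it reads an ldapsearch LDIF export and flags every userPassword that is not a {SASL}<user>@<realm> value, or whose <user>@<realm> does not match the entry's krbPrincipalName, because that is the identity saslauthd will verify against the KDC. The DNs, the sample export and the use of the krbPrincipalName attribute from the MIT Kerberos LDAP schema are assumptions I constructed.

```python
import base64
import re

LINE_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")   # attr, ":" or "::", value
SASL_RE = re.compile(r"^\{SASL\}([^@]+)@(.+)$")             # {SASL}<user>@<realm>

# Constructed sample export (hypothetical DNs, not from the thread). alice is
# consistent; bob's value is base64 (ldapsearch emits "::" for values starting
# with "{") and names the realm in lowercase, which Kerberos treats as another realm.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "krbPrincipalName: alice@EXAMPLE.ORG\n"
    "userPassword: {SASL}alice@EXAMPLE.ORG\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "krbPrincipalName: bob@EXAMPLE.ORG\n"
    "userPassword:: " + base64.b64encode(b"{SASL}bob@example.org").decode() + "\n"
)

def parse_ldif(text):
    # Unfold "\n " continuations, decode "::" base64 values, split entries on
    # blank lines; attribute names are lower-cased, values kept as lists.
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        m = LINE_RE.match(line)
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif m:
            name, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode()
            current.setdefault(name.lower(), []).append(value)
    return entries

def audit_sasl_passthrough(text):
    # One finding per userPassword that saslauthd cannot map to the entry's principal.
    findings = []
    for e in parse_ldif(text):
        dn = e["dn"][0]
        principals = e.get("krbprincipalname", [])
        for pw in e.get("userpassword", []):
            m = SASL_RE.match(pw)
            if not m:
                findings.append(f"{dn}: userPassword is not a {{SASL}} value")
            elif f"{m[1]}@{m[2]}" not in principals:
                findings.append(f"{dn}: {{SASL}} identity {m[1]}@{m[2]} not in {principals}")
    return findings
```

Feed it the output of ldapsearch -x ... userPassword krbPrincipalName run as an identity allowed to read userPassword; for a clean run it returns an empty list.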
I had set up such an environment, but in the end a Kerberized environment is easier to handle than a multitude of authentication services. For security reasons you should not mix user data and Kerberos data. I would recommend setting up two different databases.
-Dieter