Earlier I asked a few questions about OpenLDAP authenticating via Kerberos. I'm going to back up a bit and ask a more general question to ensure I have an adequate understanding to go further into the details of a solution.
On a Kerberos list I was asking for a little bit of help, and the answer I got revealed that maybe I don't understand as much about OpenLDAP's interaction with Kerberos as I'd thought.
In general, I am trying to authenticate a login and password received via an OpenLDAP client (in this case SMB via the smbldap-tools) with the logins and passwords held in a Kerberos server elsewhere. Is this a legitimate use of these services? Am I thinking about this wrong? If so, what else do I need to know?
I thought it was possible that I could have an ldap-bind request referred via SASL/GSSAPI to do a Kerberos authentication.
But on the Kerberos list, here's the response I got.
A KDC does not speak GSSAPI nor SASL. A KDC issues tickets. You use SASL-GSSAPI-KRB5 when you want to establish an authenticated connection to an application service for which a service principal exists within the KDC database. The KDC is not an application service.
As Jeff pointed out, [you can't do that] with GSSAPI. What you might be looking for is slapd code to take a username and password and do in effect a kinit and a verify tgt, or have a sasl plugin do it for you. I don't know of one.
And on this OpenLDAP list I got:
There is an ugly hack: having a userPassword field with "{SASL}<Kerberos principal>" in LDAP you can employ saslauthd's Kerberos backend. We use it as a crutch for a web application which can only authenticate against an LDAP directory.
Perhaps you can help me understand or reconcile these responses.
Thanks.
Wes
Wes Modes
Server Administrator & Programmer Analyst
McHenry Library
Computing & Network Services
Information and Technology Services
459-5208
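As an added illustration of the "{SASL}" crutch quoted above (this is not from the original post or from either respondent), here is how the three pieces fit together on an slapd built with SASL password support. The user entry, realm, file paths and keytab location are assumptions for a typical Debian layout; adjust them to your installation.

```conf
# --- 1. Directory entry (LDIF; assumed test user and realm) ---
# slapd must be built with --enable-spasswd for the {SASL} scheme to exist.
# The value after {SASL} is the Cyrus SASL user id that slapd hands to
# sasl_checkpass() on a simple bind; it is NOT a stored password.
# "wes@EXAMPLE.EDU" is a placeholder principal.
dn: uid=wes,ou=People,dc=example,dc=edu
changetype: modify
replace: userPassword
userPassword: {SASL}wes@EXAMPLE.EDU

# --- 2. Cyrus SASL configuration for slapd ---
# (/etc/sasl2/slapd.conf or /usr/lib/sasl2/slapd.conf, depending on the
# distribution.) When slapd asks libsasl to check a plaintext password,
# forward the check to the saslauthd daemon instead of an in-library method.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- 3. saslauthd startup options (/etc/default/saslauthd on Debian) ---
# The kerberos5 backend performs, in effect, a kinit with the supplied
# password. It should also verify the resulting TGT against a service key
# in a keytab readable by saslauthd; without that verification a forged
# KDC reply could be accepted. The keytab path is an assumption.
START=yes
MECHANISMS="kerberos5"
KRB5_KTNAME=/etc/krb5.keytab
```

With this in place a plain simple bind (ldapwhoami -x -ZZ -D "uid=wes,ou=People,dc=example,dc=edu" -W) succeeds only if the password is accepted by the KDC, which is the behaviour the poster is after. Two caveats matter to whoever runs it: the password crosses the wire to slapd in the clear, so simple binds must be confined to ldaps:// or StartTLS (the -ZZ above), and saslauthd must have a keytab so the TGT is verified rather than merely obtained. This path also covers only simple binds; a client that binds with SASL/GSSAPI never consults userPassword at all and is instead authenticated by slapd's own service principal, which is the distinction the Kerberos-list replies were drawing.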