On Mon, Jan 7, 2019 at 5:53 PM Dan White <dwhite@cafedemocracy.org> wrote:
On 01/07/19 16:18 -0500, vadud3@gmail.com wrote:
>I am using openldap proxy today with ldap backend.
>
>Any suggestions on how to use kerberos as the backend?
>
>Here is my config (sanitized)
>
>$ cat slapd.conf

>### Database definition (Proxy to AD) #########################################
>database                ldap
>readonly                yes
>protocol-version        3
>rebind-as-user          yes
>uri                     "ldaps://ldap.example.com:1636"
>suffix                  "ou=People,dc=example,dc=net"

I'm not clear on where kerberos authentication fits scenario, but
the two pieces of documentation to start with would be the slapo-ldap
manpage, and the OpenLDAP Software 2.4 Administrator's Guide, section 14.5,
and chapter 15.

If that doesn't adress your question, please provide more detail, including
how your clients authenticate with the proxy server.

I do not see any slapo-ldap in my search for man page in openldap site 

So on my client I like to point to kerberos proxy for authentication. 

Today I am using ldap proxy with -H ldaps://127.0.0.1 and it works fine like below

   ldapsearch -LLL -x -y ~/.ldap-pass -H ldaps://127.0.0.1 uid=foo

And under sssd ldap auth works fine like below

  auth_provider = ldap
  ldap_uri = ldaps://127.0.0.1


I want to start using kerberos setting like below and start using kerberos for authentication

  auth_provider = krb5
  krb5_server = 127.0.0.1:88

But I do not have anything running on port 88




May be I am not understanding how to implement kerberos proxy.

Appreciate any help. 


--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?