Wouter van Marle wouter@squirrel-systems.com writes:
Hi group,
I have been fighting the whole day already for something that I think is quite simple but I just can't get it to work: have slapd authenticate users against kerberos. Following many tutorials, trying many things, I give up on that and ask for your help.
System: Debian Lenny.
Situation:
- workstation logins over the network authenticate against kerberos
- credentials from LDAP
- postfix has its alias database etc. in LDAP, as are the groups and userIDs and everything - helps keeping uids the same on the workstations. Essential for NFS.
- anything using pam will be authenticated against kerberos, including imap, postfix, etc.
Except LDAP. Then slapd authenticates by itself against the password stored there. And that's not what I want. There should be no passwords in LDAP any more, everything against kerberos. Then at least when a user changes their kerberos password, the same password is used everywhere. I just can't get this to work for some reason. I have followed many tutorials, so many that I forgot what I did, and it still doesn't work.
Slapd should use pam to authenticate, or directly talk to the kerberos server, whatever.
saslauthd has the gssapi module installed.
[...]
Why did you design such a complicated setup? postfix supports sasl mechanism GSSAPI, openldap supports sasl mechanism GSSAPI, cyrus-imap supports sasl mechanism GSSAPI, ssh supports GSSAPI, pam login should use unix2 which supports GSSAPI.
saslauthd is not required, nor is a userpassword attribute value required in DIT. Just set up a proper kerberos V5 environment, create service principals, host principals and user principals, and configure clients to use either native krb5 implementation or GSSAPI mechanism.
-Dieter
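A concrete version of the slapd side of Dieter's recipe, added here as an example and not taken from the thread: the cn=config settings that make OpenLDAP 2.4 (as shipped in Lenny) accept SASL/GSSAPI binds and map a Kerberos principal onto its LDAP entry, with no userPassword involved. The realm EXAMPLE.COM, suffix dc=example,dc=com and host ldap.example.com are assumed placeholders.

```ldif
# Constructed example (not from the thread): cn=config LDIF for slapd on
# Debian Lenny (OpenLDAP 2.4). Assumed realm EXAMPLE.COM, suffix
# dc=example,dc=com and host ldap.example.com; substitute your own values.
# Apply with: ldapmodify -Y EXTERNAL -H ldapi:/// -f gssapi.ldif
dn: cn=config
changetype: modify
replace: olcSaslHost
olcSaslHost: ldap.example.com
-
replace: olcSaslRealm
olcSaslRealm: EXAMPLE.COM
-
# Refuse anonymous SASL binds and the cleartext mechanisms (PLAIN/LOGIN),
# so GSSAPI is the only SASL mechanism users can actually use.
replace: olcSaslSecProps
olcSaslSecProps: noanonymous,noplain
-
# slapd turns an authenticated Kerberos principal into the SASL identity
#   uid=<primary>,cn=<realm>,cn=gssapi,cn=auth
# and normalizes it before matching, hence the lowercase realm below.
# $1 is the principal's primary name. Principals from another realm, or
# with an instance such as wouter/admin, match nothing and so bind with
# no DN (only anonymous rights): the mapping fails closed.
replace: olcAuthzRegexp
olcAuthzRegexp: uid=([^,/]*),cn=example.com,cn=gssapi,cn=auth
  ldap:///dc=example,dc=com??one?(&(objectClass=posixAccount)(uid=$1))
```

slapd must be able to read a keytab holding its ldap/ldap.example.com service principal (on Debian, export KRB5_KTNAME in /etc/default/slapd). After `kinit`, `ldapwhoami -Y GSSAPI` shows which DN the mapping produced.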