Wouter van Marle wouter@squirrel-systems.com writes:
On Wed, 2010-09-08 at 23:40 -0700, Howard Chu wrote:
Wouter van Marle wrote:
On Wed, 2010-09-08 at 21:34 -0500, Dan White wrote:
On 09/09/10 10:21 +0800, Wouter van Marle wrote:
That requires pass-through authentication.
I see. Well, with the above instructions nothing seems to have changed. I have restarted saslauthd and slapd after making the changes, and when now accessing the LDAP address book using Evolution, I still have to use the LDAP-stored password, not the krb password.
Wouter.
To be a little more explicit, to enable pass-through authentication, you will need to replace the password (userPassword attribute) with:
userPassword: {SASL}username@realm
When I get it working I am considering writing a tutorial - maybe useful. I haven't been able to find anything like it on the internet. The above I have never seen; just once a suggestion to change the password to {KERBEROS}username, but well, that also didn't work :)
It's much harder to get working than I ever expected, really. And even more so I'm surprised that openldap doesn't support this "out of the box", or with some minor settings.
It is not supported out of the box because it's generally the wrong thing to do. It is intentionally undocumented, to discourage people from pursuing this misguided course. Use GSSAPI.
GSSAPI works:

$ ldapwhoami -h acorn.squirrel
SASL/GSSAPI authentication started
SASL username: wouter@SQUIRREL
SASL SSF: 56
SASL data security layer installed.
dn:uid=wouter,cn=gssapi,cn=auth
You may add an olcAuthzRegexp in order to map the sasl authentication string to a Distinguished Name.
But for whatever reason I have no option to choose GSSAPI as ldap authentication method in Evolution.
I don't know either, but my Evolution shows the GSSAPI mechanism. In fact it shows all SASL mechanisms available on my system.
And actually now you start calling it "misguided course", I would really like to know what the proper course is.
My basic request is:
- no passwords stored in the LDAP database.
- LDAP authenticates users against a Kerberos server.
What do you mean by "LDAP authenticates users against Kerberos"? Authentication is the job of the KDC, or do you want to run the Kerberos database in LDAP?
After a day of googling, searching for terms like the subject of this thread, I am not really closer to a solution. All solutions that I DID find were following variations of what I tried to do, and what you call misguided.
As I mentioned already in a previous mail, it is quite simple to set up a kerberized system, just read the installation and administration documents of MIT krb5 and configure network based clients to use GSSAPI.
The thing that I talked about when I mentioned "support out of the box or with minor settings" was simply the Kerberos authentication. Why doesn't that work easily? Why can I not just tell OpenLDAP to use Kerberos, be it via PAM, via GSSAPI directly, whatever - the method I don't care about - as long as it works. And the frustration now is that it still doesn't work.
I think you should get acquainted with principal authentication and authorization models; an LDAP server is just a dumb identity storage system and not an authentication and authorization broker as you seem to expect.
-Dieter
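The olcAuthzRegexp step mentioned above is where the GSSAPI identity that ldapwhoami printed (uid=wouter,cn=gssapi,cn=auth) gets turned into a real entry DN. The following Python is an added illustration, not code from the thread or from OpenLDAP: it applies rules written in olcAuthzRegexp form the way slapd does (first matching rule wins, $1 expands to the captured group) to a few constructed SASL identities. The LDIF, the ou=people,dc=squirrel suffix and the cn=squirrel realm component are assumptions for the example; slapd uses POSIX extended regexes, which for these anchored patterns behave the same as Python's re module.

```python
import re

# Constructed olcAuthzRegexp rules (an assumption for this example). The first
# maps a GSSAPI identity whose realm equals the server's default realm (so no
# cn=<realm> component appears); the second handles an explicit realm.
AUTHZ_REGEXP_LDIF = """\
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"^uid=([^,]+),cn=gssapi,cn=auth$" "uid=$1,ou=people,dc=squirrel"
olcAuthzRegexp: {1}"^uid=([^,]+),cn=squirrel,cn=gssapi,cn=auth$" "uid=$1,ou=people,dc=squirrel"
"""

# One olcAuthzRegexp value: optional {n} ordering prefix, then "match" "replace".
RULE_LINE = re.compile(r'^olcAuthzRegexp:\s*(?:\{\d+\})?"([^"]*)"\s+"([^"]*)"$')


def load_rules(ldif):
    """Extract (pattern, replacement) pairs from olcAuthzRegexp lines, in order."""
    rules = []
    for line in ldif.splitlines():
        m = RULE_LINE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def _expand(replacement, match):
    # olcAuthzRegexp replacement strings use $1..$9 for capture groups.
    return re.sub(r"\$(\d)", lambda g: match.group(int(g.group(1))), replacement)


def map_sasl_identity(sasl_dn, rules=None):
    """Return the DN produced by the first matching rule, or None if nothing matches.

    None mirrors slapd's behaviour: the bind proceeds with the raw SASL DN,
    which corresponds to no entry, so an identity from an unexpected realm
    is not silently mapped onto a local user.
    """
    if rules is None:
        rules = load_rules(AUTHZ_REGEXP_LDIF)
    for pattern, replacement in rules:
        m = re.match(pattern, sasl_dn)
        if m:
            return _expand(replacement, m)
    return None


if __name__ == "__main__":
    for ident in ("uid=wouter,cn=gssapi,cn=auth",
                  "uid=wouter,cn=squirrel,cn=gssapi,cn=auth",
                  "uid=eve,cn=otherrealm,cn=gssapi,cn=auth"):
        print(ident, "->", map_sasl_identity(ident))
```

With a rule like the first one loaded into cn=config, the ldapwhoami run shown earlier would report dn:uid=wouter,ou=people,dc=squirrel instead of the cn=auth pseudo-DN, and the entry's ACLs then apply to the Kerberos-authenticated user without any password ever being stored in LDAP. Anchoring the patterns with ^ and $ matters: it keeps the rule from matching identities that merely contain the expected substring.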