On Tue, 2008-07-01 at 17:02 +0700, Le Trung Kien wrote:
Hi, thank you, now I understand what happens underneath the process. As you said, saslauthd then does no work in my case. It is just the SASL plugin of the LDAP client that works here. And now I have to configure phpldapadmin, but I do not know what value I should assign to the SASL realm option, and so on. I assumed that I should have a saslauthd for authentication via Kerberos, etc. But I am not sure. Please, could you give me some hint on using SASL in my case?
Thank you.
2008/7/1 Buchan Milne bgmilne@staff.telkomsa.net:
OpenLDAP does not use Kerberos directly; instead it uses SASL. If your LDAP server has a Kerberos service principal, and has the SASL GSSAPI plugin installed and enabled, then the OpenLDAP client utilities will try appropriate SASL mechanisms (if the user has a ticket). So, you are using SASL to authenticate your users via Kerberos when they access the LDAP service.
Regards, Buchan
How did you configure your LDAP server + Kerberos in the first place? Did you use some kind of tool (YaST?), because it does not seem you know exactly what you are doing (no offence here, it's quite complex stuff).
To sum it all up:
You can bind to an LDAP server in two ways:
- simple bind
- SASL bind
Look at the simple bind as sending username/password in cleartext to the server (insecure if not over SSL/TLS). SASL, on the other side, can use any of the supported mechanisms (DIGEST-MD5, GSSAPI...).
In your case you use GSSAPI (Kerberos).
If your LDAP server is properly configured and you have libsasl-modules-mit-gssapi (or whatever they call it on your distro) installed, you can bind to the LDAP server via GSSAPI (having previously obtained the TGT). The fact that ldapwhoami works means that you have the plugin, you have the ticket, you have the LDAP Kerberos principal in the keytab, and the sasl-regexp is properly set up in slapd.conf.
Now saslauthd comes into the game:
What if your application which requires authentication to LDAP does not support SASL (GSSAPI)? (Most address books like Outlook, Evolution... do not.)
If your app can only do a simple bind to LDAP (username/password), you need a mechanism to forward these to the KDC and use the information it gives back (authentication succeeded). This is what saslauthd does. It acts as the middle man between LDAP and the Kerberos KDC. This is also called (according to the OpenLDAP documentation) pass-through authentication. You only need it if you want to use simple (not SASL) binds to LDAP using Kerberos passwords (SSL in this case is a must).
It's all very nicely described here: http://www.openldap.org/doc/admin24/security.html#Pass-Through%20authentication
Hope I made it a little bit clearer.
M.
-- Le Trung Kien.
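A worked configuration for the two bind paths M. describes, added here as an example; it is not taken from the thread or from the OpenLDAP project. The realm EXAMPLE.COM, the base DN dc=example,dc=com, the user kien and all file paths are assumed values and differ per distro. `authz-regexp` is the current name of the directive the thread calls `sasl-regexp`; the older spelling is still accepted by slapd.

```conf
# --- slapd.conf (OpenLDAP server) --------------------------------------
# 1. SASL/GSSAPI binds: SASL hands slapd the Kerberos identity as
#    "uid=<principal>,cn=<realm>,cn=gssapi,cn=auth"; map it onto a real
#    entry so "ldapwhoami -Y GSSAPI" reports a DN instead of that string.
#    (realm, base DN and uid attribute below are assumed values)
authz-regexp
  uid=([^,]*),cn=example.com,cn=gssapi,cn=auth
  ldap:///dc=example,dc=com??one?(uid=$1)

# 2. Pass-through binds carry the Kerberos password itself, so refuse a
#    simple bind unless the connection already has TLS with a 128-bit
#    cipher (StartTLS or ldaps://). Certificate paths are assumed.
security simple_bind=128
TLSCertificateFile    /etc/ldap/ssl/slapd.pem
TLSCertificateKeyFile /etc/ldap/ssl/slapd.key

# --- Cyrus SASL config read by slapd (usually /etc/sasl2/slapd.conf or
#     /usr/lib/sasl2/slapd.conf; location is distro-specific) ----------
# 3. When slapd asks libsasl to verify a plain password, forward the
#    check to saslauthd over its Unix socket instead of a local database.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# --- saslauthd startup -------------------------------------------------
# 4. Run saslauthd with the kerberos5 mechanism ("saslauthd -a kerberos5");
#    each password check then becomes a kinit-style verification against
#    the KDC. Debian keeps the setting in /etc/default/saslauthd:
MECHANISMS="kerberos5"

# --- the user's entry (LDIF) ------------------------------------------
# 5. A {SASL} userPassword tells slapd to route this user's simple bind
#    through libsasl -> saslauthd -> KDC rather than compare a stored
#    hash. slapd must have been built with --enable-spasswd for the
#    {SASL} scheme to exist.
dn: uid=kien,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: kien
cn: Le Trung Kien
sn: Le
userPassword: {SASL}kien@EXAMPLE.COM
```

With this in place the GSSAPI-capable client binds as before (`kinit kien`, then `ldapwhoami -Y GSSAPI -H ldap://ldap.example.com`, which should now print the mapped DN), while an application that only does simple binds, such as the phpldapadmin instance asked about above, binds as `ldapwhoami -x -ZZ -H ldap://ldap.example.com -D uid=kien,ou=people,dc=example,dc=com -W`; `-ZZ` makes the client fail rather than fall back if StartTLS is unavailable, and the `security simple_bind=128` line makes the server refuse the same cleartext bind. To isolate a failure in the saslauthd leg, `testsaslauthd -u kien -p '<password>' -r EXAMPLE.COM` talks to the daemon directly, so a "NO" there means the KDC side is broken, not slapd. Entries without a `{SASL}` userPassword keep authenticating against their stored hash, so the two schemes can coexist during a migration.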