Hi all,

I set up an OpenLDAP server which is used as an MIT-Kerberos backend. User principals have, besides the Kerberos attributes, appropriate object classes (e.g. simpleSecurityObject, organizationalRole) to also make simple authentication with the userPassword attribute possible.

To consolidate both credentials I made a setup of SASL pass-through with a Kerberos backend. So I set the value of the userPassword attribute to {SASL}<user>@<realm> and made the required configurations for saslauthd. With this configuration all kinds of authentication will use the Kerberos password.

I made various tests, but there seems to be an issue with preauthentication in OpenLDAP. I got the following result:
=> testsaslauthd always works, whether the preauth flag is on or off
=> ldapsearch -x only works with the preauth flag disabled
=> It makes no difference if MIT Kerberos uses its normal backend

Keep in mind: for clear testing conditions, saslauthd caching has to be disabled! Don't use the -c option in saslauthd, otherwise it could happen that your ldapsearch -x works because you had success with a former testsaslauthd command!

Does someone have a similar setup which is working with preauth enabled? Or does someone know if this is supported or not?
I use LDAP 2.4.44 with cyrus-sasl-2.1.23.
Thanks in advance.
Kind regards
Uli
--
Ulrich Tehrani
Am Ulrichshof 19
79189 Bad Krozingen
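
A minimal client for the saslauthd Unix-socket request format (four length-prefixed fields: login, password, service, realm), added here as an example and not part of the original post; it lets the check behind a {SASL}<user>@<realm> value be reproduced with caching disabled, independently of slapd and testsaslauthd. The socket path, the service name "ldap", the split at the last "@" and all function names are assumptions.

```python
import socket
import struct

# Assumption: the mux socket location differs between distributions.
MUX_PATH = "/var/run/saslauthd/mux"


def split_passthrough(user_password):
    """Split a '{SASL}user@realm' userPassword value into (login, realm)."""
    scheme, sep, ident = user_password.partition("}")
    if not sep or scheme.upper() != "{SASL" or not ident:
        raise ValueError("not a {SASL} pass-through value")
    if "@" not in ident:
        return ident, ""          # no realm given: saslauthd uses its default
    login, _, realm = ident.rpartition("@")  # assumption: split at last '@'
    return login, realm


def encode_request(login, password, service, realm):
    """Each field is a 2-byte big-endian length followed by the raw bytes."""
    out = b""
    for field in (login, password, service, realm):
        raw = field.encode("utf-8")
        if len(raw) > 0xFFFF:
            raise ValueError("field too long for a 16-bit length prefix")
        out += struct.pack("!H", len(raw)) + raw
    return out


def decode_reply(data):
    """Reply is one length-prefixed string that starts with 'OK' or 'NO'."""
    if len(data) < 2:
        raise ValueError("short reply")
    (length,) = struct.unpack("!H", data[:2])
    body = data[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated reply")
    text = body.decode("utf-8", errors="replace")
    return text.startswith("OK"), text


def check(user_password, password, service="ldap", path=MUX_PATH):
    """Send one query to a running saslauthd; 'ldap' is an assumed service."""
    login, realm = split_passthrough(user_password)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
        sock.connect(path)
        sock.sendall(encode_request(login, password, service, realm))
        data = b""
        while chunk := sock.recv(4096):
            data += chunk
    return decode_reply(data)
```

Calling check() once per preauth setting, with different service values, shows whether saslauthd's answer depends on the fields of the request rather than on the client that sends it.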